iptables to nftables Converter
Paste iptables rules or iptables-save output and get an equivalent nftables ruleset.
Client-side only — nothing leaves your browser
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept
ct state established, related accept
ip protocol tcp tcp dport 22 accept
ip protocol tcp tcp dport 80 accept
ip protocol tcp tcp dport 443 accept
meta l4proto icmp accept
log prefix "iptables-dropped: "
drop
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
iifname "eth0" ip protocol tcp tcp dport 8080 dnat to 10.0.0.5:80
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth0" masquerade
}
}
About the iptables to nftables Migration
nftables is the modern replacement for iptables, ip6tables, arptables, and ebtables on Linux. It replaces the legacy xtables framework with a single, unified syntax built on top of the netfilter subsystem. Most major distributions — including Debian 10+, Ubuntu 20.04+, RHEL 8+, and Arch — ship with nftables as the default backend, and the legacy iptables command is now usually a wrapper (iptables-nft) that translates rules into nftables behind the scenes.
This converter parses an iptables-save dump (or individual -A rules) and emits a clean nftables ruleset using the inet family for filter rules and ip for NAT — the same structure produced by iptables-translate from the nftables project, but in your browser with no install required.
iptables to nftables Syntax Mapping
The most common iptables flags and their nftables equivalents:
| iptables | nftables |
|---|---|
| -p tcp | ip protocol tcp |
| --dport 22 | tcp dport 22 |
| --sport 1024:65535 | tcp sport 1024-65535 |
| -s 192.168.1.0/24 | ip saddr 192.168.1.0/24 |
| -d 10.0.0.1 | ip daddr 10.0.0.1 |
| -i eth0 | iifname "eth0" |
| -o eth1 | oifname "eth1" |
| -m conntrack --ctstate ESTABLISHED,RELATED | ct state established, related |
| -j ACCEPT | accept |
| -j DROP | drop |
| -j REJECT --reject-with tcp-reset | reject with tcp reset |
| -j MASQUERADE | masquerade |
| -j DNAT --to-destination 10.0.0.5:80 | dnat to 10.0.0.5:80 |
| -j SNAT --to-source 1.2.3.4 | snat to 1.2.3.4 |
| -j LOG --log-prefix "drop: " | log prefix "drop: " |
| -N MYCHAIN | chain MYCHAIN { ... } |
| -j MYCHAIN | jump MYCHAIN |
Tables, Chains, and Hooks
In nftables, you create tables explicitly and attach chains to netfilter hooks with a priority. The converter uses these mappings:
| iptables table/chain | nftables family | Hook | Priority |
|---|---|---|---|
| filter / INPUT | inet | input | filter (0) |
| filter / FORWARD | inet | forward | filter (0) |
| filter / OUTPUT | inet | output | filter (0) |
| nat / PREROUTING | ip | prerouting | dstnat (-100) |
| nat / POSTROUTING | ip | postrouting | srcnat (100) |
| mangle / * | inet | (matches chain) | mangle (-150) |
Applying the Converted Ruleset
Save the output as /etc/nftables.conf and load it. Always test interactively over a console you can recover from before enabling at boot:
# Test the ruleset without applying
sudo nft -c -f /etc/nftables.conf
# Apply it
sudo nft -f /etc/nftables.conf
# Verify what is loaded
sudo nft list ruleset
# Enable on boot
sudo systemctl enable --now nftables
Frequently Asked Questions
What is the difference between iptables and nftables?
iptables is the legacy Linux firewall built on the xtables framework, with a separate command for each protocol (iptables, ip6tables, arptables, ebtables) and a fixed set of tables and chains. nftables is its modern replacement: a single command (nft) with a unified syntax that handles IPv4, IPv6, ARP, and bridge traffic in one ruleset. Under the hood, nftables uses a virtual machine in the kernel that compiles your rules into bytecode, which is faster and more flexible than xtables. It also adds first-class support for sets, maps, named counters, intervals, and atomic ruleset reloads — features that required iptables-restore tricks or external tools like ipset before.
Can iptables and nftables work together on the same system?
Yes, but with caveats. The two frameworks both attach to netfilter hooks, so they coexist at the kernel level — packets traverse rules from both in priority order. On modern distros, the iptables command is usually iptables-nft, a compatibility shim that writes nftables rules under the hood, which avoids most conflicts. The legacy iptables-legacy binary uses the old xtables backend and runs in parallel, which can cause confusing behavior because rules from each backend are invisible to the other. The recommended path is to pick one: either run pure nftables, or stick with the iptables-nft compatibility layer until you migrate. Mixing iptables-legacy and nftables on a production firewall is a debugging nightmare best avoided.
Does nftables replace iptables on Debian and Ubuntu?
Yes. Debian made nftables the default backend in Debian 10 (Buster) in 2019, and Ubuntu followed in 20.04 LTS. On both distros, the iptables package now installs iptables-nft by default, so existing scripts that call iptables continue to work — but the rules end up in the nftables kernel subsystem, not the legacy xtables one. You can confirm this with iptables -V, which shows (nf_tables) in the version string. RHEL/CentOS/Rocky 8+ and Fedora 32+ also default to nftables, typically managed through firewalld which uses nftables as its backend.
How do I check whether my system is using iptables or nftables?
Run iptables -V — if the output ends with (nf_tables), the iptables command is the nftables-backed shim and your rules live in nftables. If it ends with (legacy), you are on the original xtables backend. You can also list active nftables rules directly with sudo nft list ruleset; if it returns content, nftables is in use. Finally, lsmod | grep nf_tables shows whether the kernel module is loaded. On systemd-based distros, systemctl status nftables tells you whether the persistent ruleset service is enabled.
Is nftables actually faster than iptables?
For typical rulesets with a handful of rules, the difference is imperceptible. nftables shows clear performance wins once your ruleset grows — especially with hundreds or thousands of address/port matches — because it uses sets and maps with O(log n) lookups instead of iptables' linear chain traversal. nftables also has lower per-packet overhead in its bytecode VM than xtables' module-by-module dispatch, and it supports flowtable offload for established connections that bypasses the normal rule walk entirely. The bigger practical wins are usually maintainability: atomic reloads, named sets you can update without rewriting rules, and a single syntax across IPv4 and IPv6.
Related Tools
Need to manage SSH connections?
SSH Workbench lets you connect, browse files, and manage servers visually.
Try SSH Workbench Free