Linux's Next-Generation Firewall


Article from Issue 195/2017

Nftables promises to be the future of Linux firewalls. Meet iptables' replacement.

Q: Why should I be concerned about what Christian hip-hop artist Nate Feuerstein does with his tables?

A: Not NF's tables, but nftables (or Netfilter tables). It's the name of the next-generation firewall for Linux.

Q: Firewall? That sounds like a pretty horrible thing. Even if the fire doesn't spread, the smoke damage would be catastrophic for the interior decoration. I can't imagine it'd be too good for the computer either, especially as the fan that's supposed to keep the CPU cool would only make the fire hotter. You can keep your pyromania to yourself, thank you very much.

A: Just on the off chance that you're not being deliberately difficult, a firewall is a bit of software that looks at all the network traffic going in or out of your machine and decides if it should be let through or not. These can be as simple or complex as you like. For example, a really basic firewall would let any outbound connections through (so you could get data from other machines) but not any inbound connections (so no one could request data from you). If you then decided to run a web server on this machine, you'd have to open up port 80 so that browsers could connect to you.

Q: Hang on, I'd need 80 ports? I've only got one Ethernet connection. Where would I get the other 79?

A: In IP networking (which is almost all networking these days), you need two identifying things when connecting to the other computer. There's the IP address, which locates the machine to which you want to connect, and there's a port number, which identifies the software you want to connect to on that machine. The port number doesn't refer to a physical port but is just a reference, so the machine receiving the connection knows where to send the data.

On any machine, only one piece of software can be listening on a given port, so the kernel forwards all data to that software. All ports are the same, so in principle you could have any software listening on any port number, but a few conventions make life a little easier. For example, web servers usually listen on port 80 (for HTTP) and 443 (for HTTPS), so when you use a web browser, it will always try to use these ports unless you specify a different port, which is done by adding a colon and then the port number after the web server domain name.

Q: Ah, OK. So all I have to do is tell my firewall what services I want to run, and it'll open up those ports?

A: Well, that would be a very basic setup. Firewalls can do quite a lot more than this, though. The current standard Linux firewall, iptables, allows you to do things like limit access to certain services to particular machines (usually identified by IP address), log particular events, and even block people who are repeatedly trying to guess passwords. All together, the iptables firewall is a large part of most Linux setups' security.

Q: This all sounds quite useful. I should get a firewall.

A: If you're using Linux, you probably already have one, and it's probably iptables. You can see what it's currently doing by entering the following at the command line:

sudo iptables --list

This will give you a list of rules. For each packet, the firewall starts at the top, and each rule is a pattern to match that might contain a port, an IP address, or some other way of matching a packet. Each rule has either an accept, reject, or log action. If the packet matches that rule, the firewall performs the action; if it doesn't, it moves onto the next rule until it gets to the bottom. If nothing matches, the firewall accepts the packet. Nftables works in much the same way.

Q: OK. If iptables is so popular and nftables works in much the same way, why should I bother with nftables?

A: That's an excellent question. Iptables is a mature, well-understood technology that you shouldn't be in a rush to get rid of, but at the same time, it does have some weaknesses. For example, iptables only works with IPv4, which is still the most common version of the IP protocol, but IPv6 is slowly becoming more used. There is an IPv6 equivalent (rather unimaginatively called ip6tables), but this means that you have to duplicate all your work to make sure you stay secure on a machine that supports both versions (and you should support both versions if possible).

The second major difference is that the rule syntax allows more concise expression. In many cases, rules that would have taken many lines of iptables rules can be done in a single line with nftables. This might not seem like a huge deal if you're only using small rulesets, but it's not uncommon for server setups to have iptables configurations that span several hundred lines, and shortening this makes it much easier to maintain.

Beyond this, there are a few advantages for larger setups, such as faster updating of rules, but these are only really applicable to large data centers.

In short, there are no major problems with iptables, but nftables is a bit better and likely to be the future of firewalls on Linux.

Q: When can I get started with nftables?

A: Right now [1]. Well, depending on your distro, that is. Support for nftables first came into Linux with kernel version 3.13, which was back in January 2014, so most modern distros should have it available (although you might have to install a package from the repository to get it to work) [2]. If you're using a slow-moving enterprise distro, you might have to upgrade to get support. Take a look at your distro's documentation for more details.

Q: So, I guess this begs the question: Should I be using iptables or nftables?

A: There's no simple answer to that. If you're currently using iptables and it's working for you, then there's no pressing need to switch at the moment. On the other hand, if you're not using a firewall, or learning how to configure them for the first time, then you might want to consider nftables, because it's likely to be the future of Linux firewalls.


  1. Want to get up and running with nftables? The project website ( has more information than you could possibly want.
  2. Nftables has been part of the Linux Kernel since version 3.13, but it needs to be selected before compiling, so make sure to select the right options if you build your own.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Persistent iptables

    The Linux iptables packet filter lacks an easy way to load rules automatically after restarting a system, but you can automate this process several ways.

  • Charly's Column: UFW

    Things were better back then. No way! Charly takes a look back at the bad old firewall days and explains why things are better today – assuming you have the right tools.

  • KTools: KMyFirewall

    Linux has a fantastic selection of firewalls for securing stand-alone computers or whole networks. Although you can use IPTables to set up a firewall, the configuration is often the most difficult step. KMyFirewall offers a powerful, user-friendly, GUI-based approach.

  • Firewall Logfile Analyzers

    Netfilter firewalls create highly detailed logfiles that nobody really wants to inspectmanually. Logfile analysis tools like IPtables Log Analyzer,Wallfire Wflogs,and FWlogwatch help administrators keep track of developments and filter for importantmessages.

  • New Kernel Firewall Nftables to Succeed Netfilter

    The Netfilter team has long been mulling over rework of firewall code in the Linux kernel. Now team lead Patrick McHardy ends months of work by announcing nftables.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia