iptables vs nftables: key differences and migration
Compare iptables and nftables syntax, performance, and features — and understand the migration path.
iptables vs nftables: key differences and migration
iptables and nftables both filter network packets on Linux, but nftables provides a unified syntax, better performance, and is the default on modern distributions.
How iptables Filters Packets
iptables uses separate command-line tools for each protocol family:
iptables (IPv4),
ip6tables (IPv6),
arptables (ARP), and
ebtables (bridging). Rules are organized into pre-defined tables (filter, nat, mangle, raw) with pre-defined chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). Each rule specifies a match and a target action.
How nftables Filters Packets
nftables uses a single command (
nft) for all protocol families. Tables and chains are user-defined — there are no pre-existing tables or chains. nftables supports sets, maps, and concatenations for efficient matching of multiple values. The syntax is more consistent and expressive than iptables.
Feature Comparison: iptables vs nftables
| Feature | iptables | nftables |
|---|---|---|
| Command-line tools | 4 separate tools (
iptables,
ip6tables,
arptables,
ebtables) | 1 unified tool (
nft) |
| Tables and chains | Pre-defined (filter, nat, mangle) | User-defined (fully custom) |
| Rule matching | Linear — evaluated sequentially | Sets and maps for O(1) lookups |
| Atomic rule replacement | Not supported — rules replaced one by one | Supported — entire ruleset replaced atomically |
| Default on Debian 10+ | No (compatibility wrapper
iptables-nft) | Yes |
| Default on RHEL 8+ | No (compatibility wrapper) | Yes |
| Persistence | Requires
iptables-persistent | Built-in via
/etc/nftables.conf |
| Migration tool | N/A | iptables-translate converts iptables rules to nft syntax |
When to Use iptables
Use iptables when managing legacy systems that predate nftables adoption, when third-party tools (Fail2Ban, Docker) require iptables compatibility, or when existing automation depends on iptables syntax. The
iptables-nft compatibility layer on modern distributions translates iptables commands to nftables rules internally.
When to Use nftables
Use nftables for new firewall configurations on modern distributions. nftables provides better performance with large rule sets (set-based matching), atomic rule updates (no packet loss during reconfiguration), and a cleaner syntax. For migrating existing rules, use
iptables-translate to convert individual rules or
iptables-restore-translate for entire rulesets.