by: Babin Lonston. Posted on: August 28, 2019 / March 6, 2022
Introduction
In today’s guide, let’s walk through how to migrate iptables to nftables from any RHEL 6 or 7 Linux server to a RHEL 8 based operating system. Being able to migrate iptables rules to nftables automatically eliminates much of the pain of rewriting complex iptables rules by hand.
Currently we are running on RHEL 7, and the requirement is to migrate our running production from RHEL 7 to 8. In this case, we need more flexibility during the whole migration process. To make the migration smoother, RHEL 8 and its variants come with the “iptables-restore-translate” command, which converts existing iptables rules to nftables syntax.
Before starting with migration, let’s prepare by saving the rules to a file.
Export IPtables to a file
First of all, we need to save all our iptables rules by redirecting the output of iptables-save to a file; any name and extension will do. This is as simple as what we do in our usual daily activities.
# iptables-save > iptables_rules.txt
The next step is to verify the saved rules.
Verify the Existing Rules
To verify the saved rules, just cat the file and go through the rules. Make sure to confirm that all the rules were saved.
# cat iptables_rules.txt
As the output confirms, we have only a few rules, shown below.
[root@sysadmins ~]# cat iptables_rules.txt
# Generated by iptables-save v1.4.21 on Tue Aug 27 23:47:24 2019
*filter
:INPUT ACCEPT [107:10038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [62:8606]
-A INPUT -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Tue Aug 27 23:47:24 2019
[root@sysadmins ~]#
Once the rules are saved, copy the file “iptables_rules.txt” to the destination server running on RHEL 8 based operating system.
Convert the iptables rules to nftables
On the RHEL 8 based operating system, start converting the iptables rules by running the translate command against the copied iptables file and redirecting the output to a file of nft rules.
# iptables-restore-translate -f iptables_rules.txt > nft_ruleset.nft
With that, we have converted our iptables rules to nftables.
Load and Import the rules
Load the rules with the -f option, specifying the converted “nft_ruleset.nft” rules file.
# nft -f nft_ruleset.nft
Once the above command has run, the rules are imported into nftables.
List and verify the nftables rules
Finally, list and verify the imported rules.
# nft list ruleset
When listing, we should see the output shown below.
[root@spacewlk ~]# nft list ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        udp dport ldaps ct state established,new counter packets 0 bytes 0 accept
        tcp dport ldaps ct state established,new counter packets 0 bytes 0 accept
        udp dport ldap ct state established,new counter packets 0 bytes 0 accept
        ct state new tcp dport ssh counter packets 0 bytes 0 accept
        tcp dport ldap ct state established,new counter packets 0 bytes 0 accept
        ct state new tcp dport xmpp-server counter packets 0 bytes 0 accept
        ct state new tcp dport xmpp-client counter packets 0 bytes 0 accept
        ct state new tcp dport https counter packets 0 bytes 0 accept
        ct state new tcp dport http counter packets 0 bytes 0 accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
        ct state new tcp dport ssh counter packets 0 bytes 0 accept
        ct state new tcp dport https counter packets 0 bytes 0 accept
        ct state new tcp dport http counter packets 0 bytes 0 accept
    }
}
That’s it: we have successfully migrated our existing iptables rules to nftables without spending any time writing nftables rules.
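Eyeballing the two listings works for a dozen rules, but a script that cross-checks the saved iptables file against the `nft list ruleset` output catches a dropped, reordered or re-policied rule before the old server is retired. This is an added example, not code from the original article; it assumes the rule shapes shown above (one protocol, one destination port, a conntrack state match) and a small table mapping the service names nft prints back to port numbers, and its inputs are constructed from a subset of the page's rules.

```python
import re
# Assumption: these are the service names nft printed for the page's port numbers.
SERVICE_PORTS = {"ldaps": 636, "ssh": 22, "https": 443}

# Constructed inputs: a subset of the rules shown on the page, before and after migration.
IPTABLES_SAVE = """*filter
:INPUT ACCEPT [107:10038]
-A INPUT -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""
NFT_RULESET = """table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        udp dport ldaps ct state established,new counter packets 0 bytes 0 accept
        ct state new tcp dport ssh counter packets 0 bytes 0 accept
    }
}
"""

def parse_iptables_save(text):
    """Return {chain: [policy, [(proto, port, states), ...]]}; covers the rule shapes on the page."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                     # ":INPUT ACCEPT [107:10038]" -> chain policy
            name, policy = line[1:].split()[:2]
            chains[name] = [policy.lower(), []]
        elif line.startswith("-A"):                  # option order varies, so search each one
            chain, proto = line.split()[1], re.search(r"-p (\w+)", line).group(1)
            port = int(re.search(r"--dport (\d+)", line).group(1))
            states = frozenset(re.search(r"--state (\S+)", line).group(1).lower().split(","))
            chains[chain][1].append((proto, port, states))
    return chains

def parse_nft_ruleset(text):
    """Same structure from `nft list ruleset` output, with service names resolved to numbers."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := re.search(r"chain (\w+) \{", line):
            cur, chains[m.group(1)] = m.group(1), [None, []]
        elif m := re.search(r"policy (\w+);", line):
            chains[cur][0] = m.group(1)
        elif m := re.search(r"(tcp|udp) dport (\S+)", line):
            port = SERVICE_PORTS.get(m.group(2)) or int(m.group(2))
            states = frozenset(re.search(r"ct state (\S+)", line).group(1).split(","))
            chains[cur][1].append((m.group(1), port, states))
    return chains

def verify(ipt_text, nft_text):
    """Map each chain whose policy or ordered rule list changed to (before, after); {} means OK."""
    ipt, nft = parse_iptables_save(ipt_text), parse_nft_ruleset(nft_text)
    return {c: (ipt[c], nft.get(c)) for c in ipt if ipt[c] != nft.get(c)}
```

On a real host, feed it the contents of iptables_rules.txt and the captured output of nft list ruleset instead of the constructed strings.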
Conclusion
Migrate iptables to nftables: the availability of a conversion tool makes life easier, with only a few steps. Subscribe to our newsletter and stay tuned for upcoming Linux articles. Your feedback is welcome in the comment section below.