December 11, 2019 — 14:32

Author: silver  Category: linux network  Comments: Off

nftables (nft) replaces iptables:

  • Debian (10 buster) links ‘iptables’ to ‘iptables-nft’ and ‘iptables-legacy’ is actually ‘iptables’
  • RH uses nft as as preferred firewall since RHEL8 and firewalld uses nft as backend

If you haven’t switched yet you might want to ‘translate’ your current iptables rules and make other programs use nft.


rules are located in:

  • Debian /etc/nftables.conf
  • RedHat /etc/sysconfig/nftables.conf


nft list ruleset

nft list chain ip filter INPUT

nft list tables nft list table ip filter


nft flush ruleset


iptables-restore-translate -f /etc/iptables/rules.v4 > /etc/iptables/ruleset.nft

ip6tables-restore-translate -f /etc/iptables/rules.v6 > /etc/iptables/ruleset6.nft


Oddly enough the only place I could find a nft plugin was here

curl -o /usr/share/netfilter-persistent/plugins.d/15-nft


Make f2b use nft. From

  • edit ‘/etc/fail2ban/jail.local.conf’: banaction = nftables-multiport

  • add to ‘/etc/nftables.conf’: include "/etc/fail2ban.conf"

  • create ‘/etc/fail2ban.conf’:

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;

We use Matomo free and open source web analytics
We also use Jetpack Stats which honors DNT