Overview

RHEL 9 uses nftables as the default backend for the firewall. The iptables commands in RHEL 9 are actually wrappers around nftables (iptables-nft) or the legacy backend (iptables-legacy), depending on installation.
Migrating the saved rules directly preserves the existing firewall policy while moving to nftables' modern, unified syntax.

Key Points

  • RHEL 9 uses nftables as the default backend
  • iptables commands are wrappers around nftables (iptables-nft) or legacy (iptables-legacy)
  • Direct migration preserves existing firewall rules
  • Modern, unified syntax for better management

Step-by-Step Migration

1. Check Current iptables Setup

Export all IPv4 and IPv6 rules to backup files:

    sudo iptables-save > ~/iptables.rules
    sudo ip6tables-save > ~/ip6tables.rules

Inspect these files for custom chains or scripts you need to port manually.

Check which iptables backend your system uses:

    sudo alternatives --display iptables

You should see something like:

    iptables - manual mode
    link currently points to /usr/sbin/iptables-nft

If it points to iptables-legacy, switching to iptables-nft is recommended.
2. Install nftables

Install and enable the nftables service:

    sudo dnf install nftables -y
    sudo systemctl enable --now nftables

Rules are stored in /etc/nftables/ or /etc/sysconfig/nftables.conf depending on RHEL version.
3. Convert iptables Rules to nftables

RHEL 9 ships translation tools for this: iptables-translate converts a single iptables command, and iptables-restore-translate converts a whole iptables-save dump, which is what the backup files from step 1 contain:

    sudo iptables-restore-translate -f ~/iptables.rules > ~/nftables.rules
    sudo ip6tables-restore-translate -f ~/ip6tables.rules >> ~/nftables.rules

Important: Review the file carefully. Some complex chains or match extensions have no direct nftables equivalent and need manual adjustment.
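To make that review less error-prone, here is an added Python check (not part of this guide or of the iptables tooling) that compares per-chain rule counts in the iptables-save dump with the "add rule" lines in the translated file and flags any rule that survived only as a comment. Both inputs are constructed samples, and the exact form in which iptables-restore-translate reports an untranslatable rule is an assumption to confirm against your own output.

```python
import re
from collections import Counter

# Constructed sample of iptables-save output: four rules in two chains.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:SSH-LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j SSH-LIMIT
-A SSH-LIMIT -m recent --name ssh --set -j ACCEPT
COMMIT
"""
# Constructed translated file: the last rule was not converted and survives
# only as a comment (assumed format), so the SSH-LIMIT chain ends up empty.
NFT_RULES = """\
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter SSH-LIMIT
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter INPUT tcp dport 22 counter jump SSH-LIMIT
# -A SSH-LIMIT -m recent --name ssh --set -j ACCEPT
"""

def count_iptables_rules(dump):
    """Map (table, chain) -> number of '-A' rules in an iptables-save dump."""
    counts, table = Counter(), None
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. '*filter'
            table = line[1:].strip()
        elif line.startswith("-A ") and table:
            counts[(table, line.split()[1])] += 1
    return counts

def count_nft_rules(ruleset):
    """Map (table, chain) -> number of 'add rule <family> <table> <chain>' lines."""
    counts = Counter()
    for m in re.finditer(r"^add rule \S+ (\S+) (\S+)", ruleset, re.M):
        counts[(m.group(1), m.group(2))] += 1
    return counts

def find_untranslated(ruleset):
    """Comment lines that still carry an iptables '-A' rule need manual porting."""
    return [l for l in ruleset.splitlines() if l.startswith("#") and " -A " in l]

def compare(dump, ruleset):
    """(table, chain, iptables_count, nft_count) for every chain whose counts differ."""
    before, after = count_iptables_rules(dump), count_nft_rules(ruleset)
    keys = sorted(set(before) | set(after))
    return [(t, c, before[t, c], after[t, c]) for t, c in keys if before[t, c] != after[t, c]]
```

Run it against the IPv4 and IPv6 file pairs separately, since an iptables-save dump carries no address family.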
4. Test nftables Rules (Optional)

Before persisting them, load the rules into the running kernel (they are not saved across reboots until step 5):

    sudo nft -f ~/nftables.rules

Check the current nftables state:

    sudo nft list ruleset

Test connectivity (SSH, web, VPN, etc.) to make sure nothing breaks. If you are working over SSH, keep a second session open or have console access available, since a wrong rule can lock out the session you are testing from.
5. Persist nftables Rules

Copy the rules to the nftables configuration file:

    sudo cp ~/nftables.rules /etc/sysconfig/nftables.conf
    sudo systemctl enable --now nftables

Apply the changes:

    sudo systemctl restart nftables
6. Disable iptables Service

To avoid conflicts, stop and disable the iptables services:

    sudo systemctl stop iptables ip6tables
    sudo systemctl disable iptables ip6tables

Confirm nftables is handling the firewall rules:

    sudo nft list ruleset
7. Switch iptables to NFT Backend (Optional)

Even after migration, you can keep using iptables commands, backed by nftables:

    sudo alternatives --set iptables /usr/sbin/iptables-nft
    sudo alternatives --set ip6tables /usr/sbin/ip6tables-nft

This keeps compatibility with scripts that still call iptables.

Key Tips

  • Backup: Always back up the original iptables rules before migration
  • Test First: Test rule-by-rule on a staging host if possible
  • Verify: Use nft list ruleset frequently to verify that the rules loaded
  • Avoid Mixing: Avoid mixing iptables-legacy and nftables; choose one backend to prevent conflicts