nftables vs iptables
nftables is the modern replacement for iptables on Linux. It uses a cleaner syntax, supports both IPv4 and IPv6 in a single ruleset (inet family), and is the default on Debian 10+, Ubuntu 20.04+, and RHEL 8+.
iptables is still widely used and available everywhere. It requires separate ip6tables commands for IPv6. On systems with nftables, iptables is often emulated via iptables-nft.
Applying nftables Rules
sudo nft -f /etc/nftables.conf — Apply rules from file.
sudo systemctl enable --now nftables — Enable and start the nftables service (loads /etc/nftables.conf on boot).
sudo nft list ruleset — Show current active rules.
sudo nft flush ruleset — ⚠️ Remove all rules immediately.
Applying iptables Rules
sudo iptables-restore < /etc/iptables/rules.v4 — Apply saved rules.
On Debian/Ubuntu, install iptables-persistent: sudo apt install iptables-persistent. Rules in /etc/iptables/rules.v4 and rules.v6 are automatically loaded on boot.
sudo iptables -L -n -v — List active rules with packet counts.
sudo iptables -F — ⚠️ Flush (delete) all rules.
Common Patterns
Allow SSH from specific IP only: Source = 203.0.113.1, Protocol = tcp, Port = 22, Chain = INPUT, Action = accept. Then add a DROP rule for port 22 from any source to block all others. The accept rule must come before the drop rule, since the first matching rule wins.
Rate limit connections: Use the limit match in nftables or -m limit in iptables to throttle connection rates (e.g., max 10/second).
Port forwarding (DNAT): Requires a PREROUTING rule in the nat table — use a manual rule in the generated output.
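The three patterns above combined into one inet ruleset, as an added example that is not part of the original page: 203.0.113.1 is the admin host from the SSH pattern; the interface name eth0, the internal host 192.0.2.10 and the ports 8080/80 for the DNAT rule are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for /etc/nftables.conf (not from the original page).
# eth0 and 192.0.2.10 are placeholders; replace them for your network.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and already-established traffic first.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # SSH only from the admin host; the drop policy catches everyone else.
        tcp dport 22 ip saddr 203.0.113.1 accept

        # Rate limit: at most 10 new web connections per second.
        tcp dport { 80, 443 } ct state new limit rate 10/second accept

        # Ping and diagnostics for IPv4 and IPv6.
        meta l4proto { icmp, icmpv6 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Let the DNATed connections from the nat table through.
        ct status dnat accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Port forwarding: TCP 8080 arriving on eth0 -> internal host port 80.
        iif "eth0" tcp dport 8080 dnat to 192.0.2.10:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oif "eth0" masquerade
    }
}
```

Check the file without applying it with sudo nft -c -f /etc/nftables.conf; the forwarding rules also need net.ipv4.ip_forward=1 set via sysctl.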
Protocol Values
tcp — HTTP, HTTPS, SSH, SMTP, most services.
udp — DNS, WireGuard VPN, DHCP, gaming.
icmp / icmpv6 — Ping and network diagnostics.