In CentOS/RHEL 8, the default iptables network packet filtering framework has been replaced with the nftables framework. As the designated successor to iptables, ip6tables, arptables, and ebtables, nftables includes packet classification facilities and several improvements that provide added convenience and better performance over the previously used packet-filtering tools. The iptables command still exists on CentOS/RHEL 8, but it is the iptables-nft variant, which stores its rules in the nf_tables kernel subsystem rather than in the legacy x_tables one.
In this post we will discuss how to migrate existing iptables rules from CentOS/RHEL 6 or 7 to nftables on CentOS/RHEL 8.
Display existing iptables rules on CentOS/RHEL 6/7
To display the existing rules on the CentOS/RHEL 6/7 server (add -n to print ports and addresses numerically instead of resolving them to names):
# iptables -L
DROP       udp  --  anywhere             anywhere             multiport dports epmap,microsoft-ds
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       udp  --  anywhere             anywhere             udp spt:netbios-ns dpts:1024:65535
DROP       tcp  --  anywhere             anywhere             multiport dports epmap,netbios-ssn,microsoft-ds
Steps
1. Save the existing rules to a file (iptables-save dumps every table, not just filter, so the nat and mangle rules are carried along too):
# iptables-save > rules.iptables
2. Copy the file from step 1 to the CentOS/RHEL 8 server with scp (or paste its content into a file there with vi).
3. On the CentOS/RHEL 8 server, translate the iptables rules file into nft syntax. iptables-restore-translate is provided by the iptables package; install it if the command is missing.
# iptables-restore-translate -f rules.iptables > rules.nft
Inspect rules.nft before loading it: a rule that uses a match or target the translator does not support is written out as a '#' comment line containing the original iptables rule, and such rules have to be rewritten in nft syntax by hand.
4. Load the rules on the CentOS/RHEL 8 machine. nft talks to the kernel directly and does not need the nftables service to be running, but nft -f adds the file's commands to whatever ruleset is already in the kernel, so load the file once only, or put a flush ruleset (or a delete of the migrated table) at the top before re-running it. If firewalld is active, stop it first, because it manages its own nftables tables and the two will interfere.
# nft -f rules.nft ### load the rules into nftables via nft.
To keep the rules across a reboot, place them in /etc/sysconfig/nftables.conf and enable the nftables service (systemctl enable --now nftables), which runs nft -f on that file at boot.
5. Display the loaded ruleset on the CentOS/RHEL 8 server:
# nft list ruleset
The rules have now been migrated from the CentOS/RHEL 6 or 7 server to the CentOS/RHEL 8 server, and you can test them against real traffic.
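The five steps above as one script, added here as an example; it is not code from the original post. It assumes the iptables-restore-translate and nft binaries are installed on the CentOS/RHEL 8 host and that, as on RHEL 8, nftables.service loads /etc/sysconfig/nftables.conf at boot. Two things the manual steps leave to the reader are handled: the script refuses to load a translation that still contains untranslated '#' rule lines, and it prefixes the file with an add/delete of each migrated table so that loading it replaces those tables instead of appending duplicate rules (a global flush ruleset would also wipe tables owned by firewalld). sample_translation writes a constructed stand-in for the translator's output so the helpers can be exercised offline.

```sh
#!/bin/sh
# Added example (not from the original post): the iptables -> nftables
# migration as one script with the checks a practitioner wants.
# Assumptions: iptables-restore-translate and nft are installed on the
# CentOS/RHEL 8 host, and nftables.service loads /etc/sysconfig/nftables.conf
# at boot (the RHEL 8 default).

# Count rules the translator could not convert. iptables-restore-translate
# writes such rules back out as '#' comment lines holding the original
# iptables rule; the only other comment it emits is the "Translated by" header.
untranslated_count() {
    awk '/^#/ && !/^# Translated by/ { n++ } END { print n + 0 }' "$1"
}

# Turn a translated file into one that replaces the migrated tables instead
# of appending to them. nft -f simply executes the commands in the file, so
# loading the raw translation twice duplicates every rule. "add table" is a
# no-op when the table already exists, so the "delete table" after it never
# fails on a fresh host, and tables owned by firewalld or other tools are not
# touched (a global "flush ruleset" would wipe them). Everything in one
# nft -f run is applied as a single atomic transaction.
make_replacing_ruleset() {
    {
        echo '#!/usr/sbin/nft -f'
        awk '/^add table / && !seen[$3 " " $4]++ {
                 printf "add table %s %s\ndelete table %s %s\n", $3, $4, $3, $4
             }' "$1"
        cat "$1"
    } > "$2"
}

# Constructed stand-in for the translator output of the rules shown in this
# post (not real tool output); lets the helpers above be exercised offline.
sample_translation() {
    cat > "$1" <<'EOF'
# Translated by iptables-restore-translate v1.8.4 on Mon Jan  1 00:00:00 2024
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT udp dport { 135, 445 } counter drop
add rule ip filter INPUT udp dport 137-139 counter drop
add rule ip filter INPUT udp sport 137 udp dport 1024-65535 counter drop
add rule ip filter INPUT tcp dport { 135, 139, 445 } counter drop
EOF
}

# Full migration: translate, refuse to load if anything was left untranslated,
# dry-run with nft -c, apply, then persist for the nftables service.
migrate() {
    src="$1"                       # rules.iptables copied from the 6/7 host
    nftfile="${2:-rules.nft}"
    load="$nftfile.load"

    iptables-restore-translate -f "$src" > "$nftfile"
    n=$(untranslated_count "$nftfile")
    if [ "$n" -gt 0 ]; then
        echo "$n rule(s) were not translated; fix the '#' lines in $nftfile first" >&2
        return 1
    fi

    make_replacing_ruleset "$nftfile" "$load"
    nft -c -f "$load"              # parse and validate only, nothing is applied
    nft -f "$load"                 # apply atomically
    nft list ruleset               # confirm what the kernel now holds

    # nftables.service runs nft -f on this file at boot; the add/delete
    # prefix keeps a service restart from duplicating the rules.
    cp "$load" /etc/sysconfig/nftables.conf
    systemctl enable --now nftables
}

# Usage: sh migrate.sh rules.iptables [rules.nft]
if [ "$#" -gt 0 ]; then
    migrate "$@"
fi
```

Run it as root on the CentOS/RHEL 8 host with the rules.iptables file from step 1 as the argument. If it reports untranslated rules, edit the '#' lines in rules.nft into nft syntax and re-run; the delete-then-add prefix makes a second run safe.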