# from iptables to nftables: I need serious guidance.

## alexcortes

Hello,

I'm on kernel 3.12.14, but when 3.14 is out I'll switch, and I want to already have a working nftables script. I'm looking at/trying to convert my current iptables script to nftables, but I'm not firewall savvy in any way.

I'm reading several of the nftables documents I found, and it's still crazy for me and seems to be missing information.

My current iptables script:

```
iptables -F
iptables -X
iptables -Z
iptables -N TCP
iptables -N UDP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable #icmp-port-unreach
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset #tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable #icmp-proto-unreach
iptables -A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
iptables -A TCP -s 10.0.0.0/16 -p tcp --dport 22 -j ACCEPT
```

This is the nftables tentative (where I stopped, and I have no idea if it makes sense):

```
nft add chain TCP
nft add chain UDP
nft add rule filter input drop
nft add rule filter input accept
nft add rule forward input drop
nft add rule filter output oif lo accept
nft add rule filter input conntrack ct state invalid counter drop
nft add rule filter input conntrack ct state established,related counter accept
nft add rule filter input type 8 conntrack ct state new counter accept
nft add rule filter input udp conntrack ct state new counter UDP
nft add rule filter input TCP tcp flags FIN,SYN,RST,ACK SYN conntrack ct state new TCP
nft add rule filter input udp ct state new reject type icmp-port-unreachable
nft add rule filter input tcp ct state new reject type tcp-reset
nft add rule filter input ct state new reject type icmp-proto-unreachable
```

Thanks!!!

----------

## SirRobin2318

First off, iptables won't be dropped in the foreseeable future, so don't feel rushed. That being said, nftables is fun.

An nftables rules file is a lot easier to read and maintain than a bash script with all the commands needed to achieve the state of the firewall. Have a look at this: https://wiki.archlinux.org/index.php/Nftables

Have a go at converting your script to that syntax, there's all you need on that wiki for basic tcp/udp, ct, tcp flags. If something isn't covered by it, we'll have a look at http://lwn.net/Articles/324251/ and get it working.

Then post what you come up with, and we'll have a look. I can even test your rules, but if you want to do so yourself you just need a 3.13 kernel.

```
=sys-kernel/gentoo-sources-3.13.5 ~amd64
=net-libs/libnftnl-1.0.0-r2 ~amd64
=net-firewall/nftables-0.099 ~amd64
=app-arch/lz4-0_p106-r1 ~amd64
```

and then:

```
emerge -a nftables
```

And you're good to go.

----------

## alexcortes

@SirRobin2318

Thank you for your input. I will leave it for a while until 3.14 is out; I don't want to compile 3.13.x now and then 3.14 next week.

----------

## 666threesixes666

Please document as you go. https://wiki.gentoo.org/wiki/Nftables is pretty barren. Even if you slaughter the formatting, I'll come by and fix it eventually.

----------

## SirRobin2318

@666

you can take this: https://wiki.archlinux.org/index.php/Nftables#Limit_rate_and_tcp_flags_IP.2FIPv6_Firewall

I'm the one that contributed it.
