nftables is the successor to iptables with better syntax and performance. Unlike iptables, it provides unified management of IPv4, IPv6, and ARP rules within a single framework. The syntax is more readable and enables atomic updates of entire rule sets, eliminating the risk of inconsistent state during changes. The nf_tables kernel module is more efficient and supports native sets for bulk matching of addresses and ports.
nftables
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input tcp dport { 22, 80, 443 } accept
nft list ruleset
Rules should be saved to a file and loaded with nft -f /etc/nftables.conf. The file is applied as a single transaction, so the entire rule set is replaced atomically and there is no brief window in which the host runs with a partial or empty rule set. For advanced scenarios, maps and verdict maps let one lookup select a verdict or a target chain per key, which replaces long chains of near-identical rules.
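As an added example (not from the original page), the commands above written as a complete /etc/nftables.conf, with the loopback and ICMP rules a policy-drop host needs, a named set, and a verdict map. The ports, rate limits and log prefix are constructed for illustration.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original page). Same intent as the
# nft commands above, written as a file for `nft -f`, plus the pieces a
# policy-drop host needs. Ports, rate limits and the log prefix are constructed.

# Drop the old ruleset and load this one in a single transaction: the old
# rules stay active until the whole file has parsed, so there is no window
# in which the host is unfiltered or half-filtered.
flush ruleset

table inet filter {
    # Named set: change the allowed ports without touching the rule itself.
    set allowed_tcp {
        type inet_service
        elements = { 80, 443 }
    }

    chain ssh_in {
        # Cap new SSH connections at 10 per minute overall; the counter makes
        # brute-force attempts visible in `nft list ruleset` output.
        ct state new limit rate 10/minute counter accept
        counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # A drop policy without loopback breaks local services (resolvers,
        # databases bound to 127.0.0.1); without the ICMP rules it breaks
        # path MTU discovery and, for IPv6, neighbour discovery entirely.
        iif lo accept

        # Verdict map: one lookup applies a different verdict per key.
        ct state vmap { established : accept, related : accept, invalid : drop }

        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, packet-too-big, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        tcp dport @allowed_tcp accept
        tcp dport 22 jump ssh_in

        # Everything else hits the drop policy; log a sample so a misconfigured
        # service shows up in the logs without letting a flood fill the disk.
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it; a parse error anywhere in the file aborts the whole transaction and leaves the running ruleset unchanged.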
Firewalld
firewall-cmd --list-all
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
Firewalld works with zones — each network interface is assigned to a zone with its own set of rules. The public zone is the default and is intended for untrusted networks, trusted allows everything, and drop discards all incoming traffic. Firewalld internally uses nftables as its backend and provides a higher-level abstraction suitable for administrators who do not need granular control.
When to Use Which
- nftables — full control, custom rules, NAT, load balancing
- firewalld — simpler management, RHEL/CentOS, zone model
- iptables — legacy, migrate away
Migrate to nftables
Use nftables or firewalld for new projects. Existing iptables rules can be converted using iptables-translate and ip6tables-translate, which generate equivalent nftables syntax.