Linux Firewalling - Moving from iptables to nftables - kevwells.com

Linux Firewalling – Moving from iptables to nftables

Why Firewalls Still Matter

Despite the cloud hype, perimeter and host firewalls remain the first line of defence. Unfiltered services (SSH, RDP, databases) are typically probed within minutes of appearing on the internet, and a host with no default-drop policy answers every one of those probes. The problem: many environments still write iptables rules, even though on current distributions (Debian 10+, RHEL 8+, Ubuntu 20.04+) the iptables command is only a compatibility front end (iptables-nft) over the nftables kernel subsystem.

nftables is the modern replacement: one tool and one syntax for IPv4, IPv6, ARP and bridge filtering (the inet family filters v4 and v6 in a single table), atomic ruleset reloads, native sets and maps instead of long linear chains, and a plain-text configuration file that is easy to version and template from automation tools.


nftables Baseline Checklist

  1. Install nftables

    apt install nftables          # Debian/Ubuntu
    yum install nftables          # RHEL/CentOS (dnf on RHEL 8+)
    systemctl enable --now nftables

  2. Basic Ruleset Example

    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;

            # allow loopback
            iif lo accept

            # allow established connections
            ct state established,related accept

            # allow SSH
            tcp dport 22 accept

            # allow ICMP (ping)
            icmp type echo-request accept

            # the inet family covers IPv6 too: with policy drop, neighbour
            # discovery has to be allowed explicitly or IPv6 stops working
            icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        }
    }

    Rules are evaluated top to bottom; anything that matches nothing falls through to the chain policy and is dropped.

  3. Test & Save Rules

    nft -c -f /etc/nftables.conf    # syntax-check the file without loading it
    nft -f /etc/nftables.conf       # load it (the whole file is applied atomically)
    nft list ruleset                # show what the kernel is actually running
    nft list ruleset > /etc/nftables.conf

    Caveat: the file the nftables service loads at boot (/etc/nftables.conf on Debian/Ubuntu, /etc/sysconfig/nftables.conf on RHEL) should start with "#!/usr/sbin/nft -f" and "flush ruleset", so that a reload replaces the old rules instead of appending duplicates; a plain "nft list ruleset > file" writes neither line, so add them at the top. Keep a console or out-of-band session open while testing any policy drop ruleset over SSH.

  4. Integration with Ansible

    Manage the ruleset as a file rather than rule by rule: template the config with ansible.builtin.template, set validate to "nft -c -f %s" so a broken file is rejected before it replaces the live one, and notify a handler that restarts the nftables service. The same template with per-host variables then gives idempotent firewall configs across a fleet.

Applied Example: Restricting SSH to Corporate IPs

tcp dport 22 ip saddr 203.0.113.0/24 accept

→ Put this in place of the unconditional "tcp dport 22 accept" from the baseline (an earlier blanket accept would win, since rules are evaluated in order). SSH from the corporate VPN range (203.0.113.0/24 is the RFC 5737 documentation prefix standing in for the real one) is accepted; SSH from anywhere else falls through to policy drop, so opportunistic scanners see no open port at all. Caveat: ip saddr matches IPv4 only; if the VPN hands out IPv6 addresses, add a matching rule with ip6 saddr.
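The checklist steps and the SSH restriction above fit together into one persistent ruleset. The script below is an added example, not code from the original page: it writes an /etc/nftables.conf-style file (the script name nft-baseline.sh, the output path and the CORP_NET variable are assumptions; 203.0.113.0/24 is the RFC 5737 documentation prefix standing in for a real VPN range) with "flush ruleset" at the top, a named set for the allowed SSH sources, the IPv6 neighbour-discovery exceptions, and rate-limited logging of dropped packets, which goes slightly beyond the page's ruleset. It then syntax-checks the file with nft -c -f without loading anything.

```shell
#!/bin/sh
# nft-baseline.sh (assumed name): generate and syntax-check a default-drop
# nftables ruleset. Added example; not the page's own code.
set -eu

# Assumed corporate VPN range; RFC 5737 documentation prefix used as a stand-in.
CORP_NET="${CORP_NET:-203.0.113.0/24}"

# write_ruleset PATH: write a complete, reload-safe ruleset file to PATH.
write_ruleset() {
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
# "flush ruleset" makes every load a replacement, not an append.
flush ruleset

table inet filter {
    # Allowed SSH sources; add addresses here instead of adding rules.
    set corp_ssh {
        type ipv4_addr
        flags interval
        elements = { $CORP_NET }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop
        ct state established,related accept

        # inet covers IPv6: neighbour discovery must pass or v6 breaks silently.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        icmp type echo-request accept
        icmpv6 type echo-request accept

        # SSH only from the set; every other source hits the drop policy.
        tcp dport 22 ip saddr @corp_ssh accept

        # Log a sample of what is dropped; the limit stops a scan flooding the journal.
        limit rate 5/minute log prefix "nft-drop: " counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_ruleset PATH: dry-run parse with nft -c (nothing is loaded into the kernel).
# Returns nft's status; if nft is not installed the check is skipped.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# Usage: sh nft-baseline.sh /tmp/nftables.conf
# Review the file, then as root: nft -f /tmp/nftables.conf and copy it into place.
if [ -n "${1:-}" ]; then
    write_ruleset "$1"
    check_ruleset "$1" && echo "ruleset written to $1; load with: nft -f $1"
fi
```

Writing to a temporary path first and loading with nft -f only after nft -c passes is the safe order; because the file starts with flush ruleset, a second load replaces rather than duplicates the rules, and the named set lets the allowed SSH sources be changed without touching the chain logic.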


Why Clients Care

  • Reduced Attack Surface: a default-drop host policy discards the commodity scanning and botnet traffic that makes up the bulk of hostile connections to internet-facing hosts, before any service sees it.
  • Modernisation: iptables is now a compatibility layer over nftables on current distributions; moving to a native nftables ruleset removes the legacy tooling and its translation quirks.
  • Auditor Friendly: a single version-controlled ruleset file documents the controls and shows they are actively maintained.

Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.

With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.