iptables to nftables?

    From Wesley@21:1/5 to All on Tue Aug 6 13:10:01 2024
    We have several debian servers, all running iptables. On average each has 200 rules, mostly deny rules. From a best practice perspective, do we need to upgrade to nftables?

    Thanks & regards.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
    From Dan Ritter@21:1/5 to Wesley on Tue Aug 6 16:40:01 2024
    Wesley wrote:
    We have several debian servers, all running iptables. On average each has 200 rules, mostly deny rules. From a best practice perspective, do we need to upgrade to nftables?


    iptables is currently implemented in terms of nftables. While it
    is possible that someday that interface will be removed, you
    don't need to do anything until you see that day arriving.

    200 is a lot for a human to manage. You may be able to simplify your
    iptables rules by taking advantage of ipset for large numbers of
    IPs (hash:ip) or ports (bitmap:port) that need similar
    treatment. That's available in nftables as well.


    -dsr-

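The simplification Dan describes, as an added example that is not code from the thread: a small Python script (assumptions: the rules come from an iptables-save dump, only IPv4 `-s` and TCP `--dport` rules are collapsed, and the output targets an `inet filter` table) that groups per-address and per-port rules with the same target into nftables named sets, the nft counterpart of ipset's hash:ip and bitmap:port, and lists the rules it left alone so their ordering can be checked by hand.

```python
import re
from collections import defaultdict

# Constructed iptables-save excerpt (not from the thread): per-address and
# per-port deny rules that all get the same treatment, plus rules we keep.
SAMPLE_RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.5/32 -j DROP
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 2323 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
""".strip().splitlines()

ADDR_RE = re.compile(r"^-A (\S+) -s (\S+) -j (\S+)$")  # IPv4 source only
PORT_RE = re.compile(r"^-A (\S+) -p tcp -m tcp --dport (\d+) -j (\S+)$")
HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}

def collapse(lines):
    """Group one-address / one-port rules by (chain, kind, target); return
    ({(chain, kind, target): [members]}, [lines left unconverted])."""
    groups, leftover = defaultdict(list), []
    for line in (l.strip() for l in lines):
        if m := ADDR_RE.match(line):
            chain, addr, target = m.groups()
            groups[(chain, "addr", target)].append(addr.removesuffix("/32"))
        elif m := PORT_RE.match(line):
            chain, port, target = m.groups()
            groups[(chain, "port", target)].append(port)
        else:
            leftover.append(line)
    return dict(groups), leftover

def to_nft(groups, leftover):
    """Render an 'inet filter' table with one named set and one rule per group.
    Unconverted rules become comments: set rules change evaluation order, so
    re-add them by hand where the original ordering matters."""
    sets, chains = [], defaultdict(list)
    for (chain, kind, target), members in groups.items():
        name = f"{chain.lower()}_{kind}_{target.lower()}"
        typ, match = ("ipv4_addr", "ip saddr") if kind == "addr" else ("inet_service", "tcp dport")
        sets.append(f"  set {name} {{ type {typ}; flags interval; elements = {{ {', '.join(members)} }} }}")
        chains[chain].append(f"    {match} @{name} {target.lower()}")
    out = ["table inet filter {"] + sets
    for chain, rules in chains.items():
        out.append(f"  chain {chain.lower()} {{")
        if chain in HOOKS:  # base chain: attach it to the netfilter hook
            out.append(f"    type filter hook {HOOKS[chain]} priority 0; policy accept;")
        out += rules + ["  }"]
    out.append("}")
    return "\n".join(out + [f"# unconverted: {l}" for l in leftover])
```

Feed the output to `nft -c -f` on a test host first; the `-c` check catches syntax problems before any rule is loaded.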
    From Michel Verdier@21:1/5 to Dan Ritter on Tue Aug 6 21:20:02 2024
    On 2024-08-06, Dan Ritter wrote:

    200 is a lot for a human to manage. You may be able to simplify your
    iptables rules by taking advantage of ipset for large numbers of
    IPs (hash:ip) or ports (bitmap:port) that need similar
    treatment. That's available in nftables as well.

    And udp/tcp ipv4/ipv6 can be mixed in some rules.
    But check also if your other programs can use nftables.
