IPtables rules to NFTables rules

[user2837961]

OS: Debian 11 x86_64

I am looking to convert some of my iptable rules to nftables.
I have tried to use iptables-translate, but it is not translating all of my rules.

My original iptables script:

#!/bin/sh

sudo apt install iptables

# accept ports 500 and 4500, required for IKEv2
sudo iptables -A INPUT -p udp --dport  500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward ESP
sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.1.1.1/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.1.1.1/24 -j ACCEPT

# more forwarding
sudo iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -o eth0 -j MASQUERADE

# fix fragmentation
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.1.1.1/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

sudo apt install iptables-persistent

# make persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload

The equivalent nftables script would be something like this ...

#!/bin/sh

sudo apt install nftables
# Enable NFTables  as a service and start
sudo systemctl enable nftables
sudo systemctl start nftables

# ------------
# ????? nftable rules here ????
# ------------

sudo nft list ruleset > /etc/nftables.conf

Can anyone please assist in providing the equivalent nftable rules?

 

[f33dm3bits]

Chapter 47. Getting started with nftables Red Hat Enterprise Linux 8 | Red Hat Customer Portal

Access Red Hat’s knowledge, guidance, and support through your subscription.

access.redhat.com

 

[user2837961]

Chapter 47. Getting started with nftables Red Hat Enterprise Linux 8 | Red Hat Customer Portal

Access Red Hat’s knowledge, guidance, and support through your subscription.

access.redhat.com

Thankyou for the link. I have already read through the guides but am still unable to translate my iptable rules, hence the request in this forum for help in translating my specific rules.

 

[KGIII]

I have no experience with this, but found this link yesterday.

Moving from iptables to nftables - nftables wiki

wiki.nftables.org

I share it now as it seems nobody else really has a more direct answer. But, from reading the link, it doesn't look too taxing.

 

[f33dm3bits]

I have no experience with this, but found this link yesterday.

Moving from iptables to nftables - nftables wiki

wiki.nftables.org

I share it now as it seems nobody else really has a more direct answer. But, from reading the link, it doesn't look too taxing.

Strange this morning that wiki wasn't working(as in the dns name wasn't resolvable anymore) so I wasn't able to browse to the article, it's working again it seems. I rewrote my iptables setup to nftables a year ago or so by going through the nftables wiki and the Rhel nftables documentation. I'm no expert on iptables or nftables so if I was able to do it with soms effort so should you.

Probably depending on your distribution you can either write your configuration to one of this places:
- /etc/nftables.conf (file)
- /etc/sysconfig/nftables.conf (file)
- /etc/nftables (directory) - place your configuration in this directory and it will load.

 

[f33dm3bits]

Configuring tables - nftables wiki

wiki.nftables.org

Configuring chains - nftables wiki

wiki.nftables.org

Performing Network Address Translation (NAT) - nftables wiki

wiki.nftables.org

nftables wiki

wiki.nftables.org