Migrating Debian Buster from iptables to nftables

In the next major release, Debian will be changing firewall providers from iptables to nftables. There are many more features and a more streamlined config syntax with nftables, so this will be a welcome change. Unfortunately, it also means learning a lot of new things and leaving the comfort of the familiar, well-documented land of iptables.

Here’s what you need to do in order to migrate your Debian machine from iptables to nftables.

Before we begin

For this guide, we’ll assume you’re using Debian Buster (Debian 10).

During this process, we’ll be removing your current firewall rules and putting a new firewall system in place. Be aware that the following undesirable issues may arise:

Migration steps

Step one — Migrate your iptables rules to nftables rules.

Step two — Validate the rules you’ve written are error-free:

Step three — Put your new rules into effect.

Step four — Uninstall iptables.

Note: Uninstalling iptables strangely removes nftables, probably because of the legacy connection between the two systems. Don’t worry, we’ll put nftables right back. (You might want to copy your rule file /etc/nftables.conf to another location, just in case it’s wiped out during this step.)
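The four steps above as one script, added here as an example rather than taken from the original post. It assumes Debian Buster with root privileges, iptables installed, the rule file at /etc/nftables.conf, and that the script is saved under a hypothetical name such as migrate.sh; the backup function guards against the rule file being wiped during step four.

```sh
#!/bin/sh
# Added example, not from the original post: the four migration steps as shell
# functions. Assumes Debian Buster, root, iptables installed, and the rule file
# path /etc/nftables.conf.
set -eu
CONF=/etc/nftables.conf

# Copy the rule file aside (step four may wipe it); returns 1 if the source is
# missing or the copy is not byte-identical.
backup_conf() {
    src="$1"; dst="$2"
    [ -f "$src" ] || return 1
    cp -p "$src" "$dst"
    cmp -s "$src" "$dst"
}

# Step one: dump the live IPv4 and IPv6 rulesets and translate them to nft syntax.
translate_rules() {
    tmp=$(mktemp)
    {
        echo '#!/usr/sbin/nft -f'
        echo 'flush ruleset'
        iptables-save > "$tmp";  iptables-restore-translate -f "$tmp"
        ip6tables-save > "$tmp"; ip6tables-restore-translate -f "$tmp"
    } > "$CONF"
    rm -f "$tmp"
}

# Step two: parse the file without loading it; nft -c exits non-zero on error.
check_rules() { nft -c -f "$CONF"; }

# Step three: load the ruleset and have the nftables unit restore it at boot.
apply_rules() { nft -f "$CONF" && systemctl enable nftables.service; }

# Step four: remove iptables, reinstall nftables (removed along with it) and
# put the backed-up rule file back in place.
replace_packages() {
    backup_conf "$CONF" "$CONF.bak"
    apt-get -y remove iptables
    apt-get -y install nftables
    cp -p "$CONF.bak" "$CONF"
}

# Run the whole migration only when invoked explicitly as: sh migrate.sh run
if [ "${1:-}" = run ]; then
    translate_rules && check_rules && apply_rules && replace_packages
fi
```

Because the steps are chained with `&&`, a translation that fails the `nft -c` check in step two stops the script before anything is loaded or any package is removed.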