/

iptables-restore-translate (8) Linux Manual Page

ByLinux Manual Posted on Updated on

iptables-translate — translation tool to migrate from iptables to nftables

ip6tables-translate — translation tool to migrate from ip6tables to nftables

Description

There is a set of tools to help the system administrator translate a given ruleset from iptables(8) and ip6tables(8) to nftables(8). The available commands are:

iptables-translate

iptables-restore-translate

ip6tables-translate

ip6tables-restore-translate

Usage

They take as input the original iptables(8)/ip6tables(8) syntax and output the native nftables(8) syntax.

The iptables-restore-translate tool reads a ruleset in the syntax produced by iptables-save(8). Likewise, the ip6tables-restore-translate tool reads one produced by ip6tables-save(8). No ruleset modifications occur, these tools are text converters only.

The iptables-translate reads a command line as if it was entered to iptables(8), and ip6tables-translate reads a command like as if it was entered to ip6tables(8).

Examples

Basic operation examples. Single command translation: 

root [at] machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
root [at] machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept

Whole ruleset translation: 

root [at] machine:~# iptables-save > save.txt
root [at] machine:~# cat save.txt
# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
*filter
:INPUT ACCEPT [5166:1752111]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5058:628693]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:26:40 2016
root [at] machine:~# iptables-restore-translate -f save.txt
# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add rule ip filter FORWARD tcp dport 22 ct state new counter accept
root [at] machine:~# iptables-restore-translate -f save.txt > ruleset.nft
root [at] machine:~# nft -f ruleset.nft
root [at] machine:~# nft list ruleset
table ip filter {
 chain INPUT {
 type filter hook input priority 0; policy accept;
 }
 chain FORWARD {
 type filter hook forward priority 0; policy accept;
 tcp dport ssh ct state new counter packets 0 bytes 0 accept
 }
 chain OUTPUT {
 type filter hook output priority 0; policy accept;
 }
}

Limitations

Some (few) extensions may be not supported (or fully-supported) for whatever reason (for example, they were considered obsolete, or we didn’t have the time to work on them).

There are no translations available for ebtables(8) and arptables(8).

To get up-to-date information about this, please head to https://wiki.nftables.org/.

See Also

nft(8), iptables(8)

Authors

The nftables framework is written by the Netfilter project (https://www.netfilter.org).

This manual page was written by Arturo Borrero Gonzalez <arturo [at] netfilter.org>.

This documentation is free/libre under the terms of the GPLv2+.

Leave a Reply

Your email address will not be published. Required fields are marked *