Score:6

Ubuntu 21.10 switched to nftables, so why is iptables still available?


According to 21.10 release notes:

> nftables is now the default backend for the firewall.

However, having installed Ubuntu 21.10, I can see I still have iptables (and ufw) installed by default:

```
m@m-VirtualBox:~$ whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
m@m-VirtualBox:~$ whereis ufw
ufw: /usr/sbin/ufw /usr/lib/ufw /etc/ufw /usr/share/ufw /usr/share/man/man8/ufw.8.gz
```

Why does this happen?

As far as I'm aware, ufw is a wrapper around iptables, not nftables.

Can I safely use these commands? Or should I take care to never type iptables or ufw in the terminal?

Score:4

After your `whereis iptables` command, you should follow the files. For example, from a 20.04 server:

```
doug@s19:~$ whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
doug@s19:~$ ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Jan 23  2020 /usr/sbin/iptables -> /etc/alternatives/iptables
doug@s19:~$ ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Apr 18  2021 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
doug@s19:~$ ls -l /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 17 Feb 28  2020 /usr/sbin/iptables-nft -> xtables-nft-multi
doug@s19:~$ ls -l /usr/sbin/xtables-nft-multi
-rwxr-xr-x 1 root root 220488 Feb 28  2020 /usr/sbin/xtables-nft-multi
```

So, iptables is actually using nftables.

nftables can interpret iptables syntax.

Comment by Evgeniy Berezovsky: `readlink -f` is your friend here: `readlink -f $(which iptables) -> /usr/sbin/xtables-nft-multi`

Comment by Wouter0100: `nftables can interpret iptables syntax.` is not _really_ true, and the two should apparently not be used together. See [here](https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables#).
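The symlink walk in this answer can be scripted so you do not have to chase each `ls -l` hop by hand. The following is an added example, not code from the answer or from the iptables project: it walks a symlink chain one hop at a time (the way the `ls -l` sequence above does) and classifies the running variant from the `(nf_tables)` / `(legacy)` tag that `iptables -V` prints. The live check at the bottom assumes an `iptables` binary is on the PATH and simply skips when it is not.

```shell
#!/bin/sh
# Walk a symlink chain hop by hop, printing each link and finally the real file.
# Unlike `readlink -f`, this shows every intermediate hop (e.g. /etc/alternatives).
walk_links() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        # A relative target (like "xtables-nft-multi") is relative to the link's directory.
        case $t in
            /*) ;;
            *) t=$(dirname "$p")/$t ;;
        esac
        echo "$p -> $t"
        p=$t
    done
    echo "$p"
}

# Classify the iptables variant from the output of `iptables -V`, which looks like
# "iptables v1.8.7 (nf_tables)" for the nft-backed build or "... (legacy)" for the
# old one. Prints nft, legacy or unknown.
classify_backend() {
    case $1 in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Live check on this host (assumption: iptables is installed; skipped otherwise).
if command -v iptables >/dev/null 2>&1; then
    walk_links "$(command -v iptables)"
    echo "backend: $(classify_backend "$(iptables -V 2>/dev/null)")"
fi
```

On an Ubuntu host the walk should end at `xtables-nft-multi` and the backend line should say `nft`; if it says `legacy`, the `update-alternatives` choice for `iptables` has been changed from the default.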
Score:3

I don't have all the answers to your questions but I do have some of them.

UFW is a firewall abstraction layer that can use either iptables or nftables as the back-end firewall. It's just Ubuntu's handy helper, much like Firewalld + firewall-cmd are for Red Hat variants.

A fresh server installation of Ubuntu 21.10 Server shows exactly what you are seeing - that in fact the back-end is still using iptables on a standard server installation.

The manpage for xtables-nft-multi (or simply xtables-multi) gives an explanation:

> xtables-nft are versions of iptables that use the nftables API. This is a set of tools to help the system administrator migrate the ruleset from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nftables(8).

So far as I can tell, you are correct that while Ubuntu seems to be moving toward nftables as a replacement for iptables, they aren't there yet.

The nice thing, though, is that if you've been using UFW all this time, nothing will change from a management perspective, since iptables and nftables seem to be interchangeable: nft will accept iptables syntax, even if you have funky rules in /etc/ufw/before.rules, for example.
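The practical risk behind the comment on the previous answer is a host that carries rules in both variants at once, which the kernel evaluates independently. This added example (not from the answer or from ufw) checks for that condition by counting `-A` rule lines in `iptables-save`-style output, ignoring table headers, chain policies and `COMMIT`. The sample outputs are constructed; the live check assumes the `iptables-legacy-save` and `iptables-nft-save` tools from the iptables package are present and that the script runs as root, and is skipped otherwise.

```shell
#!/bin/sh
# Count actual rules in iptables-save-style output. Table headers (*filter),
# chain policy lines (:INPUT ACCEPT [0:0]), comments and COMMIT are not rules.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Succeed (exit 0) when both the legacy and the nft variant carry rules.
# Arguments: legacy save output, nft save output.
is_mixed() {
    legacy_n=$(count_rules "$1")
    nft_n=$(count_rules "$2")
    [ "$legacy_n" -gt 0 ] && [ "$nft_n" -gt 0 ]
}

# Constructed sample: an empty legacy ruleset next to a ufw-style nft ruleset.
LEGACY_SAVE='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
NFT_SAVE='# Generated by iptables-nft-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
COMMIT'

report() {
    if is_mixed "$1" "$2"; then
        echo "WARNING: rules loaded in both iptables-legacy and iptables-nft"
    else
        echo "OK: rules present in at most one variant (legacy=$(count_rules "$1"), nft=$(count_rules "$2"))"
    fi
}

report "$LEGACY_SAVE" "$NFT_SAVE"

# Live check (assumption: both save tools installed, running as root).
if [ "$(id -u)" -eq 0 ] && command -v iptables-legacy-save >/dev/null 2>&1 \
   && command -v iptables-nft-save >/dev/null 2>&1; then
    report "$(iptables-legacy-save 2>/dev/null)" "$(iptables-nft-save 2>/dev/null)"
fi
```

On a default Ubuntu install the legacy count should be zero; a non-zero legacy count alongside ufw's nft rules usually means some tool or container runtime pinned to `iptables-legacy` has inserted its own rules.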
