nftables vs iptables vs ufw review

Last Update: 9-23-23 by Wayne Smith

Both UFW, iptables, and nftables are command-line, (or APIs), to the same netfilter services.

Netfilter, the part of the Kernal that handles network

Netfilter, which is part of the kernel, can be accessed via hooks which point to new binaries that can inspect the packet. An explaination is available on infosecwriteups. It is beyond the scope of this article to go into precedence and compatiblity of "YourTables" application.

Since it can not be accessed from bash or the terminal UFW, iptables, and nftables exist.

UFW and iptables, or UFW and nftables

There is no performance hit for using both of them; Most Linux distributions already have iptables installed as part of the distribution. And advise that UFW can be installed alongside iptables. Ubuntu Forums UFW talks to iptables or nftables.

nftables vs iptables or nftables and iptables

Fedora and others ship with nftables which has more options. RHEL has two varients for both iptables and/or nftables. The precedence when using both iptables and nftables is if iptables has a rule that matches the request its rule will be implemented first. The precedence when two rules match in iptables the first rule will be implemented.

ufw, Uncomplicated-Firewall

For ufw there isn't a situation where rules may disagree -- as ufw stands for uncomplicated firewall, and a new ufw command replaces the old one. As ufw is uncomplicate it begs the question of how complicated is iptables or how complicated can it get.

Example usage

To block the IP address of 10.10.10.10 the commands can be used.

iptables -A INPUT -j DROP -s 10.10.10.10

ufw deny from 10.10.10.10 to any

How advanced is iptables?

A NAT would be something fairly complicated. The system would need to receive a network packet, add to that packet and send it out to the internet then when a packet is received for that connection forward it to the system behind the NAT firewall, which requested it. Yes, iptable can operate as a NAT router.

Hat tip here: https://fishilico.github.io/generic-config/sysadmin/nat.html

1> Configure the firewall to do NAT:

# If the public address (192.0.2.42) is static, use this command

iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42

Or> if the (WAN) internet IP is not a fixed IP address for the local (LAN)

# Otherwise if the public address is dynamic, use this command

iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE

2> Configure the firewall to allow packet forwarding:

iptables -A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT

iptables -A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT

3> Enable packet forwarding via sysctl (sysctl -w writes to /proc/sys/...):

sysctl -w net.ipv4.conf.eth0.forwarding=1

sysctl -w net.ipv4.conf.eth1.forwarding=1

# Previous entries may not exists in old kernels. In such case, use:

# sysctl -w net.ipv4.ip_forward=1

# ... which acts like: sysctl -w net.ipv4.conf.all.forwarding=1

See the article for a Persistent configuration using iptables.rules

The Uncomplicated Firewall, ufw, can not do this from the command line. Both can effectively block unwanted traffic at the network interface, with iptables being able to maintain logs of attempts, IE the difference between blocking incoming traffic vs outgoing traffic (-A INPUT vs -A OUTPUT)

Programs can use iptables or ufw as an API

fail2ban use iptables as the default firewall to block potentially harmful requests, and extends the functionality by providing a cool-down or a time period for how long an IP is going to be blocked.

For programs that need to set the firewall rules, IE fail2ban, using iptables, its default setting, is likely the best choice in these cases.