![Understand Linux Firewalls: iptables to nftables](https://cdn.slatesource.com/d/2/7/d27c7274-d9e7-4e7d-9dd8-79b72eb1e403.jpg)

# Understand Linux Firewalls: iptables to nftables

- [Made in Slatesource](https://slatesource.com/u/kairenner/understand-linux-firewalls-iptables-to-nftables-1019)
- By [KaiRenner](https://slatesource.com/u/KaiRenner)
- Science & Technology
- Created on Mar 23, 2026

## A Mental Model, Not a Recipe

Most firewall guides give you commands to copy and paste. This one explains the model those commands operate on, so you can read any rule — from fail2ban, from Docker's automatic rules, from a forum post — and understand what it does before applying it. The Linux firewall is not a program running in userspace; it is a set of hooks built into the kernel's network stack, and rules are attached to those hooks to decide the fate of every packet.

## The Netfilter Framework and Its Five Hooks

Netfilter is the kernel subsystem that provides packet filtering. It defines five hook points in the packet processing path: PREROUTING (hit by all incoming packets before routing decisions), INPUT (hit by packets destined for the local machine), FORWARD

## How iptables Tables Map to Hooks

iptables organizes rules into tables by purpose. The filter table handles accepting and dropping packets and attaches to INPUT, FORWARD, and OUTPUT. The nat table handles address translation and attaches to PREROUTING and POSTROUTING. The mangle table han

## The iptables to nftables Migration

iptables is still widely used but has been superseded by nftables, which is available in all modern Linux distributions. nftables has a cleaner syntax, better performance, and a unified framework — there are no separate iptables, ip6tables, arptables comm

## Reading `nft list ruleset` Output

The output of nft list ruleset shows each table, its chains, and each chain's rules in order. A chain declaration shows the hook it is attached to, the packet type it handles, and its priority. Rules inside chains read left to right: they match a set of c

## Connection Tracking and the Stateful Rule

Most firewalls are stateful: they track active connections so that reply packets belonging to an established connection are allowed automatically, without an explicit rule for every possible source. The kernel's connection tracking module (conntrack) records that state, and nftables rules query it through the `ct` expression.
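To make the two previous sections concrete, here is an added example (not code from the article or from the nftables project) that parses a constructed sample of `nft list ruleset` output into its tables, base chains (hook, type, priority, policy) and ordered rules, then audits every chain on the `input` hook for the two properties discussed above: a default-drop policy and a stateful `ct state established,related accept` rule. The sample ruleset, the function names and the audit criteria are this example's own assumptions.

```python
import re

# Constructed sample of `nft list ruleset` output (invented for this example,
# not captured from a real host). Real output indents with tabs; the parser
# below does not care about indentation.
SAMPLE = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
}
"""

TABLE_RE = re.compile(r"^\s*table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
BASE_RE = re.compile(r"^\s*type (\S+) hook (\S+) priority (-?\d+); policy (\S+);")

def parse_ruleset(text):
    """Map (family, table, chain) -> hook/type/priority/policy plus the ordered rule list."""
    chains, table, chain = {}, None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            table = (m.group(1), m.group(2))          # e.g. ("inet", "filter")
        elif m := CHAIN_RE.match(line):
            chain = table + (m.group(1),)
            # hook stays None for a regular chain, which is only reached via jump/goto
            chains[chain] = {"type": None, "hook": None, "priority": None, "policy": None, "rules": []}
        elif line.strip() == "}":
            chain = None                               # closes a chain or a table
        elif chain and (m := BASE_RE.match(line)):     # base-chain declaration line
            chains[chain].update(type=m.group(1), hook=m.group(2), priority=int(m.group(3)), policy=m.group(4))
        elif chain:
            chains[chain]["rules"].append(line.strip())  # rules keep their on-wire order
    return chains

def audit_input_chains(chains):
    """Flag input-hook base chains lacking a drop policy or a stateful accept rule."""
    findings = []
    for (family, table, name), c in chains.items():
        if c["hook"] != "input":
            continue
        if c["policy"] != "drop":
            findings.append(f"{family} {table} {name}: policy is {c['policy']}, not drop")
        if not any(r.startswith("ct state") and "established" in r and r.endswith("accept") for r in c["rules"]):
            findings.append(f"{family} {table} {name}: no 'ct state established,related accept' rule")
    return findings
```

Feed it the real output of `nft list ruleset` on a host and an empty findings list means every input-hook chain defaults to drop and carries the stateful accept rule; anything else is printed per chain.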


A single misconfigured firewall rule can lock you out of your server entirely. Before making changes to a remote machine, always have a fallback plan: a scheduled `at` job that resets your firewall rules in five minutes (which you cancel if the new rules work), a cloud provider console with emergency access, or physical access to the machine. The second most common self-inflicted server outage, after losing the SSH private key, is a bad firewall rule.

## What Comes Next

Firewall rules control whether packets reach your services, but they cannot see inside encrypted traffic: they operate on IP addresses and ports, not on content. Understanding what TLS actually hides, what certificates prove, and what the padlock in your browser is really telling you requires a different kind of analysis, at the protocol level.

[The encryption those firewall rules protect — and what it actually can't hide.](https://slatesource.com/s/1035)

[nftables wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page)