← Back to Blog
server

nftables vs iptables: Which Firewall Should You Use in 2026?

Technical comparison of nftables and iptables for Linux server firewalls. Performance, syntax, IPv6, and why modern servers should use nftables.

The Linux kernel's packet filtering framework is undergoing its most significant transition in two decades. iptables, the tool that has managed Linux firewalls since 2001, is being replaced by nftables — a modern framework that offers better performance, cleaner syntax, and unified IPv4/IPv6 handling. For server administrators, the question is no longer whether to switch, but how. Understanding the technical differences between nftables and iptables is essential for making informed security decisions in 2026.

This article provides a detailed technical comparison of both frameworks, covers the migration path, and explains how VistoShield Server Edition handles the transition seamlessly by supporting both backends.

Historical Context

The iptables Era (2001-2021)

iptables was introduced in Linux kernel 2.4 as the successor to ipchains. It provided a userspace tool to configure the Netfilter framework in the kernel, organizing packet filtering rules into tables (filter, nat, mangle, raw) and chains (INPUT, OUTPUT, FORWARD, and custom chains). For over two decades, iptables was the universal Linux firewall interface.

The iptables ecosystem includes several related tools: iptables for IPv4, ip6tables for IPv6, arptables for ARP, and ebtables for Ethernet bridging. Each tool uses a different syntax and configuration, creating unnecessary complexity for administrators managing modern dual-stack networks.

The nftables Era (2014-present)

nftables was introduced in Linux kernel 3.13 (January 2014) as the successor to iptables. It replaces the four separate iptables tools with a single nft command that handles IPv4, IPv6, ARP, and bridging through a unified syntax. After years of maturation, nftables became the default firewall framework in major distributions starting around 2019-2021.

Distribution Default Status

Distribution Default Framework iptables Status
Debian 10 (Buster) nftables Available via iptables-nft
Debian 11+ (Bullseye+) nftables Compatibility layer only
Ubuntu 22.04+ nftables (via iptables-nft) iptables-nft translates to nftables
RHEL/CentOS 8+ nftables iptables-nft compatibility
AlmaLinux 9 nftables iptables-nft compatibility
Rocky Linux 9 nftables iptables-nft compatibility
Fedora 32+ nftables Deprecated
openSUSE Leap 15.4+ nftables iptables-nft compatibility

Every major server distribution now defaults to nftables. The iptables-nft compatibility layer translates iptables commands to nftables kernel structures, but this translation has limitations and adds overhead. Running native nftables is always preferable on these systems.

Syntax Comparison

iptables Syntax

iptables uses a command-line-centric approach where each rule is added individually through a separate command invocation:

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Block a specific IP
iptables -A INPUT -s 192.0.2.100 -j DROP

# Rate limit connections to port 80
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# Same rules for IPv6 require separate ip6tables commands
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

nftables Syntax

nftables uses a structured, declarative syntax that can be written as a complete ruleset file:

#!/usr/sbin/nft -f

table inet filter {
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.100, 198.51.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Drop blocked IPs (O(1) lookup regardless of set size)
        ip saddr @blocklist drop

        # Allow SSH
        tcp dport 22 accept

        # Rate limit HTTP
        tcp dport 80 limit rate 25/minute burst 100 packets accept
    }
}

Key syntax differences are immediately apparent. nftables uses the inet family to handle both IPv4 and IPv6 in a single ruleset. Rules are structured within named tables and chains rather than issued as sequential commands. The syntax is more readable and self-documenting.

Technical Differences

1. Unified IPv4/IPv6 Handling

With iptables, managing a dual-stack server requires maintaining two parallel rulesets with two separate tools. Discrepancies between IPv4 and IPv6 rules are common and create security gaps — a service blocked on IPv4 but accidentally left open on IPv6, or vice versa.

nftables solves this with the inet address family. A single ruleset applies to both IPv4 and IPv6 traffic. When you need protocol-specific rules, you can still distinguish with ip saddr for IPv4 or ip6 saddr for IPv6, but the majority of rules (port access, connection tracking, rate limiting) apply uniformly to both protocols.

2. Sets and Maps

This is arguably the most impactful technical improvement. iptables evaluates rules sequentially — a chain of 10,000 rules means up to 10,000 comparisons per packet. nftables introduces sets, which are hash-based or interval-tree data structures evaluated in O(1) or O(log n) time regardless of the number of entries.

# nftables set with 100,000 blocked IPs — O(1) lookup
set blocklist {
    type ipv4_addr
    flags interval
    # ... 100,000 entries
}

# Single rule references the set
ip saddr @blocklist drop

Compare this to iptables, where blocking 100,000 IPs requires either 100,000 individual rules (evaluated sequentially) or using ipset as an external add-on. nftables sets are a native, first-class feature requiring no external tools.

Maps extend sets by associating a key with an action or value:

# Map ports to rate limits
map port_limits {
    type inet_service : limit
    elements = {
        22 : "rate 5/minute",
        80 : "rate 100/second",
        443 : "rate 100/second"
    }
}

3. Atomic Rule Replacement

iptables applies rules one at a time. When reloading a firewall configuration (flushing all rules and re-adding them), there is a brief window where no rules are active. During this window, all traffic is processed according to the default chain policy. If the default policy is ACCEPT (which it is by default), all traffic is allowed during the reload.

nftables supports atomic rule replacement. The entire ruleset is loaded into the kernel as a single transaction. There is no window of vulnerability during reload — the old ruleset is replaced by the new one instantaneously from the perspective of packet processing.

# Atomic reload — no vulnerability window
nft -f /etc/nftables.conf

4. Performance

nftables provides measurable performance improvements over iptables, particularly in these scenarios:

Scenario iptables nftables
Large blocklist (50K IPs) 50,000 rule comparisons per packet Single set lookup (O(1))
Rule reload Sequential add/delete, vulnerability window Atomic transaction, no window
Dual-stack (IPv4+IPv6) Two separate rule evaluations Single unified evaluation
Complex matching Multiple match modules loaded per rule Single expression evaluation engine
Connection tracking conntrack module Native ct expression, same performance

On a busy server processing thousands of packets per second with a large blocklist, the performance difference is substantial. The nftables set-based approach maintains consistent performance regardless of blocklist size, while iptables degrades linearly.

5. Concatenated Matches

nftables supports matching on multiple fields simultaneously with a single lookup:

# Match on source IP AND destination port in one operation
set restricted_access {
    type ipv4_addr . inet_service
    elements = {
        10.0.0.1 . 22,
        10.0.0.2 . 3306,
        10.0.0.3 . 5432
    }
}

ip saddr . tcp dport @restricted_access accept

In iptables, this would require either multiple rules or complex mark-based workarounds. nftables concatenated matches are evaluated as a single set lookup, maintaining O(1) performance.

6. Verdict Maps

nftables verdict maps allow different actions for different matches in a single rule, replacing multiple iptables rules with a single lookup:

# Different actions per source network
map network_policy {
    type ipv4_addr : verdict
    flags interval
    elements = {
        10.0.1.0/24 : accept,    # Office network
        10.0.2.0/24 : accept,    # VPN clients
        192.168.0.0/16 : drop,   # Private ranges (should not appear)
    }
}

The iptables-nft Compatibility Layer

Most modern distributions include iptables-nft, which provides the familiar iptables command but translates rules to nftables kernel structures internally. This allows legacy tools (like CSF) to function on nftables-based systems.

However, the compatibility layer has significant limitations:

  • Cannot use nftables-specific features (sets, maps, concatenated matches)
  • Translation overhead for every rule operation
  • Potential conflicts if nftables rules are also managed directly
  • Some complex iptables constructs do not translate cleanly
  • Debugging becomes harder — you must understand both syntaxes to troubleshoot

The compatibility layer is a migration convenience, not a long-term solution. Tools should be updated to use native nftables.

Migration Considerations

When to Stay with iptables

There are limited scenarios where iptables remains appropriate:

  • Legacy systems running kernels older than 3.13 (extremely rare in 2026)
  • Docker environments where Docker manages iptables rules directly (Docker's nftables support is still maturing)
  • Specialized appliances with vendor-mandated iptables configurations

When to Use nftables

For virtually all server deployments in 2026, nftables is the correct choice:

  • New server installations should use native nftables from day one
  • Servers with large blocklists benefit immediately from set-based O(1) lookups
  • Dual-stack IPv4/IPv6 environments gain unified rule management
  • High-traffic servers see measurable performance improvements
  • Environments requiring atomic rule updates for zero-downtime changes

How VistoShield Handles the Transition

VistoShield Server Edition was designed to support both firewall backends transparently. During installation, it detects the available backend and configures itself accordingly:

Backend Detection

# VistoShield detects the backend automatically
vistoshield config --show backend
# Output: "nftables" or "iptables"

On systems with nftables available, VistoShield uses it natively. On older systems with only iptables, it uses iptables directly. The security policy you configure is identical regardless of the backend — the same rules, the same blocklists, the same behavior.

Leveraging nftables Features

When running on nftables, VistoShield takes full advantage of the framework's capabilities:

  • IP blocklists as nftables sets: Thousands of blocked IPs are stored in a set for O(1) lookups, keeping firewall performance constant regardless of blocklist size.
  • Atomic updates: When rules change (new block, updated policy), the ruleset is applied atomically with no vulnerability window.
  • Unified IPv4/IPv6: All rules apply to both protocols through the inet family, eliminating the risk of IPv6 configuration gaps.
  • Concatenated matches: Complex policies (e.g., allow specific IPs to specific ports) use concatenated set matches for efficient evaluation.

Why This Matters for CSF Users

Administrators migrating from CSF should understand that CSF will never support native nftables. CSF generates raw iptables commands and has no nftables code path. On modern distributions, CSF forces the use of the compatibility layer, sacrificing the performance and feature benefits that nftables provides. Our detailed CSF comparison covers the full scope of differences.

Practical nftables Examples

Basic Server Ruleset

#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Connection tracking
        ct state established,related accept
        ct state invalid drop

        # Loopback
        iif lo accept

        # ICMP/ICMPv6 (essential for IPv6 operation)
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SSH
        tcp dport 22 accept

        # HTTP/HTTPS
        tcp dport { 80, 443 } accept

        # DirectAdmin
        tcp dport 2222 accept

        # Mail services
        tcp dport { 25, 465, 587, 110, 995, 143, 993 } accept

        # DNS
        tcp dport 53 accept
        udp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Blocklist with Automatic Expiration

set temp_blocklist {
    type ipv4_addr
    flags timeout
    timeout 24h
}

# Add IP with automatic expiration
# nft add element inet filter temp_blocklist { 192.0.2.100 timeout 1h }

nftables sets with the timeout flag automatically remove entries after their specified duration, eliminating the need for external cleanup scripts that iptables-based solutions require.

Rate Limiting per Service

chain input {
    # SSH: max 5 new connections per minute per IP
    tcp dport 22 ct state new limit rate over 5/minute drop

    # HTTP: max 100 new connections per second per IP
    tcp dport 80 ct state new limit rate over 100/second drop
}

Key Takeaways

nftables is the present and future of Linux packet filtering. Every major distribution defaults to it, it outperforms iptables in every measurable dimension, and it provides features (sets, maps, atomic updates) that have no iptables equivalent. The question is not whether to migrate, but when.

  • nftables is the default on all major Linux distributions in 2026. The iptables compatibility layer is a convenience, not a strategy.
  • Performance: nftables sets provide O(1) blocklist lookups versus O(n) chain traversal in iptables.
  • Unified IPv4/IPv6: A single ruleset handles both protocols, eliminating configuration gaps.
  • Atomic updates: No vulnerability window during rule changes.
  • Modern syntax: Structured, declarative rulesets that are easier to read, write, and audit.
  • VistoShield supports both: VistoShield Server Edition detects and uses the best available backend, leveraging nftables features when available while supporting iptables on legacy systems.
  • CSF cannot use nftables: If you are running CSF on a modern distribution, you are using the compatibility layer and missing nftables benefits. Consider migrating to VistoShield — see our DirectAdmin migration guide.

For more on choosing the right firewall solution for your server, read our comparison of Linux server firewall alternatives or visit the VistoShield documentation for installation and configuration details.

Ready to try VistoShield?

Free and open source. Get started in 60 seconds.

Get Started Free

Related Articles

comparison

VistoShield vs iThemes Security: Detailed Comparison (2026)

 comparison

VistoShield vs CSF: Complete Comparison Guide (2026)

 guide

Webmin Server Security: Complete Module Setup Guide