1IPTABLES-TRANSLATE(8) System Manager's Manual IPTABLES-TRANSLATE(8)
2
6 iptables-translate — translation tool to migrate from iptables to nfta‐
7 bles
8 ip6tables-translate — translation tool to migrate from ip6tables to
10 nftables
11 ebtables-translate — translation tool to migrate from ebtables to nfta‐
13 bles
14
16 There is a set of tools to help the system administrator translate a
17 given ruleset from iptables(8), ip6tables(8) and ebtables(8) to nfta‐
18 bles(8).
19 The available commands are:
21 • iptables-translate
24 • iptables-restore-translate
26 • ip6tables-translate
28 • ip6tables-restore-translate
30 • ebtables-translate
32
35 They take as input the original iptables(8)/ip6tables(8)/ebtables(8)
36 syntax and output the native nftables(8) syntax.
37 The iptables-restore-translate tool reads a ruleset in the syntax pro‐
39 duced by iptables-save(8). Likewise, the ip6tables-restore-translate
40 tool reads one produced by ip6tables-save(8). No ruleset modifications
41 occur, these tools are text converters only.
42 The iptables-translate reads a command line as if it was entered to
44 iptables(8), and ip6tables-translate reads a command like as if it was
45 entered to ip6tables(8).
46
49 Basic operation examples.
50 Single command translation:
52 root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
54 nft add rule ip filter INPUT tcp dport 22 ct state new counter accept
55 root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
57 nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept
58 Whole ruleset translation:
60 root@machine:~# iptables-save > save.txt
62 root@machine:~# cat save.txt
63 # Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
64 *filter
65 :INPUT ACCEPT [5166:1752111]
66 :FORWARD ACCEPT [0:0]
67 :OUTPUT ACCEPT [5058:628693]
68 -A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
69 COMMIT
70 # Completed on Sat Dec 24 14:26:40 2016
71 root@machine:~# iptables-restore-translate -f save.txt
73 # Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
74 add table ip filter
75 add chain ip filter INPUT { type filter hook input priority 0; }
76 add chain ip filter FORWARD { type filter hook forward priority 0; }
77 add chain ip filter OUTPUT { type filter hook output priority 0; }
78 add rule ip filter FORWARD tcp dport 22 ct state new counter accept
79 root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
81 root@machine:~# nft -f ruleset.nft
82 root@machine:~# nft list ruleset
83 table ip filter {
84 chain INPUT {
85 type filter hook input priority 0; policy accept;
86 }
87 chain FORWARD {
89 type filter hook forward priority 0; policy accept;
90 tcp dport ssh ct state new counter packets 0 bytes 0 accept
91 }
92 chain OUTPUT {
94 type filter hook output priority 0; policy accept;
95 }
96 }
97
101 Some (few) extensions may be not supported (or fully-supported) for
102 whatever reason (for example, they were considered obsolete, or we
103 didn't have the time to work on them).
104 There is no translation available for arptables(8).
106 To get up-to-date information about this, please head to
108 https://wiki.nftables.org/.
109
112 nft(8), iptables(8)
113
116 The nftables framework is written by the Netfilter project
117 (https://www.netfilter.org).
118 This manual page was written by Arturo Borrero Gonzalez <arturo@netfil‐
120 ter.org>.
121 This documentation is free/libre under the terms of the GPLv2+.
123 May 14, 2019 IPTABLES-TRANSLATE(8)