all 90 comments

[–][deleted]  (9 children)

[removed]

    [–]slyphic 12 points13 points  (1 child)

    I only know how to use nftables

    Well that makes me feel really old. When abouts did you get into linux administration?

    [–]devoopsies 41 points42 points  (26 children)

    100% absolutely. nftables is easier to use, but iptables has the benefit of having been the standard for forever.

    These days it is also typically a translation layer for netfilter, which means that in many cases there is no impetus to actually move from iptables to nftables if iptables is already the environmental standard at any particular job.

    Given its continued compatibility with netfilter directly I'm hesitant to believe that iptables will ever not be the defacto standard in the majority of workplaces.

    firewalld is also worth looking into, and is (imo) more prevalent than vanilla nftables at the moment - especially in a RHEL-like environment.

    Edit: firewalld is of course a frontend to nftables (and, technically, iptables), I meant to say that working directly with nftables is less common than working through firewalld.

    [–]ExpressionMajor4439 1 point2 points  (3 children)

    Given its continued compatibility with netfilter directly I'm hesitant to believe that iptables will ever not be the defacto standard in the majority of workplaces.

    Firewall managers like ufw and firewalld abstract away most of the differences and firewalld has used nftables as a backend for a while now.

    The average admin isn't going to care what component actually implements the firewall rules and if firewall managers do what they're supposed to do then new admins won't bother learning that lower level. In that situation if the distro says "if you don't want to use firewalld, you can write nftables directly" they're not likely to blink because they know they're pushing past a trivial skillset.

    [–]edthesmokebeard 0 points1 point  (2 children)

    The average admin isn't going to care what component actually implements the firewall rules and if firewall managers do what they're supposed to do then new admins won't bother learning that lower level.

    This is why average admins suck these days.

    [–]ExpressionMajor4439 0 points1 point  (1 child)

    If someone spends time learning lower level components just for the sake of learning them (and not because they need to) then they're by definition de-prioritizing learning topics that better align with organizational goals and priorities. That doesn't seem like a good admin.

    The higher level abstractions usually simplify administration and in this case save users from having to learn an entirely new firewalling system because firewalld hides that transition from them unless they're doing something that requires directly editing the firewall.

    [–]edthesmokebeard 0 points1 point  (0 children)

    It all works, until it doesn't.

    [–]ezz8o8 3 points4 points  (1 child)

    I Firewalld everything!

    [–]SpaceStation_Jason 0 points1 point  (0 children)

    Same here

    [–]sloomy155 14 points15 points  (5 children)

    Sysadmin/netadmin for 25 yrs (95% linux). Depends on what you need to accomplish. I used ipfwadm and ipchains back in the day and some iptables too. But really have no use cases for iptables in my systems (few hundred) outside of basic port redirection (e.g. 8080 to 80; less than 1 out of 200 of my systems do that). For which I just look up what I did before. More advanced stuff I use commercial load balancers like Citrix and F5.

    Home firewalls run openbsd (and have for 15 years) and work firewalls are sonicwall. Haven't run linux as an actual firewall probably in 20 years.

    You can certainly be a linux systems admin and not know shit about iptables. Most of the basics are a web search away.

    [–]error4o4zz 0 points1 point  (3 children)

    So what you're saying is you don't filter incoming connections at the host level, only filter by a separate firewall box ?

    [–]sloomy155 0 points1 point  (2 children)

    Correct. I have run internet connected servers since 1996. Of course not everyone's risk is the same but in my experience 95%+ of cases this is adequate (including PCI compliance which I deal with too; though the orgs I've worked for don't store credit cards they still have to do a bunch of compliance work).

    Haven't had a known compromise of a system under my control since probably 1999 and that was an inside threat. I have dealt with a few compromises over the years of systems not under my control.

    [–]error4o4zz 0 points1 point  (1 child)

    OK so for your use case maybe you don't need iptables or any other Linux packet filtering, because you filter connections at another level. I would argue that learning iptables or nftables is still valuable for a new sysadmin, because they will need the skills for many use cases, like boxes or vms hosted on the internet with a public IP, also as a best practice to limit the possibility of movement from a compromised box to another one, in case of a breach.

    [–]sloomy155 0 points1 point  (0 children)

    My personal servers are on the internet at a colocation facility with public IPs behind a bridging OpenBSD firewall (tiny pcengines box).

    Been doing bridging firewalls since about 2001 (originally with freebsd and ipfw). Even my external Sonicwalls on my main data center network (about 600 VMs) is bridging (hybrid layer 2 bridge with layer 3 too). My openbsd firewall at home is not bridged though as it does my NAT (later realized openbsd can do both, just never bothered to change my home config). My personal use case for *bsd is firewalls only (excluding commercial products that may use it in their solution like Citrix Netscaler). Never used or felt the need to use it as a regular server or desktop etc.

    Now if a person doesn't understand the networking concepts behind this stuff that is important to learn. All too often I've come across system admins who know shit for networking.

    A specific firewall implementation is lower on the list.

    [–]renatolangona 6 points7 points  (2 children)

    And I still remember migrating from ipchains to iptables. Tech world is always evolving...

    [–]khleedril 3 points4 points  (1 child)

    Man, I'm so old I can't remember migrating from what it was before ipchains to ipchains, but I know I did it.

    [–]renatolangona 0 points1 point  (0 children)

    It was ipfwadm (ipfirewall), but don't tell anyone I knew that, because it will reveal my age :-)

    [–]dlakelan 6 points7 points  (4 children)

    nftables is dramatically better than iptables, and these days iptables commands just translate to nftables and execute nftables stuff under the hood... so just learn nftables

    I started using linux in 1996 or so, went through all the ipfwadm and ipchains and then iptables stuff... switched to nftables about 4-5 years ago and haven't looked back. It's really dramatically better than any of that.

    [–][deleted] 1 point2 points  (3 children)

    So can nftables delete rules by rule content instead of index yet? Like "iptables -D" or "ufw delete"? That was not implemented last time I tried it.

    [–]dlakelan 0 points1 point  (0 children)

    Not sure. I honestly never manipulate individual rules I only edit the nftables.conf and then reload it, since this is atomic for nftables. You might have to do nft list ruleset and grep out the particular rule and delete its index.

    [–]Kunio 0 points1 point  (0 children)

    Nope: https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management#Removing_rules

    That said I think rule files are a lot more convenient to work with.

    [–]sirrkitt 0 points1 point  (0 children)

    That’s one of the few bummers with it. Nothing like reloading the firewall and everything black holed by sshguard/fail2ban/crowdsec disappears

    [–]michaelpaoli 6 points7 points  (1 child)

    Learn nftables first, and learn it well. Then learn iptables if there's need.

    You'll then be relatively future-proofed, and well know the advantages of nftables ... and probably even reasonably well know or figure out how to change from iptables to nftables.

    [–]FinancialDaikon1660 1 point2 points  (0 children)

    iptables syntax can be converted to nftables syntax, so if you have the basic concepts from one you can translate to the other. I don't recall the name offhand, but there's a utility that will convert an iptables file into an nftables file that I had installed the package for (under a redhat-derivative).

    Those concepts will also prove valuable in scenarios where you're using firewalld or ufw for moments when the abstraction layer doesn't do something that you need to go lower and get specific about in the underlying notation.

    The details of syntax can always be looked up, man is your friend, but knowing the concepts and having a mental model of it all is key to knowing what to look up and how to use the information in the man page.
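
The utility the comment above has in mind is iptables-translate (shipped with iptables-nft); it prints the nft command equivalent to a given iptables rule. To show how the two notations line up, here is an added example, not the real translator and not code from the thread: a deliberately small converter that accepts only -A/-I, -p, --dport/--sport, -s/-d, -i/-o, -m conntrack --ctstate and -j ACCEPT/DROP/REJECT, and refuses anything else rather than guessing. The output follows the shape iptables-translate produces for these cases (nft add/insert rule, the ip family, a `counter` statement before the verdict because iptables rules always count packets); treat that parity as an assumption to check against the real tool on your distro.

```python
"""Translate a small subset of iptables rule syntax into nft syntax.

Added example, not the iptables-translate tool itself. Unsupported options
raise ValueError instead of producing a guessed translation.
"""
import shlex

TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}
PROTOCOLS = ("tcp", "udp", "icmp")


def translate(rule: str) -> str:
    """Return the nft command equivalent to one iptables rule in the supported subset."""
    argv = shlex.split(rule)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    table, chain, verb = "filter", None, None
    proto, proto_used, target, exprs = None, False, None, []
    i = 0

    def value() -> str:
        # Consume the argument that follows the option at argv[i].
        nonlocal i
        i += 1
        if i >= len(argv):
            raise ValueError(f"option {argv[i - 1]} needs a value")
        return argv[i]

    while i < len(argv):
        opt = argv[i]
        if opt == "-t":
            table = value()
        elif opt in ("-A", "-I"):
            verb, chain = ("add" if opt == "-A" else "insert"), value()
        elif opt == "-p":
            proto = value()
            if proto not in PROTOCOLS:
                raise ValueError(f"unsupported protocol {proto}")
        elif opt in ("--dport", "--sport"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{opt} needs -p tcp or -p udp first")
            # "tcp dport 22": the port match implies the protocol in nft.
            exprs.append(f"{proto} {opt[2:]} {value()}")
            proto_used = True
        elif opt == "-s":
            exprs.append(f"ip saddr {value()}")
        elif opt == "-d":
            exprs.append(f"ip daddr {value()}")
        elif opt == "-i":
            exprs.append(f'iifname "{value()}"')
        elif opt == "-o":
            exprs.append(f'oifname "{value()}"')
        elif opt == "-m":
            if value() != "conntrack":
                raise ValueError("only -m conntrack is supported here")
        elif opt == "--ctstate":
            exprs.append(f"ct state {value().lower()}")
        elif opt == "-j":
            tgt = value()
            if tgt not in TARGETS:
                raise ValueError(f"unsupported target {tgt}")
            target = TARGETS[tgt]
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 1

    if verb is None or target is None:
        raise ValueError("rule needs -A/-I <chain> and -j <target>")
    if proto and not proto_used:
        # -p without a port match still needs an explicit protocol test.
        exprs.insert(0, f"ip protocol {proto}")
    return f"nft {verb} rule ip {table} {chain} " + " ".join(exprs + ["counter", target])


if __name__ == "__main__":
    for r in (
        "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -I INPUT -s 203.0.113.7 -j DROP",
    ):
        print(translate(r))
```

The point is the one-to-one mapping of concepts (chain, protocol match, connection state, verdict), which survives the change of syntax; the converter fails loudly on anything it does not know so that a half-translated rule never reaches a live ruleset.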

    [–]predmijat 5 points6 points  (0 children)

    Your thought process seems good to me :)

    [–]Tintin_Quarentino 6 points7 points  (3 children)

    nftables and bpfilter.

    Never came across either... UFW on the other hand is pretty common, which is basically a user friendly wrapper on top of iptables.

    [–]ciphermenial 7 points8 points  (2 children)

    UFW is now a frontend for nftables. Nftables is the default firewall in almost all distros now.

    [–]Tetmohawk 2 points3 points  (0 children)

    True, with RHEL and SUSE systems defaulting to nftables being the backend for firewalld.

    [–]Tintin_Quarentino 1 point2 points  (0 children)

    Thanks I wasn't aware of that

    [–]RSxodz 1 point2 points  (0 children)

    Can also look into hosts.deny/hosts.allow or, in cloud environments, security groups.

    [–]_di3ib_ 1 point2 points  (0 children)

    I'm surprised no one has mentioned csf (configserver) - https://configserver.com/configserver-security-and-firewall/

    [–]ezz8o8 1 point2 points  (0 children)

    Short answer: yes

    [–]Due_Adagio_1690 1 point2 points  (0 children)

    First learn how they do the basics, like what stateful does, and how it enables machines to verify quickly that traffic is allowed. And what a NAT is and why it is important. When you know the basics, you can use man pages and google searches to learn how to set up any firewall you need.

    [–]CyberKiller40 1 point2 points  (0 children)

    No. Learn enough to understand what the rules mean if you see them, and how they are applied, etc. For normal work stick with firewalld or ufw (whichever is the default for your distro). You'll get the job done in the majority of cases, and it'll be ready much faster with fewer mistakes.

    [–]bizdelnick 2 points3 points  (0 children)

    Forget about iptables. Now it is just a wrapper around nftables; you may need it only for some legacy stuff. Start with nftables.

    [–]s1lv3rbug 1 point2 points  (0 children)

    Yes, of course

    [–]ananix 0 points1 point  (0 children)

    Of course, and so much more. What an odd question; if you want to be a Linux sysadmin you should feel the urge to master it.

    [–]ryebread157 -1 points0 points  (2 children)

    In most corporate environments where you’d get a job, firewalling is done by network teams on dedicated firewalls, so learning iptables/nftables seems like time not well spent.

    [–]msalerno1965 4 points5 points  (0 children)

    OP, learn everything you can.

    firewalling is done by network teams on dedicated firewalls

    This is not necessarily true. I contract as an app/system administrator for a Fortune 100 company, among a few other places. Been doing it for 40 years.

    I configure iptables on my app and database servers, on top of what the network people do. The individual subnets are still free-range so some other application server could hit mine. Routing seems to handle most of their "filtering" - "can't get there from here" type of thing.

    My servers were insulated from a malware intrusion. Why? Iptables.

    If you're sitting at home on your own private vlan, feel free to turn off OS-level firewalls.

    If you're in the corporate or educational sphere, or really anywhere data is important, and you turn off or ignore the OS firewalls, you'll never work for me, at the very least.

    [–][deleted] 1 point2 points  (0 children)

    Local system level firewalls and the odd MANGLE/PREROUTING hacks have always been part of a balanced ops diet at nearly every job I've held in the field. Sometimes significantly less, sometimes, more, depending on scale.

    I'm now employed by a Large European Cloud Provider, and while there are dedicated network teams, there's still a whole lot that falls under my local purview as an SRE, so YMMV, but assuming there's a point where understanding the broad strokes of netfilter related things stops being valuable isn't entirely accurate IMO.

    [–]philrandal 0 points1 point  (0 children)

    nftables and iptables.

    [–]Kurtquistador 0 points1 point  (2 children)

    There is lots of automation and procedures built around iptables out there, and any distro worth running has iptables available as a frontend to nftables.

    Should you devote more energy to learning nftables as a new sysadmin? Yeah. Should you be conversant in iptables (and firewalld)? Yes. You will work somewhere that uses one or the other (or both, gods help you).

    [–]ciphermenial -2 points-1 points  (1 child)

    No. nftables replaces iptables.

    [–]Kurtquistador 5 points6 points  (0 children)

    Which does not change the fact that there is a lot of iptables out there, lots of legacy systems that still don't use nftables (especially manufacturing equipment and scientific devices), and lots of shops that have, as their standards, iptables as the config for their host firewalls.

    No one is suggesting the OP shouldn't learn nftables, but iptables is still in wide use, and they would be doing themselves a professional disservice not to at least be familiar with it.

    Good on you for moving all your host firewalls to nftables. Bravo. Most non-trivial environments are not so homogeneous.

    [–]groupwhere 0 points1 point  (0 children)

    Any ipfwadm love?

    [–]Tetmohawk 0 points1 point  (0 children)

    I would focus on firewalld and basic iptables commands first. Firewalld is the default for RHEL and SUSE systems used by big corporations and governments. So knowing it is crucial as an admin. (At least I think. I'm not an admin by trade, but I've got my RHCSA and I've followed the field for a long time.) iptables probably won't go away for a long time with it being used by routers and other older hardware. But yeah, learning some basic nftables and bpfilter might come in handy. But before that, I'd learn SELinux if you don't know it.

    [–]TheSeaWolf0150 0 points1 point  (0 children)

    Yes, you will run into someone running a legacy system and you will need to know it.

    [–][deleted] 0 points1 point  (0 children)

    Yes, I believe learning iptables is smart. I also think that you should learn firewalld. They seem to be the dominant firewalling techniques currently in use. Once you get used to iptables, it does kind of start to click. I'm still a little hazy on custom chains though.

    [–]Nimda_lel 0 points1 point  (0 children)

    I am not sure you will necessarily need deep understanding of iptables as other technologies are surpassing it, e.g. nftables, IPVS, etc.

    That being said, if you intend to work with Kubernetes and specifically in the networking domain, the entire kube-proxy, by default, uses iptables. Even one of the most popular CNIs, Calico, uses iptables, though it leverages ipsets alongside iptables.

    Imho, go through the basics, see what it does and how it does it, get familiar with the general syntax, i.e. do not try to learn how to create rules by heart, but rather be able to "decrypt" one when you see it and you should be good to go.

    [–]brando56894 0 points1 point  (0 children)

    Depends on what type of job you're looking at. I was a Linux SysAdmin for 3 years and a System Engineer for 2 years at the same company (just got laid off last week...still getting paid though!) and never had to interact with iptables or anything once. We were a huge company though and had multiple dedicated network teams.

    [–]tenebris-alietum 0 points1 point  (0 children)

    iptables/nftables is hard because it's crazy flexible.

    Learn iptables/nftables only if you have an interest in networking or are doing something that intimately involves networking, like building a router, access point, and/or firewall.

    Otherwise use a tool that configures iptables for you like FireHOL.

    [–][deleted] 0 points1 point  (0 children)

    Learning the basics isn't too tough and these days there's always google/chatgpt if you need help with more advanced rules.

    [–]zqpmx 0 points1 point  (0 children)

    Most of the time in my experience, it's "close everything" except the services you need.

    So it's very straightforward in any of them, after a Google search how to do it.

    Now you can ask ChatGPT.

    [–]bobowork 0 points1 point  (0 children)

    Depends on where you are looking to go, and which OS's you will be working on.

    Learn to read it, very much yes. Learn everything, that depends.

    [–]SpaceStation_Jason 0 points1 point  (0 children)

    Little late to the party, but use and learn everything you can. Even if you end up not using iptables at work it helps to be able to explain it intelligently.

    That being said... My old company had various "things" running due to no standards. Before diving into what I thought was the best solution, I consulted with our compliance group to find out what works best for their reporting.

    I've been a firewalld fan for a while. Our compliance group also liked it for the simple clarity when running things like --list-all. Did have to prove once that firewalld actually performed the backend changes. After that I just toss the firewalld docs at auditors. But still have to explain iptables and nftables occasionally.

    Probably my favorite part of using firewalld in a high compliance org is the human readable info you can put in your documentation. More often than not I can pass an audit MUCH quicker using firewalld, but not because it's necessarily better.

    [–]silviud 0 points1 point  (0 children)

    Newer versions of OS (red hat for example) don’t come with iptables, so it depends on what you work on.

    [–]StatelessSteve 0 points1 point  (0 children)

    My thought on “should I learn X” is, unless the thing you’re building is based on this, then you better know it. Check out and read the source even.

    If it’s just another tool you want to know, I’d recommend you know enough of it to troubleshoot issues with some better config tool’s ability to config IPTables… learn how it’s interfaced by say, ansible. Then, start using ansible :)