Hi all,
This is going to be another post about the iptables-translate utility. It covers why this tool matters and how it can be used to translate different kinds of iptables targets and matches, with examples.
The first translation I provided was for the match "mark". For those unfamiliar with iptables, this module matches the netfilter mark field associated with a packet.
In iptables, one writes a rule corresponding to this as simply as
# iptables -A FORWARD -m mark --mark 22 -j ACCEPT
However, in nftables, this rule turns out to be even simpler.
# nft add rule ip filter FORWARD mark 0x16 accept
Note that if no table is specified at the beginning of a rule, iptables defaults to the 'filter' table. In nftables, however, the family (ip, ip6, etc.) and the table name must always be given.
See how the translation has taken place:
iptables | nft
-A | add rule
FORWARD | ip filter FORWARD
-m mark --mark 22 | mark 0x16
ACCEPT | accept
Quite simple, right?
Now look at the iptables rule for the routing realm match. This module matches the routing realm number assigned to a packet; it is used in complex routing setups involving dynamic routing protocols like BGP.
# iptables -A PREROUTING -m realm --realm 4
Going by the procedure above, we can easily come up with an nftables rule like
# nft add rule ip filter PREROUTING realm 0x4
Easiest stuff ever!
But wait. What is this weird message on my terminal?
Seems like things aren't a piece of cake after all. What do we do now? We have no information about how the routing realm match is written in nftables.
People, hold your breaths. Here comes the savior…
iptables-translate
This utility will always come to the rescue, I bet.*
*T&C: provided I have completed the translation for that module
So, now that we have our hero, all we have to do is
$ sudo iptables-translate -A PREROUTING -m realm --realm 4
and then we get on the terminal:
nft add rule ip filter PREROUTING rtclassid 0x4 counter
Try adding this rule to your chain. Congrats! No weird looking errors this time.
[iptables-translate: Oh, come on. There’s no need for claps. No. Seriously.]
So, this is why you are going to need this utility. The syntax has changed a lot; it is actually better and more understandable, but you need to know the exact keywords.
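As an added illustration (not the post's own code and not the source of iptables-translate, which lives in the iptables tree), here is a small Python re-implementation of just the two translations shown above, mark and realm, including the counter keyword the tool appends. The value/mask and negated forms go beyond the post's examples and follow the same pattern.

```python
"""Added illustration of the mark and realm translations from the post; not
the code of iptables-translate itself (which lives in the iptables tree)."""
import shlex

# Targets used on the page; anything else raises rather than emitting a
# half-translated rule.
TARGETS = {"ACCEPT": "accept", "DROP": "drop"}


def _hex(value: str) -> str:
    """iptables accepts decimal or hex input; nft prints the value as hex."""
    return hex(int(value, 0))


def translate(rule: str, family: str = "ip", table: str = "filter") -> str:
    """Turn '-A CHAIN -m mark|realm ... [-j TARGET]' into an nft command.
    Assumes iptables' default table 'filter'; nft needs family and table
    spelled out. 'counter' is appended because every iptables rule keeps
    packet/byte counters (compare the realm output in the post)."""
    argv, chain, exprs, target, i = shlex.split(rule), None, [], None, 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-A":
            chain, i = argv[i + 1], i + 2
        elif tok == "-j":
            target, i = TARGETS[argv[i + 1]], i + 2
        elif tok == "-m":
            module, i = argv[i + 1], i + 2
            neg = ""
            if argv[i] == "!":  # iptables places '!' before the option
                neg, i = "!= ", i + 1
            opt, arg, i = argv[i], argv[i + 1], i + 2
            if module == "mark" and opt == "--mark":
                value, _, mask = arg.partition("/")  # optional value/mask form
                if mask:
                    exprs.append(f"mark and {_hex(mask)} {'!=' if neg else '=='} {_hex(value)}")
                else:
                    exprs.append(f"mark {neg}{_hex(value)}")
            elif module == "realm" and opt == "--realm":
                exprs.append(f"rtclassid {neg}{_hex(arg)}")  # the keyword that changes
            else:
                raise ValueError(f"unsupported match: {module} {opt}")
        else:
            raise ValueError(f"unsupported option: {tok}")
    if chain is None:
        raise ValueError("rule has no -A CHAIN")
    parts = ["nft add rule", family, table, chain, *exprs, "counter"]
    return " ".join(parts + [target] if target else parts)
```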
This tool is pretty good and very very easy to use. Try it out and report the bugs if you come across any.
Thanks for reading.
Hey
I’m wondering how nft would deal with virtual interfaces, such as the tun (tunnel) that is created with openVPN connections, or ppp that is created with PPTP vpn.
I find a lot of info about openvpn on a server — however — I’m a workstation. Currently I need to turn off nftables to connect to vpn.
Would love to try the tools out… if only I could find it!
Hi Shivani, I've been sieving through the iptables source code, but I cannot seem to build and/or find the "iptables-translate" tool in either iptables or nftables (searching around, my guess is that it is in the iptables/xtables area). Where and/or how can I get this tool (just a brief hint will do, such as "make iptables with libXXX", etc.)?
Hello!
iptables has not had a new release since iptables-translate was included, so for now you can clone the git repository (git clone git://git.netfilter.org/iptables) and build from there to use iptables-translate.
Thanks for the reply, though I had git-cloned from netfilter.org before I posted/inquired here. I simply did '$ find . -executable -name "*trans*"' (also "ip*") in hopes of finding the executable, but to no avail. I compiled it on both Gentoo and Debian (Jessie) and tried different configure options such as "--enable-devel" as well.
Here are some sample output snippets from configure (on Gentoo):
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: no
Large file support: yes
BPF utils support: no
nfsynproxy util support: no
nftables support: yes
connlabel support: no
Build parameters:
Put plugins into executable (static): no
Support plugins via dlopen (shared): yes
Installation prefix (--prefix): /usr/local
Xtables extension directory: /usr/local/lib/xtables
Pkg-config directory: /usr/local/lib/pkgconfig
Host: x86_64-pc-linux-gnu
GCC binary: gcc
As you can see, I do have nftables support.
It turns out iptables-translate is a soft link (ln -s) to "xtables-compat-multi" (similar to how iptables{-save,-restore} are soft links to xtables-multi). Thanks!!
Can iptables-translate translate several lines of iptables statements into one nftables statement?
Also, I used iptables-translate-restore -f /etc/iptables.up.rules, which had statements like
-A INPUT -m set --match-set level3 src -j DROP
and these just got uncommented like this:
# -t filter -A INPUT -m set --match-set level3 src -j DROP
Do you know if the translation of a statement like that will be translatable soon?
Hi,
I'm using CentOS 7 and I am getting iptables-translate: command not found