How do iptables and nftables handle packet filtering rules?
Answer
iptables organizes rules into tables (filter, nat, mangle, raw) and chains (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). Packets traverse a chain top to bottom and the first matching rule's target is applied: ACCEPT, DROP, REJECT and MASQUERADE are terminating verdicts, while LOG is non-terminating, so a logged packet continues on to the next rule; if no rule matches, the chain's default policy decides. Rule ordering is therefore critical: more specific rules must come before general ones, and iptables -I INPUT 1 ... inserts a rule at position 1 (the top) rather than appending it to the end. The stateful matching module (-m conntrack --ctstate) replaces the older -m state module.

nftables (introduced in kernel 3.13, default on modern distros) replaces all four iptables tools with one unified framework, using a cleaner grammar, atomic rule updates (a ruleset file is applied as a single transaction, so there is no mid-update inconsistency), and better performance via a bytecode virtual machine in the kernel. Migrate existing rules with iptables-translate. Both ultimately configure netfilter hooks in the kernel.
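The same minimal host firewall written both ways, as an added example (not part of the original answer): one function emits it in iptables-restore format, the other as the equivalent nftables ruleset that nft -f loads in one transaction. It assumes IPv4 only, and 10.0.0.0/8 is a constructed stand-in for a management network.

```shell
#!/bin/sh
# Added example, not from the original page: one minimal host firewall written twice,
# as an iptables-restore file and as the equivalent nftables ruleset. IPv4 only;
# 10.0.0.0/8 stands in for a constructed "management" network.
set -eu

# iptables-restore format. The ':CHAIN POLICY' lines set the default verdict; rules
# run top to bottom and the first match wins, so the conntrack fast path comes
# first and the narrow SSH allow sits above the catch-all LOG/REJECT at the end.
write_iptables_rules() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-REJECT: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Same policy in nft syntax. 'flush ruleset' and the new table are applied by
# 'nft -f' as one transaction, so no packet ever sees a half-replaced ruleset.
write_nft_ruleset() {
  cat > "$1" <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    tcp dport 22 ip saddr 10.0.0.0/8 ct state new accept
    tcp dport 443 ct state new accept
    limit rate 5/minute log prefix "INPUT-REJECT: "
    reject with icmpx type port-unreachable
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output { type filter hook output priority 0; policy accept; }
}
EOF
}
```

Load the files with iptables-restore rules.v4 or nft -f ruleset.nft; nft -c -f ruleset.nft parses the nftables file without loading it, which is the safe way to review a ruleset before it goes live.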