.\"

.\" (C) Copyright 2018, Arturo Borrero Gonzalez <arturo@netfilter.org>

.\"

.\" %%%LICENSE_START(GPLv2+_DOC_FULL)

.\" This is free documentation; you can redistribute it and/or

.\" modify it under the terms of the GNU General Public License as

.\" published by the Free Software Foundation; either version 2 of

.\" the License, or (at your option) any later version.

.\"

.\" The GNU General Public License's references to "object code"

.\" and "executables" are to be interpreted as the output of any

.\" document formatting or typesetting system, including

.\" intermediate and printed output.

.\"

.\" This manual is distributed in the hope that it will be useful,

.\" but WITHOUT ANY WARRANTY; without even the implied warranty of

.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

.\" GNU General Public License for more details.

.\"

.\" You should have received a copy of the GNU General Public

.\" License along with this manual; if not, see

.\" <http://www.gnu.org/licenses/>.

.\" %%%LICENSE_END

.\"

.TH IPTABLES-TRANSLATE 8 "May 14, 2019"

.SH NAME

iptables-translate \(em translation tool to migrate from iptables to nftables

.P

ip6tables-translate \(em translation tool to migrate from ip6tables to nftables

.SH DESCRIPTION

There is a set of tools to help the system administrator translate a given

ruleset from \fBiptables(8)\fP and \fBip6tables(8)\fP to \fBnftables(8)\fP.

The available commands are:

.IP \[bu] 2

iptables-translate

.IP \[bu]

iptables-restore-translate

.IP \[bu] 2

ip6tables-translate

.IP \[bu]

ip6tables-restore-translate

.SH USAGE

They take as input the original \fBiptables(8)\fP/\fBip6tables(8)\fP syntax and

output the native \fBnftables(8)\fP syntax.

The \fBiptables-restore-translate\fP tool reads a ruleset in the syntax

produced by \fBiptables-save(8)\fP. Likewise, the

\fBip6tables-restore-translate\fP tool reads one produced by

\fBip6tables-save(8)\fP.  No ruleset modifications occur, these tools are

text converters only.

The \fBiptables-translate\fP reads a command line as if it was entered to

\fBiptables(8)\fP, and \fBip6tables-translate\fP reads a command like as if it

was entered to \fBip6tables(8)\fP.

.SH EXAMPLES

Basic operation examples.

Single command translation:

.nf

root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT

nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept

.fi

Whole ruleset translation:

.nf

root@machine:~# iptables-save > save.txt

root@machine:~# cat save.txt

# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016

*filter

:INPUT ACCEPT [5166:1752111]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [5058:628693]

-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

COMMIT

# Completed on Sat Dec 24 14:26:40 2016

root@machine:~# iptables-restore-translate -f save.txt

# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016

add table ip filter

add chain ip filter INPUT { type filter hook input priority 0; }

add chain ip filter FORWARD { type filter hook forward priority 0; }

add chain ip filter OUTPUT { type filter hook output priority 0; }

add rule ip filter FORWARD tcp dport 22 ct state new counter accept

root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft

root@machine:~# nft -f ruleset.nft

root@machine:~# nft list ruleset

table ip filter {

	chain INPUT {

		type filter hook input priority 0; policy accept;

	}

	chain FORWARD {

		type filter hook forward priority 0; policy accept;

		tcp dport ssh ct state new counter packets 0 bytes 0 accept

	}

	chain OUTPUT {

		type filter hook output priority 0; policy accept;

	}

}

.fi

.SH LIMITATIONS

Some (few) extensions may be not supported (or fully-supported) for whatever

reason (for example, they were considered obsolete, or we didn't have the time

to work on them).

There are no translations available for \fBebtables(8)\fP and

\fBarptables(8)\fP.

To get up-to-date information about this, please head to

\fBhttps://wiki.nftables.org/\fP.

.SH SEE ALSO

\fBnft(8)\fP, \fBiptables(8)\fP

.SH AUTHORS

The nftables framework is written by the Netfilter project

(https://www.netfilter.org).

This manual page was written by Arturo Borrero Gonzalez

<arturo@netfilter.org>.

This documentation is free/libre under the terms of the GPLv2+.