man7.org > Linux > man-pages

Linux/UNIX system programming training

xtables-translate(8) — Linux manual page

NAME | DESCRIPTION | USAGE | EXAMPLES | LIMITATIONS | SEE ALSO | AUTHORS | COLOPHON 

IPTABLES-TRANSLATE(8)    System Manager's Manual    IPTABLES-TRANSLATE(8)

NAME         top

       iptables-translate — translation tool to migrate from iptables to
       nftables

       ip6tables-translate — translation tool to migrate from ip6tables
       to nftables

       ebtables-translate — translation tool to migrate from ebtables to
       nftables

       arptables-translate — translation tool to migrate from arptables
       to nftables

DESCRIPTION         top

       There is a set of tools to help the system administrator translate
       a given ruleset from iptables(8), ip6tables(8), ebtables(8) and
       arptables(8) to nftables(8).

       The available commands are:

       • iptables-translate

       • iptables-restore-translate

       • ip6tables-translate

       • ip6tables-restore-translate

       • ebtables-translate

       • arptables-translate

USAGE         top

       They take as input the original
       iptables(8)/ip6tables(8)/ebtables(8)/arptables(8) syntax and
       output the native nftables(8) syntax.

       The iptables-restore-translate tool reads a ruleset in the syntax
       produced by iptables-save(8). Likewise, the ip6tables-restore-
       translate tool reads one produced by ip6tables-save(8).  No
       ruleset modifications occur, these tools are text converters only.

       The iptables-translate reads a command line as if it was entered
       to iptables(8), and ip6tables-translate reads a command like as if
       it was entered to ip6tables(8).

EXAMPLES         top

       Basic operation examples.

       Single command translation:

       root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
       nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

       root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT
       nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept

       Whole ruleset translation:

       root@machine:~# iptables-save > save.txt
       root@machine:~# cat save.txt
       # Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016
       *filter
       :INPUT ACCEPT [5166:1752111]
       :FORWARD ACCEPT [0:0]
       :OUTPUT ACCEPT [5058:628693]
       -A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
       COMMIT
       # Completed on Sat Dec 24 14:26:40 2016

       root@machine:~# iptables-restore-translate -f save.txt
       # Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016
       add table ip filter
       add chain ip filter INPUT { type filter hook input priority 0; }
       add chain ip filter FORWARD { type filter hook forward priority 0; }
       add chain ip filter OUTPUT { type filter hook output priority 0; }
       add rule ip filter FORWARD tcp dport 22 ct state new counter accept

       root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft
       root@machine:~# nft -f ruleset.nft
       root@machine:~# nft list ruleset
       table ip filter {
            chain INPUT {
                 type filter hook input priority 0; policy accept;
            }

            chain FORWARD {
                 type filter hook forward priority 0; policy accept;
                 tcp dport ssh ct state new counter packets 0 bytes 0 accept
            }

            chain OUTPUT {
                 type filter hook output priority 0; policy accept;
            }
       }

LIMITATIONS         top

       Some (few) extensions may be not supported (or fully-supported)
       for whatever reason (for example, they were considered obsolete,
       or we didn't have the time to work on them).

       There is no translation available for arptables(8).

       To get up-to-date information about this, please head to
       https://wiki.nftables.org/ .

SEE ALSO         top

       nft(8), iptables(8)

AUTHORS         top

       The nftables framework is written by the Netfilter project
       (https://www.netfilter.org).

       This manual page was written by Arturo Borrero Gonzalez
       <arturo@netfilter.org>.

       This documentation is free/libre under the terms of the GPLv2+.

COLOPHON         top

       This page is part of the iptables (administer and maintain packet
       filter rules) project.  Information about the project can be found
       at ⟨http://www.netfilter.org/⟩.  If you have a bug report for this
       manual page, see ⟨http://bugzilla.netfilter.org/⟩.  This page was
       obtained from the project's upstream Git repository
       ⟨git://git.netfilter.org/iptables⟩ on 2025-08-11.  (At that time,
       the date of the most recent commit that was found in the
       repository was 2025-07-22.)  If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       man-pages@man7.org

                               May 14, 2019         IPTABLES-TRANSLATE(8)

Pages that refer to this page: xtables-legacy(8)xtables-nft(8)

Copyright and license for this manual page

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.

For details of in-depth Linux/UNIX system programming training courses that I teach, look here.

Hosting by jambit GmbH.

Cover of TLPI