{ "mode": "man", "parameter": "xtables-translate", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/xtables-translate/8/json", "generated": "2026-05-30T07:10:16Z", "sections": { "NAME": { "content": "iptables-translate — translation tool to migrate from iptables to nftables\n\nip6tables-translate — translation tool to migrate from ip6tables to nftables\n", "subsections": [] }, "DESCRIPTION": { "content": "There is a set of tools to help the system administrator translate a given ruleset from ipta‐‐\nbles(8) and ip6tables(8) to nftables(8).\n\nThe available commands are:\n\n\n• iptables-translate\n\n• iptables-restore-translate\n\n• ip6tables-translate\n\n• ip6tables-restore-translate\n\n", "subsections": [] }, "USAGE": { "content": "They take as input the original iptables(8)/ip6tables(8) syntax and output the native nfta‐‐\nbles(8) syntax.\n\nThe iptables-restore-translate tool reads a ruleset in the syntax produced by iptables-\nsave(8). Likewise, the ip6tables-restore-translate tool reads one produced by ip6tables-\nsave(8). No ruleset modifications occur, these tools are text converters only.\n\nThe iptables-translate reads a command line as if it was entered to iptables(8), and ip6ta‐‐\nbles-translate reads a command like as if it was entered to ip6tables(8).\n\n", "subsections": [] }, "EXAMPLES": { "content": "Basic operation examples.\n\nSingle command translation:\n\nroot@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\nnft add rule ip filter INPUT tcp dport 22 ct state new counter accept\n\nroot@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT\nnft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept\n\nWhole ruleset translation:\n\nroot@machine:~# iptables-save > save.txt\nroot@machine:~# cat save.txt\n# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016\n*filter\n:INPUT ACCEPT [5166:1752111]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [5058:628693]\n-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\nCOMMIT\n# Completed on Sat Dec 24 14:26:40 2016\n\nroot@machine:~# iptables-restore-translate -f save.txt\n# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016\nadd table ip filter\nadd chain ip filter INPUT { type filter hook input priority 0; }\nadd chain ip filter FORWARD { type filter hook forward priority 0; }\nadd chain ip filter OUTPUT { type filter hook output priority 0; }\nadd rule ip filter FORWARD tcp dport 22 ct state new counter accept\n\nroot@machine:~# iptables-restore-translate -f save.txt > ruleset.nft\nroot@machine:~# nft -f ruleset.nft\nroot@machine:~# nft list ruleset\ntable ip filter {\nchain INPUT {\ntype filter hook input priority 0; policy accept;\n}\n\nchain FORWARD {\ntype filter hook forward priority 0; policy accept;\ntcp dport ssh ct state new counter packets 0 bytes 0 accept\n}\n\nchain OUTPUT {\ntype filter hook output priority 0; policy accept;\n}\n}\n\n\n", "subsections": [] }, "LIMITATIONS": { "content": "Some (few) extensions may be not supported (or fully-supported) for whatever reason (for ex‐\nample, they were considered obsolete, or we didn't have the time to work on them).\n\nThere are no translations available for ebtables(8) and arptables(8).\n\nTo get up-to-date information about this, please head to https://wiki.nftables.org/.\n\n", "subsections": [] }, "SEE ALSO": { "content": "nft(8), iptables(8)\n\n", "subsections": [] }, "AUTHORS": { "content": "The nftables framework is written by the Netfilter project (https://www.netfilter.org).\n\nThis manual page was written by Arturo Borrero Gonzalez .\n\nThis documentation is free/libre under the terms of the GPLv2+.\n\n\n\nMay 14, 2019 IPTABLES-TRANSLATE(8)", "subsections": [] } }, "summary": "iptables-translate — translation tool to migrate from iptables to nftables ip6tables-translate — translation tool to migrate from ip6tables to nftables", "flags": [], "examples": [ "Basic operation examples.", "Single command translation:", "root@machine:~# iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT", "nft add rule ip filter INPUT tcp dport 22 ct state new counter accept", "root@machine:~# ip6tables-translate -A FORWARD -i eth0 -o eth3 -p udp -m multiport --dports 111,222 -j ACCEPT", "nft add rule ip6 filter FORWARD iifname eth0 oifname eth3 meta l4proto udp udp dport { 111,222} counter accept", "Whole ruleset translation:", "root@machine:~# iptables-save > save.txt", "root@machine:~# cat save.txt", "# Generated by iptables-save v1.6.0 on Sat Dec 24 14:26:40 2016", "*filter", ":INPUT ACCEPT [5166:1752111]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [5058:628693]", "-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT", "COMMIT", "# Completed on Sat Dec 24 14:26:40 2016", "root@machine:~# iptables-restore-translate -f save.txt", "# Translated by iptables-restore-translate v1.6.0 on Sat Dec 24 14:26:59 2016", "add table ip filter", "add chain ip filter INPUT { type filter hook input priority 0; }", "add chain ip filter FORWARD { type filter hook forward priority 0; }", "add chain ip filter OUTPUT { type filter hook output priority 0; }", "add rule ip filter FORWARD tcp dport 22 ct state new counter accept", "root@machine:~# iptables-restore-translate -f save.txt > ruleset.nft", "root@machine:~# nft -f ruleset.nft", "root@machine:~# nft list ruleset", "table ip filter {", "chain INPUT {", "type filter hook input priority 0; policy accept;", "chain FORWARD {", "type filter hook forward priority 0; policy accept;", "tcp dport ssh ct state new counter packets 0 bytes 0 accept", "chain OUTPUT {", "type filter hook output priority 0; policy accept;" ], "see_also": [ { "name": "nft", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/nft/8/json" }, { "name": "iptables", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json" } ] }