Linux Server Security is the current field-guide cluster.Linux • Security • Self-hosting • Practical tools
Linux Server Hardening

Does Ubuntu UFW Use iptables or nftables?

On modern Linux systems, UFW can look like an iptables-era tool while the underlying system uses nftables through compatibility layers. That does not automatically mean your firewall is broken; it means you need to understand which tool owns the policy before mixing manual rules, Docker, or security bouncers.

The safe rule is simple: manage the host firewall through one primary interface, then verify exposure from both the server side and the network side.

Why do admins see both iptables and nftables?

The Linux firewall stack has history. iptables was the familiar interface for years; nftables is the newer Netfilter framework. Netfilter documents a backward-compatibility layer that allows iptables and ip6tables syntax to run over nftables infrastructure.

Debian’s nftables documentation says the default since Debian 10 is nftables, and that installed iptables utilities use the nf_tables backend by default through iptables-nft. Ubuntu follows the same broad modern Linux reality: you may see iptables-shaped tools while nftables is underneath.

That is why “I saw iptables output” and “the system uses nftables” are not always contradictory statements.

Does this matter for UFW?

It matters when another tool also manages firewall rules. For a simple UFW-only VPS, the backend detail is usually less important than whether your policy is clear and exposure is verified.

It matters more when you add:

Those tools may expect iptables, nftables, ipset, or a specific mode. Pick the integration that matches the system instead of guessing.

Why duplicate-looking output can be misleading

Firewall tools can show compatibility views of underlying rules. You might inspect one layer and miss rules created by another tool, or you might see generated chains and assume they are duplicates.

The practical question is not “which command looks cleaner?” It is:

  1. Which tool is the owner of host firewall policy?
  2. Which tools are allowed to add dynamic rules?
  3. Which services are listening locally?
  4. Which ports are reachable from outside?
  5. Can another admin reproduce the answer later?

If you cannot answer those, the backend debate is a distraction.

How to keep a small Ubuntu server sane

Use UFW as the human-facing policy layer unless you have a real reason not to. Avoid adding direct nftables rules on the same host unless you document exactly why.

For a small server, the cleaner model is:

This pairs naturally with UFW for Ubuntu servers, Docker rootless mode tradeoffs, and ss vs lsof vs nmap exposure checks.

FAQ

Is UFW obsolete because nftables exists?

No. UFW is still useful as a simpler policy interface. nftables is the lower-level framework many modern systems use underneath.

Should I write nftables rules manually on an Ubuntu VPS?

Only if you need that control and are ready to maintain it. For many small servers, UFW is the safer operational choice.

Why does CrowdSec ask about iptables or nftables?

CrowdSec’s firewall bouncer supports multiple firewall backends. The bouncer needs to add decisions in a way that matches the system’s firewall mode.

Sources