Linux Routing Operations and Maintenance: Causes and Solutions for Compatibility Issues with Old iptables Rules
Preface
While using the X-wrt system, which is based on OpenWrt, I noticed that the firewall page showed a warning about compatibility issues with old iptables rules. I started researching the cause of the problem and its solution, and this blog post is the result.
Root Causes of the Problem
The system I am using is X-WRT-docker 25.04_b202506151427 Plucky. As you can see, the system includes a Docker environment. Docker manages the iptables rules itself, but new versions of OpenWrt have dropped support for the old iptables and moved fully to the new nftables. This causes the compatibility issue between the old iptables rules and the new nftables.
Solution
1. Back up the current firewall rules
# Back up the iptables IPv4 and IPv6 rules separately
iptables-save > /root/iptables-backup.v4
ip6tables-save > /root/iptables-backup.v6
# Back up the nftables rules
nft list ruleset > /root/nftables-backup.rules
2. Move the iptables rules to nftables
# Create the nftables working folder
mkdir -p /etc/nftables
# Convert the IPv4 and IPv6 rules separately (the IPv6 dump needs the ip6tables translator)
ip6tables-restore-translate -f /root/iptables-backup.v6 > /etc/nftables/migrated-rules.v6
iptables-restore-translate -f /root/iptables-backup.v4 > /etc/nftables/migrated-rules.v4
3. Integrate rules and test
# Append all converted rules to the nftables configuration
cat /etc/nftables/migrated-rules.v4 >> /etc/nftables.conf
cat /etc/nftables/migrated-rules.v6 >> /etc/nftables.conf
# Check whether the syntax is correct
nft -c -f /etc/nftables.conf
# Reload the nftables rules
nft flush ruleset
nft -f /etc/nftables.conf
4. Process Docker firewall policy
# Edit the Docker config file
vim /etc/docker/daemon.json
# Add the text below
{
  "iptables": false
}
# Restart Docker
/etc/init.d/docker restart
5. Verify and test
Verify that the firewall page no longer shows errors, and check whether the system logs and related services are functioning normally. If everything is normal, it proves that the changes have taken effect. If not, the changes need to be rolled back.
# Rollback
iptables-restore < /root/iptables-backup.v4
ip6tables-restore < /root/iptables-backup.v6
Ending
In light of this error, as Linux routing and operations personnel, we should regularly review the rules, remove unnecessary old rules to keep the firewall rules tidy, and optimize the rule structure to ensure efficiency and a low error rate.
I'm not a pro in Linux maintenance. If there are any bugs or errors, please tell me; I will take your advice humbly.
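
Step 3 appends the translated rules to /etc/nftables.conf before checking them, so a failed check leaves the file already modified. The sketch below is an added example, not code from the original post: it stages the merge in a temporary file and replaces the configuration only if the check passes. The function names and the NFT_CHECK override are hypothetical, and it assumes iptables-restore-translate leaves rules it cannot translate as comment lines starting with "# -t".

```shell
#!/bin/sh
# Added example: stage the merged config, check it, then install it.
# Assumption: rules the translator could not convert are emitted as
# comment lines of the form "# -t <table> -A ...".

# Print (with line numbers) every rule left untranslated in file $1.
# Returns 1 if any are found, 0 otherwise.
untranslated_rules() {
    if grep -n '^# -t ' "$1"; then
        return 1
    fi
    return 0
}

# merge_checked CONF FILE...
# Builds CONF + FILEs in a temp file next to CONF, validates it with
# $NFT_CHECK (default: nft -c -f) and replaces CONF only on success.
# Return codes: 0 installed, 2 untranslated rules, 3 syntax check failed.
merge_checked() {
    conf=$1; shift
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    if [ -f "$conf" ]; then
        cat "$conf" > "$tmp"
    fi
    for f in "$@"; do
        if ! untranslated_rules "$f" >&2; then
            echo "refusing to merge $f: untranslated rules listed above" >&2
            rm -f "$tmp"
            return 2
        fi
        cat "$f" >> "$tmp"
    done
    # Unquoted on purpose so the default splits into "nft" "-c" "-f".
    if ${NFT_CHECK:-nft -c -f} "$tmp"; then
        mv "$tmp" "$conf"   # same directory, so the rename is atomic
    else
        echo "syntax check failed; $conf left unchanged" >&2
        rm -f "$tmp"
        return 3
    fi
}

# Usage on the router (paths from the steps above):
#   merge_checked /etc/nftables.conf \
#       /etc/nftables/migrated-rules.v4 /etc/nftables/migrated-rules.v6
```

A return code of 2 means some rules have to be rewritten by hand before the merge; the listed line numbers point at them in the migrated file.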