IPTables on Rocky 10

WARNING! Your current IPtables configuration is invalid : iptables-restore v1.8.11 (nf_tables): unknown option “–state”

Apparently in newer versions of iptables (specifically version 1.8.4 and later), the --state flag is being deprecated in favor of the more modern -m conntrack --ctstate syntax.

Can Webmin be updated to support this new syntax?

Thank you.

Use the nftables module.

I’m not sure if the nftables module has made it into Webmin proper yet, but I think I saw it get merged, so if it’s not, it’ll be in the next Webmin release.

We won’t be updating iptables module, as iptables is considered deprecated upstream. The nftables module is very similar to the iptables module (I stole most of the code from iptables).

That module is here, Ilia merged it a week ago, so I guess the 2.640 package should already have it? webmin/nftables at master · webmin/webmin · GitHub

Yes, it’s included in Webmin 2.640 and works well.

If you don’t see it on the menu, when installing Webmin from the Virtualmin repo, install it separately with your package manager. The package is webmin-nftables.

No package webmin-nftables was found but apparently nftables is and was already installed:

Now installing webmin-nftables ..

Installing package(s) with command /bin/dnf -y install webmin-nftables ..
Last metadata expiration check: 0:01:29 ago on Sun May 10 18:14:10 2026.
No match for argument: webmin-nftables
Error: Unable to find a match: webmin-nftables
.. install failed!

Now installing nftables ..

Installing package(s) with command /bin/dnf -y update nftables ..
Last metadata expiration check: 0:02:19 ago on Sun May 10 18:14:10 2026.
Dependencies resolved.
Nothing to do.
Complete!
.. install complete

It means you have the full Webmin package installed, and a new nftables Linux Firewall module is already included in the Webmin 2.640 release.

If so, why do I get the error message:

… unknown option “–state”

I just just editing a rule that was already there to change a port number.

I’m not sure what you mean. Can you clarify your question?

Didn’t you say you’re using iptables and the iptables Webmin module? That’s not the same module as the nftables module.

Nftables is the new (well, it’s a decade or more old) firewall management tool for Linux. It is similar to iptables, but it is not iptables (though I think iptables now interacts with nf_tables at the kernel level).

As I said above, use nftables.

This gave me a headache when I restarted server work a few years back.

XTABLES-NFT(8)                                             System Manager's Manual                                             XTABLES-NFT(8)

NAME
       xtables-nft — iptables using nftables kernel api

DESCRIPTION
       xtables-nft  are  versions of iptables that use the nftables API.  This is a set of tools to help the system administrator migrate the
       ruleset from iptables(8), ip6tables(8), arptables(8), and ebtables(8) to nftables(8).

       The xtables-nft set is composed of several commands:

       • iptables-nft

       • iptables-nft-save

       • iptables-nft-restore

       • ip6tables-nft

       • ip6tables-nft-save

       • ip6tables-nft-restore

       • arptables-nft

       • ebtables-nft

         These tools use the libxtables framework extensions and hook to the nf_tables kernel subsystem using the nft_compat module.

nftables is better in every way, so it’s not a big loss to simply not use iptables. Now that pretty much everything supports it, there’s no good arguments to keep using iptables.

nftables has a couple of new concepts, but is actually easier to use, I think.

The history of Linux firewalls goes ipfirewall/ipfwadm->ipchains->iptables->nftables, each got more advanced. ipchains had chains, iptables had tables which contained chains, nftables has rulesets which contains tables and chains.

iptables had, e.g. PREROUTING table, but in nftables, you can create arbitrary tables. Which does make it a little more complicated to get started with.

But, it has much nicer CLI syntax and can do more.

We’ll be dropping firewalld and moving to bare nftables for the next major Virtualmin version. It’s lighter weight, I think easier to use, and we mostly don’t need the things firewalld brings to the table. Big firewall wrappers are kind of pointless on a server. I originally picked firewalld because it papered over differences on OSes, seemed like a good way to avoid the iptables vs. nftables question (it supports both), and we already had a Webmin module for it. But, I’ve mostly regretted it…it’s intended to be easy to use, but I’m pretty confident more users find it confusing than iptables (and nftables is nicer than iptables, so it’s much nicer than firewalld).

There are docs to help convert to nftables from iptables, but if your firewall on a server is more than a dozen or so simple rules and an ipset or whatever for fail2ban or sshguard, you’re probably doing something wrong. A server isn’t a router, and complicated firewalls are for security boundaries with complicated requirements (like routers exposing internal devices to the internet, VPN routing, DMZ, etc.).

I have been using iptables for years and years and Webmin always made that easy. I spun up a new Rocky 9 server and webmin and iptables worked as I expected, no problems. Now on a different server with Rocky 10, I suddenly get that error message about "… unknown option “–state”. So when told that in both Rocky 9 and Rocky 10 iptables actually uses nftables I didn’t understand why I get that error on one but not the other.

Here is what Google Gemini says:

On Rocky 9 and 10, the iptables command is actually just a script that translates your input into nftables code. The error unknown option "--state" happens because the translator in the newer Rocky 10 environment no longer supports the deprecated “shortcut” names for modules.

So I guess that Webmin 2.640 was still using the old syntax but Rocky 10 doesn’t like it.

Thanks for the information. I couldn’t find any Webmin option to use nftables even after running Refresh Modules. Then, by pure chance I edited my Webmin user data and discovered that “Linux Firewall” was not checked.
Both of these were checked:
Linux Firewall (ip6tables)
Linux Firewall (iptables)

Perhaps “Linux Firewall” should be listed as “Linux Firewall (nftables)”

So now I have access although I don’t really have time right now to learn yet another new feature. I’m in the middle of scrambling to upgrade my nine Google Cloud servers before the June deadline:

By June 24, 2026:

• Identify: Audit your usage of Shielded VMs, Secure Boot, Full Disk Encryption (FDE) or any other software that relies on vTPM PCRs
• Update VM instances: Consider recreating any long-running VMs created before November 7, 2025

Found it here

No. The nftables module is in Webmin already, as I said above (it shipped in 2.640). Don’t install another (older) copy of it.

The one in the Webmin tree has a bunch of minor bugfixes and major UI enhancements.

I’ll mark my repo as archived and deprecated.

iptables used to be called Linux Firewall, when it was the default firewall on Linux. It hasn’t been the default for several years, but we didn’t have an nftables module until now, so we never renamed it. But, now we do, so Linux Firewall, the iptables version, got renamed to Linux Firewall (iptables) to let you know it is for the old, now-deprecated, firewall tool. Linux Firewall is now nftables, as that is the default and maintained firewall tool for Linux.

You can translate your existing iptables firewall to nftables via iptables-translate, and I recommend folks still using iptables do so. Moving from iptables to nftables - nftables wiki