
Managing CSF Firewall Rules on CentOS 8 with nftables

4 min read · Published 4 Mar 2026 · Updated 17 Apr 2026 · 1,815 views

In this article

  • Introduction
  • 1 The New Landscape: nftables on CentOS 8
  • 2 How CSF Operates with nftables
  • 3 Managing CSF Configuration on CentOS 8
  • 4 Verifying Active Rules
  • 5 Advantages of Using nftables with CSF
  • Conclusion


Introduction

CentOS 8 ships nftables as its default packet-filtering framework. The iptables command it provides is the nft-based build (iptables-nft), which programs nftables in the kernel instead of the legacy ip_tables backend. ConfigServer Security & Firewall (CSF) still issues ordinary iptables commands, so on CentOS 8 it operates through this compatibility layer rather than directly on the legacy interface.

Key Takeaways:

  • CentOS 8 does not support reverting to iptables-legacy.

  • The iptables commands CSF issues are translated into nftables rules automatically by iptables-nft; CSF's own configuration does not change.

  • Best practice: let CSF own the firewall. Rules added by hand to the iptables-nft tables are flushed the next time CSF rebuilds its ruleset, and rules placed in separate nft tables are invisible to CSF and can interact with its policy in ways CSF cannot see.


1 The New Landscape: nftables on CentOS 8

What Changed

  • Default Framework: CentOS 8 has fully migrated from iptables-legacy to nftables; the iptables command on the system is the nft-based variant (iptables-nft).

  • No iptables-legacy Package: Unlike some other distributions, CentOS 8 does not provide a supported way to revert to iptables-legacy.

Why nftables

Performance & Efficiency:

  • Large address lists kept in sets are matched by lookup rather than by walking one linear rule per address, which matters for long deny lists.

  • Stateful filtering is expressed with ct state and uses the same conntrack engine that iptables used.

  • Native support for sets and maps removes the need to repeat near-identical rules.

Modern Firewall Management:

  • One nft tool and one syntax cover IPv4, IPv6, ARP and bridge filtering, where iptables needed the separate iptables, ip6tables, arptables and ebtables commands.

  • A ruleset can be loaded atomically (nft -f), so a reload never leaves the host in a half-applied state.


2 How CSF Operates with nftables

CSF and the Compatibility Layer

Originally written for iptables, CSF works on CentOS 8 through the iptables-nft compatibility layer.

Automatic Translation: When you execute:

csf -r

CSF flushes and rebuilds its ruleset by running ordinary iptables commands. On CentOS 8 those commands are handled by iptables-nft, which converts each one into equivalent nftables rules. The translation is done by iptables-nft, not by CSF; CSF is unaware of the backend.

Managed Tables: You may see warnings like:

# Warning: table ip filter is managed by iptables-nft, do not touch!

What This Means: nft list ruleset prints this line above every table that was created through iptables-nft. On a CSF host those tables are populated by CSF, so editing them by hand is discouraged: CSF will overwrite them on its next restart and will never see what you changed.

Best Practices: Let CSF Manage the Firewall

Avoid Manual Changes:

  • Do NOT add or delete rules in the auto-generated tables with nft, and do not run ad-hoc iptables commands: such changes are flushed the next time CSF rebuilds its ruleset.

  • Instead, make all adjustments via CSF's configuration files, and reload CSF so the change is rebuilt on every restart.

Use CSF Commands:

csf -r # Restart CSF: flush and rebuild the firewall rules from its configuration
csf -g <ip-or-port> # Search the live iptables rules for an IP, CIDR or port number

3 Managing CSF Configuration on CentOS 8

Making Adjustments via CSF

All modifications should be performed through CSF's configuration files:

  • Main Configuration: /etc/csf/csf.conf (for example the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT port lists)

  • Allow/Deny Lists: /etc/csf/csf.allow & /etc/csf/csf.deny

Whitelisting or Blacklisting IPs/Ports

To allow or block IPs, edit the relevant file and reload CSF. Each line holds one IP or CIDR with an optional # comment, or the port-scoped form protocol|in|d=port|s=address, which limits an exception to a single port instead of bypassing the whole firewall for that host:

nano /etc/csf/csf.allow # Whitelist IPs
nano /etc/csf/csf.deny # Blacklist IPs
csf -r # Apply changes
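The whitelist/blacklist procedure above as a small shell helper. This is an added example, not code from the original article or from ConfigServer: the function names (valid_ipv4_cidr, csf_entry, apply_entry), the MAX_ALLOW_PREFIX limit and the sample addresses (taken from the RFC 5737 documentation ranges) are constructed for this example, while the file paths, the csf -r and csf -g options and the csf.allow/csf.deny line formats are CSF's own.

```shell
#!/bin/sh
# Added example, not part of the article or of CSF itself: generate and apply
# csf.allow / csf.deny entries through CSF rather than touching nftables.
# Addresses used below are constructed from the RFC 5737 documentation ranges.

# Assumed local policy (not a CSF setting): refuse to whitelist anything wider than a /16.
MAX_ALLOW_PREFIX=16

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with /prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    # Split on dots in a subshell so the caller's IFS is untouched.
    ( IFS=.; set -- $addr
      [ $# -eq 4 ] || exit 1
      for octet in "$@"; do
          [ -n "$octet" ] && [ "$octet" -le 255 ] || exit 1
      done )
}

# Print one csf.allow (mode=allow) or csf.deny (mode=deny) line.
# With a TCP port the entry uses CSF's port-scoped form
#   tcp|in|d=<port>|s=<address>
# so a whitelist opens only that port instead of bypassing the whole firewall.
csf_entry() {
    mode=$1 target=$2 comment=$3 port=$4
    valid_ipv4_cidr "$target" || { echo "invalid address: $target" >&2; return 1; }
    case $mode in
        allow)
            prefix=${target#*/}
            [ "$prefix" = "$target" ] && prefix=32
            if [ "$prefix" -lt "$MAX_ALLOW_PREFIX" ]; then
                echo "refusing to allow /$prefix: wider than /$MAX_ALLOW_PREFIX" >&2
                return 1
            fi ;;
        deny) ;;
        *) echo "mode must be allow or deny" >&2; return 1 ;;
    esac
    if [ -n "$port" ]; then
        case $port in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        printf 'tcp|in|d=%s|s=%s # %s\n' "$port" "$target" "$comment"
    else
        printf '%s # %s\n' "$target" "$comment"
    fi
}

# Apply an entry the CSF way: append it to /etc/csf/csf.allow or csf.deny and
# restart CSF, so the rule is rebuilt on every csf -r instead of being flushed
# like a hand-made nft or iptables change. csf -g then searches the live rules
# for the address to confirm it was translated into the ruleset.
apply_entry() {
    mode=$1; shift
    entry=$(csf_entry "$mode" "$@") || return 1
    printf '%s\n' "$entry" >> "/etc/csf/csf.$mode"
    csf -r >/dev/null && csf -g "$1"
}

# Dry run on constructed input (no csf call, safe to run anywhere):
csf_entry allow 203.0.113.10 "office SSH" 22
csf_entry deny 198.51.100.0/24 "scanner netblock"
csf_entry allow 10.0.0.0/8 "too wide" || echo "rejected, as intended"
```

On the server, `apply_entry allow 203.0.113.10 "office SSH" 22` (as root) appends the port-scoped line to csf.allow, restarts CSF and prints the matching live rules from csf -g; because the entry lives in CSF's own file, it survives every later restart, which a rule inserted with nft would not.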

Custom Rules in CSF

If you need firewall rules that csf.allow, csf.deny and csf.conf cannot express, put them in the hook scripts CSF provides: /etc/csf/csfpre.sh runs before CSF builds its rules and /etc/csf/csfpost.sh runs after, and both are re-executed on every restart. Write them as iptables commands, so that iptables-nft places them in the same tables CSF manages; rules created with nft in tables of your own are not tracked by CSF.


4 Verifying Active Rules

Even though you shouldn't modify nftables manually, it's useful to review the applied rules: csf -l shows them from CSF's point of view, while nft list ruleset shows the same rules as the kernel actually holds them.

Run the following command to inspect the active ruleset:

nft list ruleset

What You'll See:

  • Multiple tables such as ip filter, ip raw and ip mangle (with ip6 counterparts when IPv6 is enabled in CSF), each preceded by the "managed by iptables-nft, do not touch!" warning.

  • Inside them, the familiar INPUT, OUTPUT and FORWARD chains plus CSF's own chains (for example DENYIN and ALLOWIN) rendered in nft syntax, maintained by the iptables-nft compatibility layer and equivalent to the iptables rules CSF generated.


5 Advantages of Using nftables with CSF

Enhanced Security & Performance

Modern Syntax & Flexibility:

  • Supports sets, maps, and efficient rule processing.

  • Reduces the complexity of firewall configurations.

CSF Compatibility:

  • CSF runs unchanged: its iptables calls are served by iptables-nft, so the rules end up in nftables without any change to CSF.

  • Familiar CSF commands and configuration files keep working while the kernel side benefits from nftables' capabilities.

Streamlined Management

Centralized Control:

  • Managing the firewall through CSF configuration files ensures that changes are consistent.

  • Reduces the risk of conflicts with system-managed tables.

Reduced Configuration Drift:

  • Prevents accidental overwrites or errors from manual nftables modifications.

  • Ensures that security policies remain correctly enforced.


Conclusion

Managing CSF firewall rules on CentOS 8 means embracing the nftables framework. Since reverting to iptables-legacy is not an option, administrators should:

  • Use CSF commands and configuration files for all changes.

  • Avoid direct modifications to the tables iptables-nft manages.

  • Verify the translated rules with nft list ruleset (and csf -l) to confirm that the policy the kernel enforces is the one CSF was configured with.

By following these best practices, you maintain a secure, high-performance firewall configuration on CentOS 8 while still using the familiar CSF interface.

Note: CentOS has reached end-of-life. If you are setting up a new server, we recommend using AlmaLinux or Rocky Linux as a drop-in replacement. The commands and procedures in this article apply equally to AlmaLinux and Rocky Linux.
