firewalld and UFW were active on 88.4% of home and small-business Linux installations in 2025, according to SQ Magazine — yet the firewall engine running underneath those tools has shifted dramatically. nftables entered the Linux kernel in January 2014 and has since displaced iptables as the default backend on every major Linux distribution released after 2019. This article documents where iptables, nftables, and firewalld stand in 2026: which tools run by default, which still dominate legacy infrastructure, and what the data shows about migration patterns.
- firewalld and UFW were active on 88.4% of home and small-business Linux installations in 2025.
- nftables has been the default firewall backend in Debian 10+, Ubuntu 20.10+, RHEL 8+, and Fedora 32+ since 2019–2020.
- RHEL holds 43.1% of the enterprise Linux server market in 2025, with firewalld running over nftables as its default backend.
- iptables has entered official legacy maintenance mode, with the Netfilter Project formally directing new deployments to nftables.
- nftables recorded no major CVE as of October 2025, compared to multiple active CVEs in other firewall solutions reviewed in the same period.
Linux Firewall Adoption Rates: iptables vs nftables vs firewalld in 2026
The Linux firewall picture in 2026 is a three-layer story. At the kernel level, nftables is now the standard Netfilter subsystem on modern distributions. At the management layer, firewalld (on Red Hat-family systems) and UFW (on Debian/Ubuntu systems) handle configuration for the majority of deployments. iptables, which was the standard for nearly two decades, now runs primarily through a compatibility shim called iptables-nft or persists on older systems that have not been upgraded.
The Netfilter Project officially placed iptables in legacy maintenance mode, directing all new deployments to nftables. On Ubuntu 22.04 and later, when you run an iptables command, the system routes it through the nftables backend automatically via iptables-nft unless an administrator has explicitly switched to iptables-legacy. This means iptables syntax is still in wide use, but the underlying engine handling those rules is increasingly nftables.
Which Linux Distributions Default to nftables?
The shift to nftables at the distribution level has been steady since 2019. Debian 10 (Buster) was among the first major distributions to adopt nftables as the default packet filtering backend. Ubuntu followed in October 2020 with the 20.10 (Groovy Gorilla) release, making the nftables backend the default for the iptables, ip6tables, arptables, and ebtables tools system-wide. Red Hat Enterprise Linux 8 (released May 2019) ships firewalld with nftables as the backend. Fedora 32 removed the downstream patch that had previously defaulted firewalld to iptables, aligning Fedora with the upstream firewalld project’s nftables default.
| Distribution | Version | Default Firewall Tool | Underlying Backend | Year Switched |
|---|---|---|---|---|
| Debian | 10 (Buster)+ | nftables / iptables-nft | nftables | 2019 |
| Ubuntu | 20.10 (Groovy)+ | UFW / iptables-nft | nftables | 2020 |
| RHEL / CentOS | 8+ | firewalld | nftables | 2019 |
| Fedora | 32+ | firewalld | nftables | 2020 |
| RHEL / CentOS | 7 and earlier | firewalld | iptables | Still iptables |
| Ubuntu | 18.04 LTS and earlier | UFW / iptables | iptables | Still iptables |
| Debian | 9 (Stretch) and earlier | iptables | iptables | Still iptables |
Source: Debian Wiki, Ubuntu Security Documentation, Red Hat Documentation, Fedora Project Wiki
nftables vs iptables: Market Presence by Distribution Share
Because firewall tool adoption follows distribution defaults, distribution market share data provides a reasonable proxy for nftables penetration. Red Hat Enterprise Linux leads enterprise servers with 43.1% market share in 2025. RHEL 8 and later default to firewalld over nftables, meaning a substantial portion of enterprise Linux servers run nftables as the effective firewall engine even when administrators interact with firewalld commands. Ubuntu accounts for 33.9% of enterprise deployments and over 60% of public cloud Linux instances, with its nftables backend default having been in place since late 2020.
Source: Command Linux — Linux Distribution Market Share Statistics 2025; Canonical
iptables vs nftables Backend: Estimated Active Usage Split
No single authoritative survey tracks the iptables-vs-nftables split across all Linux servers worldwide. However, combining distribution market share with their default backend configurations produces an estimate of where the installed base sits. Systems still running RHEL 7, CentOS 7, Ubuntu 18.04 LTS, or equivalent enterprise distributions use iptables either directly or as the firewalld backend. Enterprises that have not migrated to a post-2019 distribution remain the largest source of active iptables deployments in 2026.
Source: Netfilter Project; Red Hat Documentation; Debian Wiki; Ubuntu Security Documentation — estimated based on distribution default configurations
Linux Firewall Adoption Rates in Enterprise Environments
Enterprise adoption of Linux servers continues to grow — Linux captured 44.8% of the server operating system market in 2024. Within that installed base, firewall tool usage reflects the distribution split. RHEL 8 and 9 deployments run firewalld with nftables. Organizations that standardized on RHEL 7 or CentOS 7, which reached end of life in June 2024, face pressure to migrate, and migration to RHEL 8 or 9 means adopting the nftables backend by default.
The Linux security patch cadence is a related driver. As enterprise security teams respond to rising CVE counts — 3,529 Linux kernel CVEs were recorded in 2024 — organizations maintaining RHEL 7 systems past end-of-life face compounding risk. Migration to supported distributions inherently moves those deployments to nftables-backed firewall stacks.
| Enterprise Linux Distribution | Market Share (2025) | Default Firewall Backend | End of Life / Status |
|---|---|---|---|
| RHEL 9 | Leading RHEL segment | firewalld + nftables | Active — 2032 |
| RHEL 8 | Significant RHEL share | firewalld + nftables | Active — 2029 |
| RHEL 7 | Declining | firewalld + iptables | EOL June 2024 |
| Ubuntu 22.04 LTS | 33.9% enterprise Ubuntu | UFW + nftables backend | Active — 2027 |
| Ubuntu 20.04 LTS | Significant Ubuntu share | UFW + nftables backend | Active — 2025 |
| Ubuntu 18.04 LTS | Legacy/declining | UFW + iptables | EOL April 2023 |
| Debian 12 (Bookworm) | Active Debian installs | nftables | Active |
Source: Red Hat Product Life Cycles; Canonical Ubuntu Release Schedule; Debian Wiki
firewalld Usage Statistics and Its Role in the Transition
firewalld occupies a distinct position in this picture: it is a management frontend, not a firewall engine. It translates zone-based policy commands into nftables rules on RHEL 8+ and Fedora 32+, or into iptables rules on older systems. The enterprise Linux installed base is heavily RHEL-centric — 72.6% of Fortune 500 companies run mission-critical workloads on Linux as of 2025, and RHEL leads that market with 43.1% share. That makes firewalld the dominant management interface for a large share of enterprise Linux firewall configurations, even as nftables handles the actual packet processing underneath it.
Firewalld upstream adopted nftables as the default backend before either RHEL or Fedora made the switch in their distributions. The Fedora Project Wiki notes that firewalld upstream had already been shipping nftables as the default for two minor releases before Fedora 32 aligned with that change in 2020. This upstream-first adoption pattern means firewalld users on current distributions are running nftables whether they know it or not.
| Management Frontend | Primary Distribution | Backend in Current Releases | Typical User Profile |
|---|---|---|---|
| firewalld | RHEL, Fedora, CentOS Stream | nftables (RHEL 8+ / Fedora 32+) | Enterprise, server admins |
| UFW | Ubuntu, Debian | nftables backend (Ubuntu 20.10+) | Desktop, VPS, small servers |
| nftables (direct) | Debian, Arch, Alpine | nftables | Advanced admins, DevOps |
| iptables (direct) | Legacy RHEL 7, Ubuntu 18.04 | iptables-legacy | Legacy systems, older scripts |
Source: Fedora Project Wiki; Red Hat Documentation; Ubuntu Security Documentation; Debian Wiki
Linux Firewall Adoption in Cloud and Container Environments
Cloud and container workloads represent an area where nftables adoption has accelerated independently of distribution defaults. Kubernetes production deployment reached 80% in 2024, up from 66% in 2023, and Linux powers 78% of all Kubernetes clusters globally. SafeIT Experts noted massive nftables adoption in Kubernetes and cloud-native environments in 2025 specifically. This reflects both the distribution shift and active engineering work to support nftables in container networking tools.
Docker historically injected its own iptables rules, which created compatibility friction when firewalld switched to the nftables backend. The Fedora Project’s change documentation from the Fedora 32 cycle explicitly listed this Docker-firewalld interaction as a known issue requiring resolution. By 2025, the ecosystem had largely adapted — both Docker and Kubernetes tooling had updated their Netfilter integration to handle nftables backends.
Source: Command Linux — Linux Container & Kubernetes Adoption Statistics; SafeIT Experts Firewall Effectiveness Comparison 2025
iptables in Legacy and Ongoing Deployments
Despite the distribution-level shift to nftables, iptables remains in active use across a significant portion of the Linux server fleet. Systems that have not been upgraded from RHEL 7, CentOS 7, Ubuntu 18.04 LTS, or older Debian releases continue running iptables. Additionally, many long-running servers carry firewall configurations that were written as iptables scripts — these frequently remain in place even after an OS upgrade, particularly when the administrator uses the iptables-nft compatibility layer that accepts iptables syntax while routing rules to the nftables kernel engine.
The iptables-translate tool, which converts iptables rules to nftables syntax, has helped reduce migration friction. Still, industry commentary from TuxCare, Zenarmor, and linuxmind.dev consistently notes that iptables “remains prevalent” and that administrators should expect to encounter iptables-protected systems for years ahead. The Netfilter Project’s maintenance-mode designation does not mean iptables stops functioning — it means new feature development has moved to nftables while iptables receives only security and stability fixes.
| Deployment Context | Likely Firewall Tool | Notes |
|---|---|---|
| New server on RHEL 8+ / 9 | firewalld + nftables | Default out of box |
| New Ubuntu 22.04 / 24.04 server | UFW + nftables backend | nftables backend automatic |
| Existing RHEL 7 / CentOS 7 server | firewalld + iptables | EOL June 2024, migration pending |
| Legacy VPS with manual iptables rules | iptables (legacy or nft shim) | Common on older hosting setups |
| Kubernetes node (modern cluster) | nftables (via kube-proxy or CNI) | Ecosystem updated for nftables |
| Embedded / IoT Linux | iptables or nftables (varies) | Depends on vendor kernel and distro |
Source: Red Hat Product Life Cycles; Canonical; Fedora Project Wiki; Netfilter Project
Linux Firewall Security: nftables vs iptables CVE Comparison
Security posture is one factor driving migration from iptables to nftables. SafeIT Experts’ October 2025 firewall effectiveness analysis found no major CVE against nftables at the time of review, while other firewall solutions carried active CVEs requiring urgent patching. The cleaner architecture of nftables — a virtual machine that executes compiled bytecode rather than iptables’ protocol-specific code duplicated across IPv4, IPv6, ARP, and Ethernet bridging — reduces the attack surface from code duplication. The Linux malware and vulnerability data for 2026 reinforces the importance of keeping firewall stacks on maintained codebases: brute-force attacks represent 89% of endpoint behaviors on Linux systems, making properly configured firewalls a critical first line of defense.
The Linux encryption adoption statistics tell a parallel story — administrators applying security hardening in one area (encryption) increasingly pair it with updated firewall infrastructure. Organizations that have migrated to RHEL 8+, Ubuntu 20.04+, or Debian 10+ gain nftables as a side effect of staying on supported distributions, without requiring a separate firewall migration decision.
FAQs
Is iptables still supported in 2026?
Yes, iptables is still functional in 2026 and remains widely deployed on legacy systems. The Netfilter Project has placed it in legacy maintenance mode, meaning it receives security fixes but no new features. New deployments should use nftables.
Does firewalld use iptables or nftables?
On RHEL 8+, Fedora 32+, and other current distributions, firewalld uses nftables as its backend. On RHEL 7 and older systems, it uses iptables. Administrators can verify by checking FirewallBackend in /etc/firewalld/firewalld.conf.
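The FirewallBackend check above, combined with the iptables-nft versus iptables-legacy distinction described earlier, can be scripted as follows. This is an added example, not part of the original article: the function names are hypothetical, the sample inputs are constructed, and it assumes the `(nf_tables)` / `(legacy)` suffix that iptables 1.8+ prints in its version string.

```shell
#!/bin/sh
# Added example (not from the original article). Sample inputs are constructed.

# iptables_variant VERSION_STRING: classify the output of `iptables -V`.
# iptables 1.8+ prints "(nf_tables)" or "(legacy)"; a version string with
# no suffix is treated here as the legacy binary.
iptables_variant() {
    case "$1" in
        *"(nf_tables)"*) echo "iptables-nft" ;;
        *"(legacy)"*)    echo "iptables-legacy" ;;
        "iptables v"*)   echo "iptables-legacy" ;;
        *)               echo "unknown" ;;
    esac
}

# firewalld_backend CONF_PATH: read FirewallBackend from a firewalld.conf.
# Commented-out lines are ignored; differing duplicate values are reported
# as "conflict" rather than guessing which one the daemon honours.
firewalld_backend() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    values=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z][A-Za-z]*\).*$/\1/p' "$1" | sort -u)
    case $(printf '%s\n' "$values" | grep -c . || true) in
        0) echo "unset" ;;
        1) echo "$values" ;;
        *) echo "conflict" ;;
    esac
}

# kernel_engine BACKEND VARIANT: which engine ends up evaluating packets.
# BACKEND is firewalld_backend's result, or "none" on a host without firewalld.
kernel_engine() {
    case "$1:$2" in
        nftables:*)                                    echo "nftables" ;;
        iptables:iptables-nft|none:iptables-nft)       echo "nftables via iptables-nft" ;;
        iptables:iptables-legacy|none:iptables-legacy) echo "iptables-legacy" ;;
        *)                                             echo "undetermined" ;;
    esac
}

# Constructed sample: firewalld.conf pinned to iptables on an iptables-nft host.
sample=$(mktemp)
printf '# FirewallBackend=nftables\nFirewallBackend=iptables\n' > "$sample"
kernel_engine "$(firewalld_backend "$sample")" \
              "$(iptables_variant 'iptables v1.8.7 (nf_tables)')"
rm -f "$sample"
```

On a live host, pass `"$(iptables -V)"` and `/etc/firewalld/firewalld.conf` instead of the constructed sample. An `undetermined` result (an unset, conflicting, or unreadable setting) means the configuration needs a manual look.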
Which Linux distributions still use iptables by default in 2026?
Systems still running RHEL 7, CentOS 7, Ubuntu 18.04 LTS, or Debian 9 and earlier use iptables by default. All of these distributions have reached end of life. Supported distributions released after 2019 default to nftables.
What is the difference between nftables and firewalld?
nftables is the kernel-level packet filtering framework. firewalld is a management frontend that translates zone and service rules into nftables (or iptables) commands. They operate at different layers — firewalld configures nftables, not the other way around.
How widespread is nftables adoption in 2026?
nftables is the default firewall backend on all major Linux distributions released since 2019–2020. It dominates new deployments, cloud instances, and Kubernetes environments. Legacy servers running pre-2019 distributions remain the primary source of active iptables usage.