Introduction
As modern Linux distributions move from iptables to nftables, compatibility issues are surfacing, particularly on hosts that use iptables-nft, the translation layer between the old iptables syntax and nftables. If you’re running AlmaLinux 9 or CloudLinux 9 and have followed the steps to install iptables on AlmaLinux 9, you may find that the nftables service fails to start. The failure typically shows the following error:
Error: unsupported xtables compat expression, use iptables-nft with this ruleset
This error stops the nftables service from loading the saved ruleset, so the rules stored in its configuration file are not applied at boot and the server runs without them until the problem is addressed.

Many system administrators still rely on tools like CSF (ConfigServer Security & Firewall) and Imunify360 for firewall management. These tools often use traditional iptables syntax, which is then converted into nftables format by the iptables-nft package.
While this translation works in memory, problems arise when the converted rules are saved to a file and later reloaded by the nftables service. Some rules, namely those that iptables-nft can only express as xtables compatibility expressions, are written out by nft but cannot be parsed back from a configuration file.
As a result, the nftables service fails to start with the error shown above.
Impacted Systems
This issue has been observed on systems that meet the following conditions:
- Running AlmaLinux 9 or CloudLinux 9
- Using iptables-nft
- Relying on third-party firewalls such as:
  - Imunify360
  - CSF (ConfigServer Security & Firewall)
Workaround: Rebuild a Minimal NFTables Configuration
To resolve the issue and allow the nftables service to start properly, the recommended approach is to rebuild a minimal configuration that excludes problematic rules. Third-party firewalls will restore their own rules when restarted.
Here’s a step-by-step guide to perform this fix:
Step-by-Step Instructions
1. Stop External Firewall Services
Before modifying the firewall, stop any external services that may inject rules.
- If you’re using Imunify360:
systemctl stop imunify360
- If you’re using CSF:
csf -x
2. Backup Existing nftables Configuration
Move the existing configuration file to avoid overwriting or losing custom rules.
mv /etc/sysconfig/nftables.conf /etc/sysconfig/nftables.conf.back
3. Flush Existing Firewall Rules
Clear all active nftables rules from memory. The host has no firewall rules between this step and the next one, so run the two back to back.
nft flush ruleset
4. Rebuild Default cPanel Firewall Rules
Use cPanel’s built-in script to regenerate a minimal, compatible rule set.
/scripts/configure_firewall_for_cpanel
5. Save Current Rules to Configuration File
Export the active ruleset to the default configuration file used by the nftables service.
nft list ruleset > /etc/sysconfig/nftables.conf
6. Restart External Firewall Services
Once the minimal nftables configuration is saved, restart your third-party firewalls.
- For Imunify360:
systemctl restart imunify360
- For CSF:
csf -e
This solution ensures that nftables starts properly by keeping incompatible rules out of the saved configuration. Once restarted, third-party firewalls like CSF and Imunify360 automatically restore their own rules. It’s not necessary to include every firewall rule in the nftables.conf file; only the critical rules needed for cPanel operations should be saved there.
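Before restarting the nftables service, it is worth checking the saved file for the rules that step 5 must not capture. The script below is an added example, not part of the original article or of any of the tools it names; it assumes that `nft list ruleset` prints iptables-nft compat rules as `xt match "..."` / `xt target "..."` tokens (the tokens that trigger the error above) and works on a constructed sample ruleset.

```shell
# Added example, not from the original article: a pre-flight check for the saved
# ruleset before the nftables service reloads it. Assumption: rules iptables-nft
# can only express through xtables compat are printed by `nft list ruleset` as
# `xt match "<module>"` / `xt target "<MODULE>"`, the tokens that trigger the error.
XT_PATTERN='xt (match|target) "'

# Print each offending rule with its line number in the file.
list_xt_compat() {
    grep -nE "$XT_PATTERN" "$1"
}
# Number of rule lines that would fail to reload (0 for a clean file).
count_xt_compat() {
    grep -cE "$XT_PATTERN" "$1" || true
}
# Distinct xtables modules in use; these rules belong to CSF/Imunify360, which
# restore them on restart, so they do not need to live in nftables.conf.
compat_modules() {
    grep -oE "${XT_PATTERN}[^\"]+\"" "$1" | sort -u
}
# 0 when the file can be handed to `nft -f` as-is, 1 when it must be rebuilt.
# On a real host, `nft -c -f FILE` is the authoritative parse-only check.
is_reload_safe() {
    [ -r "$1" ] || return 1
    ! grep -qE "$XT_PATTERN" "$1"
}

# Constructed demo input (module names illustrative): nftables.conf as it can
# look after third-party firewall rules were saved with `nft list ruleset`.
DEMO=$(mktemp)
cat >"$DEMO" <<'EOF'
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
        tcp dport { 22, 80, 443 } accept
        meta l4proto tcp xt match "multiport" accept
        xt match "recent" counter packets 0 bytes 0 drop
        xt target "SET"
    }
}
EOF
if is_reload_safe "$DEMO"; then
    echo "ok: no xtables compat expressions in $DEMO"
else
    echo "$(count_xt_compat "$DEMO") rule(s) will not reload; rebuild the file:"
    list_xt_compat "$DEMO"
    compat_modules "$DEMO"
fi
```

Point the functions at /etc/sysconfig/nftables.conf after step 5; a non-zero count means a third-party rule slipped into the file and the minimal rebuild has to be repeated with that firewall stopped.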
Conclusion
As server environments continue migrating to modern firewall backends like nftables, issues like these are bound to arise. By following the steps above, you can restore functionality and ensure your firewall rules are loaded correctly during system startup.
If you’re still facing issues after trying these steps to resolve nftables loading errors, our experts can help. Skynats offers Linux Server Management services and Server Management services to handle complex configurations and firewall issues with ease. Contact us today for professional assistance to install iptables on AlmaLinux 9 and ensure your server runs securely and efficiently.