{"slug":"tailscale-netfilter-modes","title":"Tailscale netfilter modes","tags":["tailscale"],"agent_summary":"Last validated: Dec 29, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Tailscale netfilter modes\r\n\r\nLast validated: Dec 29, 2025\r\n\r\nThis topic applies only to Linux devices running Tailscale.\r\n\r\n[Netfilter](https://www.netfilter.org/documentation/) is a framework built into the Linux kernel that provides hooks at key points in the networking stack that let you inspect, modify, drop, and redirect packets as they flow through the system. It's the underlying engine for firewall tools like [iptables](https://netfilter.org/projects/iptables/) and [nftables](https://wiki.nftables.org/wiki-nftables/index.php). By default, when you install Tailscale on a Linux device, Tailscale creates its own firewall rules and configures them to be evaluated automatically. This approach lets Tailscale manage its required rules while preserving your ability to add custom rules when needed.\r\n\r\nThis default configuration (`on` mode) works for most deployments, but there are other Tailscale netfilter modes, including `nodivert` and `off`. You might consider using another mode and customizing Tailscale's netfilter behavior in the following scenarios:\r\n\r\n- You need exceptions to Tailscale's [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) traffic filtering. For example, you might need exceptions when other software conflicts with Tailscale's automatic rule management.\r\n- You need to prevent [`tailscaled`](https://tailscale.com/docs/reference/tailscaled) from periodically repositioning its rules to ensure they're evaluated first.\r\n- You need other firewall rules evaluated before Tailscale's rules.\r\n\r\nYou can customize how Tailscale integrates with netfilter by setting the netfilter mode. There are several places where you can configure netfilter mode in Tailscale including the `tailscaled` configuration file's `netfilterMode` option and the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli)`--netfilter-mode` flag (which applies to `tailscale up`, `tailscale login`, and `tailscale set`).\r\n\r\n## [Netfilter mode options](https://tailscale.com/docs/reference/netfilter-modes\\#netfilter-mode-options)\r\n\r\nTailscale has three netfilter mode options: `on`, `nodivert`, and `off`. These values are the same for the Tailscale CLI flag (`--netfilter-mode`) and the Tailscale daemon configuration file value (`netfilterMode`).\r\n\r\n| Mode | Description |\r\n| --- | --- |\r\n| [`on`](https://tailscale.com/docs/reference/netfilter-modes#on) | (Default) Tailscale creates its firewall rules and ensures they're evaluated for relevant traffic. |\r\n| [`nodivert`](https://tailscale.com/docs/reference/netfilter-modes#nodivert) | Tailscale creates its firewall rules but does not activate them. Traffic does not automatically flow through Tailscale's rules. |\r\n| [`off`](https://tailscale.com/docs/reference/netfilter-modes#off) | Tailscale does not create or manage any firewall rules. You must write all required rules yourself. |\r\n\r\n### [`on`](https://tailscale.com/docs/reference/netfilter-modes\\#on)\r\n\r\nOn is the default mode. When using `on` mode, Tailscale creates firewall rules and ensures they're evaluated for relevant traffic. How Tailscale integrates depends on which tool is in use:\r\n\r\n- **With iptables**: Tailscale creates custom chains and inserts [jump rules](https://wiki.nftables.org/wiki-nftables/index.php/Jumping_to_chain) at the start of the built-in chains (`INPUT` and `FORWARD` in the `filter` table, `POSTROUTING` in the `nat` table) to direct traffic through its rules.\r\n- **With nftables**: Tailscale creates its own table containing chains that are [registered directly at hooks](https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains) with high priority, ensuring its rules are evaluated early.\r\n\r\nTailscale's rules enforce several security policies:\r\n\r\n- **Accept tailnet traffic**: Traffic arriving through the `tailscale0` interface is accepted.\r\n- **Prevent CGNAT spoofing**: Traffic from the CGNAT range (`100.64.0.0/10`) that does not arrive through the `tailscale0` interface is dropped. This prevents attackers from spoofing [Tailscale IP addresses](https://tailscale.com/docs/concepts/tailscale-ip-addresses) on other interfaces.\r\n- **Accept Tailscale protocol traffic**: UDP traffic on Tailscale's listening port is accepted to maintain connectivity.\r\n- **Enable routing features**: Forwarded traffic is marked and accepted appropriately for [subnet routing](https://tailscale.com/docs/features/subnet-routers) and [exit node](https://tailscale.com/docs/features/exit-nodes) functionality.\r\n\r\nWhen set to `on`, Tailscale periodically verifies its rules remain positioned for early evaluation. If other software changes this, Tailscale restores its configuration.\r\n\r\n### [`nodivert`](https://tailscale.com/docs/reference/netfilter-modes\\#nodivert)\r\n\r\nNo divert (`nodivert`) mode creates Tailscale's firewall rules but does not activate them. The rules exist, but traffic doesn't automatically flow through them.\r\n\r\nHow this works depends on which tool is in use:\r\n\r\n- **With iptables**: Tailscale creates its custom chains but does not insert jump rules into the built-in chains.\r\n- **With nftables**: Tailscale creates its table and chains but does not register them at hooks.\r\n\r\nUse `nodivert` mode when you need to:\r\n\r\n- Control the order of firewall rules so that your custom rules are evaluated before Tailscale's rules.\r\n- Add exceptions to Tailscale's default behavior of dropping [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) traffic that does not pass through the `tailscale0` interface.\r\n- Prevent [`tailscaled`](https://tailscale.com/docs/reference/tailscaled) from periodically repositioning its rules for early evaluation.\r\n\r\nWhen using `nodivert` mode, Tailscale's rules exist but are not referenced. You must manually configure your firewall to direct traffic through Tailscale's rules. With iptables, this means adding jump rules to the built-in chains. With nftables, this means registering Tailscale's chains at the appropriate hooks.\r\n\r\n### [`off`](https://tailscale.com/docs/reference/netfilter-modes\\#off)\r\n\r\nUse the `off` mode to prevent Tailscale from making any changes to netfilter. There's usually not a good reason to set the netfilter mode to `off`. When using this mode, Tailscale makes no changes to `iptables` or `nftables`. You must write all required firewall rules yourself, including the rules that Tailscale would normally create in its chains.\r\n\r\nOnly use `off` mode if you have a specific requirement that `nodivert` cannot address. With netfilter mode set to `off`, you are responsible for:\r\n\r\n- Accepting traffic on the `tailscale0` interface.\r\n- Accepting UDP traffic on Tailscale's listening port.\r\n- Configuring NAT rules for subnet routing and exit node functionality.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Tailscale netfilter modes</h1>\n<p>Last validated: Dec 29, 2025</p>\n<p>This topic applies only to Linux devices running Tailscale.</p>\n<p><a href=\"https://www.netfilter.org/documentation/\">Netfilter</a> is a framework built into the Linux kernel that provides hooks at key points in the networking stack that let you inspect, modify, drop, and redirect packets as they flow through the system. It's the underlying engine for firewall tools like <a href=\"https://netfilter.org/projects/iptables/\">iptables</a> and <a href=\"https://wiki.nftables.org/wiki-nftables/index.php\">nftables</a>. By default, when you install Tailscale on a Linux device, Tailscale creates its own firewall rules and configures them to be evaluated automatically. This approach lets Tailscale manage its required rules while preserving your ability to add custom rules when needed.</p>\n<p>This default configuration (<code>on</code> mode) works for most deployments, but there are other Tailscale netfilter modes, including <code>nodivert</code> and <code>off</code>. You might consider using another mode and customizing Tailscale's netfilter behavior in the following scenarios:</p>\n<ul>\n<li>You need exceptions to Tailscale's <a href=\"https://en.wikipedia.org/wiki/Carrier-grade_NAT\">CGNAT</a> traffic filtering. For example, you might need exceptions when other software conflicts with Tailscale's automatic rule management.</li>\n<li>You need to prevent <a href=\"https://tailscale.com/docs/reference/tailscaled\"><code>tailscaled</code></a> from periodically repositioning its rules to ensure they're evaluated first.</li>\n<li>You need other firewall rules evaluated before Tailscale's rules.</li>\n</ul>\n<p>You can customize how Tailscale integrates with netfilter by setting the netfilter mode. There are several places where you can configure netfilter mode in Tailscale including the <code>tailscaled</code> configuration file's <code>netfilterMode</code> option and the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a><code>--netfilter-mode</code> flag (which applies to <code>tailscale up</code>, <code>tailscale login</code>, and <code>tailscale set</code>).</p>\n<h2><a href=\"https://tailscale.com/docs/reference/netfilter-modes#netfilter-mode-options\">Netfilter mode options</a></h2>\n<p>Tailscale has three netfilter mode options: <code>on</code>, <code>nodivert</code>, and <code>off</code>. These values are the same for the Tailscale CLI flag (<code>--netfilter-mode</code>) and the Tailscale daemon configuration file value (<code>netfilterMode</code>).</p>\n<p>| Mode | Description |\r\n| --- | --- |\r\n| <a href=\"https://tailscale.com/docs/reference/netfilter-modes#on\"><code>on</code></a> | (Default) Tailscale creates its firewall rules and ensures they're evaluated for relevant traffic. |\r\n| <a href=\"https://tailscale.com/docs/reference/netfilter-modes#nodivert\"><code>nodivert</code></a> | Tailscale creates its firewall rules but does not activate them. Traffic does not automatically flow through Tailscale's rules. |\r\n| <a href=\"https://tailscale.com/docs/reference/netfilter-modes#off\"><code>off</code></a> | Tailscale does not create or manage any firewall rules. You must write all required rules yourself. |</p>\n<h3><a href=\"https://tailscale.com/docs/reference/netfilter-modes#on\"><code>on</code></a></h3>\n<p>On is the default mode. When using <code>on</code> mode, Tailscale creates firewall rules and ensures they're evaluated for relevant traffic. How Tailscale integrates depends on which tool is in use:</p>\n<ul>\n<li><strong>With iptables</strong>: Tailscale creates custom chains and inserts <a href=\"https://wiki.nftables.org/wiki-nftables/index.php/Jumping_to_chain\">jump rules</a> at the start of the built-in chains (<code>INPUT</code> and <code>FORWARD</code> in the <code>filter</code> table, <code>POSTROUTING</code> in the <code>nat</code> table) to direct traffic through its rules.</li>\n<li><strong>With nftables</strong>: Tailscale creates its own table containing chains that are <a href=\"https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains\">registered directly at hooks</a> with high priority, ensuring its rules are evaluated early.</li>\n</ul>\n<p>Tailscale's rules enforce several security policies:</p>\n<ul>\n<li><strong>Accept tailnet traffic</strong>: Traffic arriving through the <code>tailscale0</code> interface is accepted.</li>\n<li><strong>Prevent CGNAT spoofing</strong>: Traffic from the CGNAT range (<code>100.64.0.0/10</code>) that does not arrive through the <code>tailscale0</code> interface is dropped. This prevents attackers from spoofing <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP addresses</a> on other interfaces.</li>\n<li><strong>Accept Tailscale protocol traffic</strong>: UDP traffic on Tailscale's listening port is accepted to maintain connectivity.</li>\n<li><strong>Enable routing features</strong>: Forwarded traffic is marked and accepted appropriately for <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routing</a> and <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a> functionality.</li>\n</ul>\n<p>When set to <code>on</code>, Tailscale periodically verifies its rules remain positioned for early evaluation. If other software changes this, Tailscale restores its configuration.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/netfilter-modes#nodivert\"><code>nodivert</code></a></h3>\n<p>No divert (<code>nodivert</code>) mode creates Tailscale's firewall rules but does not activate them. The rules exist, but traffic doesn't automatically flow through them.</p>\n<p>How this works depends on which tool is in use:</p>\n<ul>\n<li><strong>With iptables</strong>: Tailscale creates its custom chains but does not insert jump rules into the built-in chains.</li>\n<li><strong>With nftables</strong>: Tailscale creates its table and chains but does not register them at hooks.</li>\n</ul>\n<p>Use <code>nodivert</code> mode when you need to:</p>\n<ul>\n<li>Control the order of firewall rules so that your custom rules are evaluated before Tailscale's rules.</li>\n<li>Add exceptions to Tailscale's default behavior of dropping <a href=\"https://en.wikipedia.org/wiki/Carrier-grade_NAT\">CGNAT</a> traffic that does not pass through the <code>tailscale0</code> interface.</li>\n<li>Prevent <a href=\"https://tailscale.com/docs/reference/tailscaled\"><code>tailscaled</code></a> from periodically repositioning its rules for early evaluation.</li>\n</ul>\n<p>When using <code>nodivert</code> mode, Tailscale's rules exist but are not referenced. You must manually configure your firewall to direct traffic through Tailscale's rules. With iptables, this means adding jump rules to the built-in chains. With nftables, this means registering Tailscale's chains at the appropriate hooks.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/netfilter-modes#off\"><code>off</code></a></h3>\n<p>Use the <code>off</code> mode to prevent Tailscale from making any changes to netfilter. There's usually not a good reason to set the netfilter mode to <code>off</code>. When using this mode, Tailscale makes no changes to <code>iptables</code> or <code>nftables</code>. You must write all required firewall rules yourself, including the rules that Tailscale would normally create in its chains.</p>\n<p>Only use <code>off</code> mode if you have a specific requirement that <code>nodivert</code> cannot address. With netfilter mode set to <code>off</code>, you are responsible for:</p>\n<ul>\n<li>Accepting traffic on the <code>tailscale0</code> interface.</li>\n<li>Accepting UDP traffic on Tailscale's listening port.</li>\n<li>Configuring NAT rules for subnet routing and exit node functionality.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}