diff --git a/package/gluon-core/Makefile b/package/gluon-core/Makefile
index 93b2d599..2c693298 100644
--- a/package/gluon-core/Makefile
+++ b/package/gluon-core/Makefile
@@ -11,7 +11,7 @@ define Package/gluon-core TITLE:=Base files of Gluon DEPENDS:= \ +gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \ - +luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname + +luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname endef define Package/gluon-core/description
diff --git a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c b/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
index 93940a3c..71d31440 100644
--- a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
+++ b/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
@@ -14,7 +14,7 @@ #define BATCTL_DC "/usr/sbin/batctl dc -H -n" #define BATCTL_TL "/usr/sbin/batctl tl -H -n" -#define EBTABLES "/usr/sbin/ebtables-tiny" +#define EBTABLES "/usr/sbin/ebtables" #define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)]))
diff --git a/package/gluon-ebtables/Makefile b/package/gluon-ebtables/Makefile
index e69a83bf..145b1b26 100644
--- a/package/gluon-ebtables/Makefile
+++ b/package/gluon-ebtables/Makefile
@@ -6,8 +6,7 @@ include ../gluon.mk define Package/gluon-ebtables TITLE:=Ebtables support - DEPENDS:=+gluon-core +ebtables-tiny \ - +kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 + DEPENDS:=+gluon-core +ebtables-nft endef define Package/gluon-ebtables/description
diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
index 60add180..243b8cb5 100755
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
@@ -51,8 +51,8 @@ exec_all() { start() { ( - export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command' - export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -N " .. name .. " -P " .. policy' + export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy' # Contains /var/lib/ebtables/lock for '--concurrent' [ ! -d "/var/lib/ebtables" ] && \
@@ -68,8 +68,8 @@ start() { stop() { ( - export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -D " .. command' - export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name' + export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name' if [ -z "$1" ]; then exec_all '-r'
diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/Makefile b/package/gluon-iptables-clamp-mss-to-pmtu/Makefile
index d5d91443..4a1f334f 100644
--- a/package/gluon-iptables-clamp-mss-to-pmtu/Makefile
+++ b/package/gluon-iptables-clamp-mss-to-pmtu/Makefile
@@ -6,7 +6,6 @@ include ../gluon.mk define Package/$(PKG_NAME) TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96 - DEPENDS:= +ip6tables-zz-legacy endef define Package/$(PKG_NAME)/description
diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules b/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules
deleted file mode 100644
index a61a900d..00000000
--- a/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-*mangle
--A FORWARD -o mesh-vpn+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-COMMIT
diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/nftables-mss.rules b/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/nftables-mss.rules
new file mode 100644
index 00000000..bbc6d21a
--- /dev/null
+++ b/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/nftables-mss.rules
@@ -0,0 +1 @@
+oifname "mesh-vpn*" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu b/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu
index 961a063e..48b24275 100755
--- a/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu
+++ b/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu
@@ -2,9 +2,10 @@ local uci = require('simple-uci').cursor() uci:section('firewall', 'include', 'vpn_clamp_mss', { - family = 'ipv6', - type = 'restore', - path = '/lib/gluon/mesh-vpn/iptables-mss.rules' + type = 'nftables', + position = 'chain-prepend', + chain = 'mangle_forward', + path = '/lib/gluon/mesh-vpn/nftables-mss.rules', }) uci:save('firewall')
diff --git a/package/gluon-mesh-babel/Makefile b/package/gluon-mesh-babel/Makefile
index 239d7132..c3d83196 100644
--- a/package/gluon-mesh-babel/Makefile
+++ b/package/gluon-mesh-babel/Makefile
@@ -9,7 +9,7 @@ include ../gluon.mk define Package/gluon-mesh-babel TITLE:=Babel mesh - DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop + DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall4 +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop PROVIDES:=gluon-mesh-provider endef
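Review bot: The rule added in nftables-mss.rules carries no address-family match, while the iptables-mss.rules include it replaces was loaded with `family = 'ipv6'`; if fw4's `mangle_forward` chain sits in an inet table, as in the stock fw4 ruleset, the clamp now also rewrites the MSS of forwarded IPv4 SYNs leaving through `mesh-vpn*`. If the IPv6-only scope was intended (the package title refers to 64:ff9b::/96), the rule should start with `meta nfproto ipv6`. The `counter` statement is also new compared with the old rule and can be dropped if nothing reads it.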
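Review bot: The `family = 'ipv6'` option written by earlier firmware may survive this upgrade script in 800-iptables-mesh-vpn-clamp-mss-to-pmtu, because the hunk only sets the new keys on `vpn_clamp_mss` and nothing visible removes the old one. Whether `uci:section()` replaces an existing section or merges into it cannot be seen from here; if it merges, the nftables include keeps a stale `family` key from the iptables era. Calling `uci:delete('firewall', 'vpn_clamp_mss')` before `uci:section(...)` would make the result independent of the previous configuration. The same applies to `mesh_vpn_dns` in 500-mesh-vpn, where `family = 'ipv4'` is dropped.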
diff --git a/package/gluon-mesh-batman-adv/Makefile b/package/gluon-mesh-batman-adv/Makefile
index aac41f1b..622f0577 100644
--- a/package/gluon-mesh-batman-adv/Makefile
+++ b/package/gluon-mesh-batman-adv/Makefile
@@ -13,7 +13,7 @@ define Package/gluon-mesh-batman-adv-15
 +libgluonutil \
 +gluon-client-bridge \
 +gluon-ebtables \
- +firewall \
+ +firewall4 \
 +libiwinfo \
 +kmod-dummy \
 +libnl-tiny \
diff --git a/package/gluon-mesh-layer3-common/Makefile b/package/gluon-mesh-layer3-common/Makefile
index 45ad2f57..a41bf84f 100644
--- a/package/gluon-mesh-layer3-common/Makefile
+++ b/package/gluon-mesh-layer3-common/Makefile
@@ -6,7 +6,7 @@ include ../gluon.mk define Package/gluon-mesh-layer3-common TITLE:=Layer3 common files - DEPENDS:=+gluon-core +gluon-mmfd +firewall + DEPENDS:=+gluon-core +gluon-mmfd +firewall4 endef $(eval $(call BuildPackageGluon,gluon-mesh-layer3-common))
diff --git a/package/gluon-mesh-vpn-core/Makefile b/package/gluon-mesh-vpn-core/Makefile
index 2111c7ce..64f0e65b 100644
--- a/package/gluon-mesh-vpn-core/Makefile
+++ b/package/gluon-mesh-vpn-core/Makefile
@@ -6,7 +6,7 @@ include ../gluon.mk define Package/gluon-mesh-vpn-core TITLE:=Basic support for connecting meshes via VPN tunnels - DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables-zz-legacy +iptables-mod-extra +simple-tc + DEPENDS:=+gluon-core +gluon-wan-dnsmasq +simple-tc USERID:=:gluon-mesh-vpn=800 endef
diff --git a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules b/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules
deleted file mode 100644
index 771fb40c..00000000
--- a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-*nat
--I OUTPUT -m owner --gid-owner gluon-mesh-vpn -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
-COMMIT
diff --git a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules b/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules
new file mode 100644
index 00000000..cd26ec31
--- /dev/null
+++ b/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules
@@ -0,0 +1 @@
+meta skgid gluon-mesh-vpn oifname "lo" ip daddr 127.0.0.1 udp dport 53 redirect to 54
diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
index b1495255..0cf971a0 100755
--- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
+++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn
@@ -26,9 +26,10 @@ users.remove_user('gluon-fastd') users.remove_group('gluon-fastd') uci:section('firewall', 'include', 'mesh_vpn_dns', { - type = 'restore', - path = '/lib/gluon/mesh-vpn/iptables.rules', - family = 'ipv4', + type = 'nftables', + path = '/lib/gluon/mesh-vpn/nftables.rules', + position = 'chain-prepend', + chain = 'dstnat', }) uci:save('firewall')
diff --git a/package/gluon-radv-filterd/src/gluon-radv-filterd.c b/package/gluon-radv-filterd/src/gluon-radv-filterd.c
index f9f8fb87..fd77fcea 100644
--- a/package/gluon-radv-filterd/src/gluon-radv-filterd.c
+++ b/package/gluon-radv-filterd/src/gluon-radv-filterd.c
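Review bot: The rule in mesh-vpn/nftables.rules matches on `meta skgid` and `oifname "lo"`, which only carry meaning for locally generated packets, yet 500-mesh-vpn prepends it to the `dstnat` chain. If `dstnat` is hooked at prerouting, as in the stock fw4 ruleset, no output interface exists at that point, so the redirect would presumably never match and DNS queries from the `gluon-mesh-vpn` group would stay on port 53 instead of being sent to port 54. The iptables rule being replaced sat in nat `OUTPUT`, so the nftables version likely needs a chain declared with `type nat hook output`. This is worth confirming on a device by listing the loaded ruleset and checking the rule's packet counter after a lookup made under that group.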
@@ -149,12 +149,12 @@ static void cleanup(void) { if (G.chain) { /* Reset chain to accept everything again */ - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-F", G.chain, NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-F", G.chain, NULL })) DEBUG_MSG("warning: flushing ebtables chain %s failed, not adding a new rule", G.chain); - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-A", G.chain, "-j", "ACCEPT", NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-A", G.chain, "-j", "ACCEPT", NULL })) DEBUG_MSG("warning: adding new rule to ebtables chain %s failed", G.chain); } }
@@ -700,11 +700,11 @@ static void update_ebtables(void) { G.max_tq); G.best_router = router; - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-F", G.chain, NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-F", G.chain, NULL })) error_message(0, 0, "warning: flushing ebtables chain %s failed, not adding a new rule", G.chain); - else if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL })) + else if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL })) error_message(0, 0, "warning: adding new rule to ebtables chain %s failed", G.chain); }
diff --git a/package/gluon-radv-filterd/src/respondd.c b/package/gluon-radv-filterd/src/respondd.c
index 8c2c7eb4..d81c5ca5 100644
--- a/package/gluon-radv-filterd/src/respondd.c
+++ b/package/gluon-radv-filterd/src/respondd.c
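Review bot: All four `fork_execvp_timeout()` calls in `cleanup()` and `update_ebtables()` of gluon-radv-filterd.c pass the bare name `"ebtables"`, so the binary that edits the filter chain is presumably resolved through the daemon's PATH (as the execvp in the helper's name suggests), whereas gluon-arp-limiter.c in this same commit pins `/usr/sbin/ebtables`. The generic name is more likely than `ebtables-tiny` was to be provided by more than one package, so one shared `#define` with the absolute path would keep both daemons on the same tool. The `popen("exec ebtables -L RADV_FILTER", "r")` call in respondd.c has the same PATH dependence. Separately, the first DEBUG_MSG in `cleanup()` says "not adding a new rule" although the second call is a plain `if`, not an `else if`, and still runs. Both function bodies extend beyond their hunks.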
@@ -8,7 +8,7 @@ #include "mac.h" static struct json_object * get_radv_filter() { - FILE *f = popen("exec ebtables-tiny -L RADV_FILTER", "r"); + FILE *f = popen("exec ebtables -L RADV_FILTER", "r"); char *line = NULL; size_t len = 0; struct ether_addr mac = {};
diff --git a/targets/generic b/targets/generic
index 20111220..b9e99568 100644
--- a/targets/generic
+++ b/targets/generic
@@ -97,14 +97,18 @@ packages {
 '-kmod-nft-offload',
 '-libustream-wolfssl',
 '-libwolfssl',
- '-nftables',
 '-odhcpd-ipv6only',
 '-ppp',
 '-ppp-mod-pppoe',
 '-wpad-mini',
 '-wpad-basic',
 '-wpad-basic-wolfssl',
- '-firewall4',
 'gluon-core',
- 'ip6tables-zz-legacy',
+ '-iptables',
+ '-nftables',
+ 'nftables-json',
+ '-xtables-legacy',
+ 'ip6tables-nft',
+ 'iptables-nft',
+ '-kmod-ipt-core',
 }
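Review bot: `get_radv_filter()` in respondd.c reads the text printed by `ebtables -L RADV_FILTER`, and the parsing code lies outside this hunk, so nothing visible shows that it accepts the listing format of the nft-backed ebtables. If the MAC notation or the header lines differ from what ebtables-tiny printed, the function would presumably report no filter rather than fail loudly. A comment above the popen call such as `/* parses 'ebtables -L' text output; re-check when the ebtables implementation changes */` would record that dependency.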
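Review bot: The package list in targets/generic now adds `iptables-nft` and `ip6tables-nft` to every image, although each iptables rule file visible in this commit is deleted in favour of nftables includes. If no remaining package invokes `iptables` or `ip6tables`, leaving both out would save flash and avoid shipping a second front end that can modify the ruleset; if something still needs them, a comment naming that consumer next to the two entries would help. The enclosing `packages { ... }` list starts outside the hunk.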