maximumwarp
Posts: 40
Joined: Thu Oct 10, 2013 8:03 pm

Has iptables been substituted by nftables in Raspbian Buster?

Mon Jul 01, 2019 8:03 am

Hello,
On day one I bought a Pi 4 to use as a home mail and web server. I would like to configure a firewall with iptables, but during some tests I noted that all rules I write in /etc/iptables.firewall.rules are ignored. Is it only my mistake in configuring iptables, or has it been substituted by nftables in the latest Raspbian version (like in Debian 10 Buster)?
It is not hunger but ignorance that kills.

rpdom
Posts: 17416
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Has iptables been substituted by nftables in Raspbian Buster?

Mon Jul 01, 2019 8:56 am

Raspbian Buster, which you are using on the Pi 4B, uses most of the same software as Debian Buster, so that would be a "yes".

Guess I'm going to have to learn how to use nftables now ;)
Unreadable squiggle

liderbug
Posts: 189
Joined: Sat Oct 08, 2011 4:47 pm

Re: Has iptables been substituted by nftables in Raspbian Buster?

Sun Jul 07, 2019 1:55 am

OK, find, grep, cut, etc... the example workstation.nft, and added 8088 and 8081, then:
nft -f /etc/nftables.conf and a reboot

# nft list ruleset | wc
401 2386 16107

# nft list ruleset | grep 8088   (grepping for just ' 80 ' returns the same four lines)
meta l4proto tcp tcp dport 8088 counter packets 18 bytes 1080 accept
meta l4proto udp udp dport 8088 counter packets 0 bytes 0 accept
meta l4proto tcp tcp dport 8088 counter packets 0 bytes 0 accept
meta l4proto udp udp dport 8088 counter packets 0 bytes 0 accept

http://192.168.0.56/

 Apache2 Debian Default Page
This is the default welcome page used to test the correct opera... yada yada yada...

http://192.168.0.56:8088/
This site can’t be reached
192.168.0.56 refused to connect.

My nft looks to be correct (a lot, I know). I'm wondering if this is a firewall issue or something else? Nmap doesn't even show port 80 or 22 although they work: curl to 80 and 22 works, curl to 8088 refuses to connect.
<frustrated>

fruitoftheloom
Posts: 23832
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Has iptables been substituted by nftables in Raspbian Buster?

Sun Jul 07, 2019 5:20 am

Rather than negativity, think outside the box!
RPi 4B 4GB (SSD Boot) RaspiOS64 ARM64
Asus ChromeBox 3 Celeron is my other computer...

DougieLawson
Posts: 39551
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Has iptables been substituted by nftables in Raspbian Buster?

Sun Jul 07, 2019 6:00 am

This is FUD.

iptables and ip6tables are still there, still work and UFW still uses them.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

incognitum
Posts: 503
Joined: Tue Oct 30, 2018 3:34 pm

Re: Has iptables been substituted by nftables in Raspbian Buster?

Sun Jul 07, 2019 9:12 am

DougieLawson wrote:
Sun Jul 07, 2019 6:00 am
iptables and ip6tables are still there
They are now a frontend to nft though.
So better use nft directly.
maximumwarp wrote:
Mon Jul 01, 2019 8:03 am
but during some tests I noted all rules I write in /etc/iptables.firewall.rules are ignored.
If you want any iptables/nft rules loaded on startup, you need to write your own startup script for that.
I don't think it ever loaded anything from a file out of the box.

DougieLawson
Posts: 39551
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Has iptables been substituted by nftables in Raspbian Buster?

Sun Jul 07, 2019 9:21 am

incognitum wrote:
Sun Jul 07, 2019 9:12 am
DougieLawson wrote:
Sun Jul 07, 2019 6:00 am
iptables and ip6tables are still there
They are now a frontend to nft though.
So better use nft directly.
maximumwarp wrote:
Mon Jul 01, 2019 8:03 am
but during some tests I noted all rules I write in /etc/iptables.firewall.rules are ignored.
If you want any iptables/nft rules loaded on startup, you need to write your own startup script for that.
I don't think it ever loaded anything from a file out of the box.
Why change the syntactical pain of a lifetime :mrgreen: :?: I'll stick with iptables (which I drive with fail2ban and ufw because it's so darned ugly).

liderbug
Posts: 189
Joined: Sat Oct 08, 2011 4:47 pm

Re: Has iptables been substituted by nftables in Raspbian Buster?

Tue Jul 09, 2019 12:32 am

> iptables and ufw are still there.
I see that, but I cannot figure out how to open port 22 (or any others). Can someone post a few simple steps on how to open a port on a machine loaded with nftables?
Thanks
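The steps asked for above, and the "load rules at startup" point from incognitum's post, as an added example that is not code from the thread or from Debian: a small POSIX shell helper that writes an nftables ruleset opening the given TCP ports and can parse-check it with nft -c. It assumes Debian Buster's nftables package, whose nftables.service loads /etc/nftables.conf at boot; the function names and the port list are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread: build a minimal nftables ruleset
# that opens a chosen set of TCP ports, for Debian Buster's nftables package
# (its nftables.service applies /etc/nftables.conf at boot once enabled).
# Function names, file path and port list are illustrative assumptions.

# Print an inet ruleset: drop inbound by default, allow loopback, replies to
# our own connections, ICMP/ICMPv6, and the TCP ports given as arguments.
gen_ruleset() {
    for p in "$@"; do                       # accept only real port numbers
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf '#!/usr/sbin/nft -f\nflush ruleset\n\n'
    printf 'table inet filter {\n'
    printf '\tchain input {\n'
    printf '\t\ttype filter hook input priority 0; policy drop;\n'
    printf '\t\tiif lo accept\n'
    printf '\t\tct state established,related accept\n'
    printf '\t\tct state invalid drop\n'
    printf '\t\tip protocol icmp accept\n'
    printf '\t\tip6 nexthdr icmpv6 accept\n'
    for p in "$@"; do                       # one counted accept rule per port
        printf '\t\ttcp dport %s ct state new counter accept\n' "$p"
    done
    printf '\t\tcounter drop\n'             # counts what the policy drops
    printf '\t}\n'
    printf '\tchain forward { type filter hook forward priority 0; policy drop; }\n'
    printf '\tchain output { type filter hook output priority 0; policy accept; }\n'
    printf '}\n'
}

# Write the ruleset to a file; prints the number of port rules written.
write_ruleset() {
    out=$1; shift
    gen_ruleset "$@" > "$out" || return 1
    grep -c 'tcp dport' "$out"
}

# Parse-check a file with nft (-c checks without applying). On the Pi, apply
# it and make it persistent with:
#   write_ruleset /etc/nftables.conf 22 80 8088 && check_ruleset /etc/nftables.conf
#   nft -f /etc/nftables.conf && systemctl enable --now nftables
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    nft -c -f "$1"
}
```

The accept counters in the nft output earlier in the thread show packets for tcp dport 8088 being accepted, so a "refused to connect" there means no service is listening on 8088, which no firewall rule can fix; `nft list ruleset` after applying shows the counters climbing per rule, which is the quickest way to tell a firewall drop from a missing listener.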

liderbug
Posts: 189
Joined: Sat Oct 08, 2011 4:47 pm

Re: Has iptables been substituted by nftables in Raspbian Buster?

Tue Jul 09, 2019 9:09 pm

SOLVED :D :D :D :D

Stumbling around the net I came across this:


dnf remove openssh-clients openssh-server
dnf install openssh-clients openssh-server
systemctl restart sshd
and it's working like it should. So I'm guessing that the Buster image build was created with the firewall enabled in lockdown mode.
