Thread: iptables and nftables

  1. #1
    Join Date
    Apr 2016
    Location
    Cambridge, UK
    Posts
    256

    iptables and nftables

    Just seen a post where @arvidjaar says that Leap 15.3 has moved firewalld to using nftables as opposed to iptables.

    I am using fail2ban, which uses iptables, alongside firewalld, which now uses nftables (verified by listing the iptables rules), so in theory I may have both iptables and nftables active at the same time. Is this possible? Or has the move to nftables meant that iptables is not active any more?

    If this is the case, can I move firewalld back to using iptables as the backend? The reason for this is that I have customised fail2ban to look up and ban complete subnets that try to get into my mail server.

    Thanks


  2. #2
    Join Date
    Sep 2012
    Posts
    6,835

    Re: iptables and nftables

    Quote Originally Posted by JulinaB View Post
    both iptables and nftables active at the same time. Is this possible?
    It is possible, but a packet must be allowed by both to be accepted for further processing. You can only additionally block something that is allowed by the main firewalld rules; you cannot allow something that is blocked by the main firewalld rules.
    If this is the case can I move firewalld back to using iptables as the backend.
    If this is the question, check /etc/firewalld/firewalld.conf and "man firewalld.conf".

  3. #3
    Join Date
    Apr 2016
    Location
    Cambridge, UK
    Posts
    256

    Re: iptables and nftables

    Quote Originally Posted by arvidjaar View Post
    It is possible, but a packet must be allowed by both to be accepted for further processing. You can only additionally block something that is allowed by the main firewalld rules; you cannot allow something that is blocked by the main firewalld rules.
    OK, that makes perfect sense, and as both are acting to block packet transmission in my case they will work together perfectly.

    Thanks for a nice clear response.

  4. #4
    Join Date
    Apr 2016
    Location
    Cambridge, UK
    Posts
    256

    Re: iptables and nftables

    How can I tell if iptables is active? I tried to get the status of iptables.service but it failed despite being listed at the command prompt:

    Code:
    Cumulus:~ # systemctl status ip
    ip6tables.service  ipmi.service       ipmievd.service    ipsec.service      ipset.service      iptables.service   
    Cumulus:~ # systemctl status iptables.service 
    Unit iptables.service could not be found.
    Cumulus:~ #

  5. #5
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    29,239

    Re: iptables and nftables

    I guess you got that list by using "completion" (hitting TAB).

    I then guess that this depends on a list provided by the designers of the systemctl command and that the list contains all possibilities, even if there is no unit file available.

    As said, just guesses.
    Henk van Velden

  6. #6
    Join Date
    Jan 2018
    Location
    Canada
    Posts
    188

    Re: iptables and nftables

    If I remember correctly, the following command will not work if iptables is not running:

    Code:
    /usr/sbin/iptables -S
    Also, if you are using firewalld I believe you have to select one or the other. I have tried a couple of times to switch to nftables and couldn't get fail2ban to work satisfactorily. There are a few methods found via Google search that show what needs to be done, but none worked for me. Also, docker doesn't work particularly well with nftables, and any containers depending on iptables won't work either.

  7. #7
    Join Date
    Sep 2012
    Posts
    6,835

    Re: iptables and nftables

    Quote Originally Posted by doscott View Post
    If I remember correctly, the following command will not work if iptables is not running:
    Before it goes too far - iptables is a kernel subsystem. It is "running" when the corresponding kernel module is loaded. There is no user space process that needs to be constantly present.
    Code:
    /usr/sbin/iptables -S
    The only case when this command fails is when the ip_tables kernel module could not be loaded, which is rather unlikely. Of course it will also fail if the /usr/sbin/iptables command is not present at all, but that is still rather different from "iptables is not running".

  8. #8
    Join Date
    Jun 2011
    Location
    Germany
    Posts
    466

    Re: iptables and nftables

    Quote Originally Posted by arvidjaar View Post
    Before it goes too far - iptables is a kernel subsystem. It is "running" when the corresponding kernel module is loaded. There is no user space process that needs to be constantly present.

    The only case when this command fails is when the ip_tables kernel module could not be loaded, which is rather unlikely. Of course it will also fail if the /usr/sbin/iptables command is not present at all, but that is still rather different from "iptables is not running".
    In that case, I'd go for
    Code:
    ~> lsmod | grep ip_tables
    But I'm sure JulinaB knows that. FWIW, I don't have iptables running. Still, I get this:
    Code:
    ~ # iptables -S 
    -P INPUT ACCEPT 
    -P FORWARD ACCEPT 
    -P OUTPUT ACCEPT
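    The two checks the thread converges on (post #2: the FirewallBackend setting in /etc/firewalld/firewalld.conf; posts #7 and #8: whether the ip_tables or nf_tables kernel module is loaded, since iptables is a kernel subsystem with no daemon) can be scripted together. The script below is an added example and is not code from any of the posters or from the firewalld project. Its parsing functions take the file or command text as an argument so they can be exercised on constructed samples; run with --live (an argument name chosen here, not a firewalld option) to read the real /etc/firewalld/firewalld.conf and lsmod output on the host. The assumption that a missing FirewallBackend line means nftables follows the default documented in firewalld.conf for firewalld 0.8 and later.

    ```shell
    #!/bin/sh
    # Added example: report which packet-filter backends a host is using.
    # Not part of the forum thread or of firewalld; see the lead-in for assumptions.

    # Print the FirewallBackend value from firewalld.conf text passed as $1.
    # Commented-out lines ("#FirewallBackend=...") are ignored; if no active
    # line is present we assume firewalld's documented default, "nftables".
    firewalld_backend() {
        conf_text="$1"
        val=$(printf '%s\n' "$conf_text" \
            | sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' \
            | tail -n 1)
        printf '%s\n' "${val:-nftables}"
    }

    # Given lsmod output as $1, print which filter subsystems have their
    # kernel module loaded: "ip_tables", "nf_tables", "both" or "none".
    # Module names are the first column of lsmod; matching is exact so that
    # e.g. "nf_tables_set" or "iptable_nat" are not mistaken for the core module.
    loaded_filter_modules() {
        lsmod_text="$1"
        names=$(printf '%s\n' "$lsmod_text" | awk 'NR > 1 { print $1 }')
        ipt=0
        nft=0
        printf '%s\n' "$names" | grep -qx 'ip_tables' && ipt=1
        printf '%s\n' "$names" | grep -qx 'nf_tables' && nft=1
        if [ "$ipt" -eq 1 ] && [ "$nft" -eq 1 ]; then
            echo both
        elif [ "$ipt" -eq 1 ]; then
            echo ip_tables
        elif [ "$nft" -eq 1 ]; then
            echo nf_tables
        else
            echo none
        fi
    }

    # Live report against the running system (needs root for nft/iptables).
    report_live() {
        conf_file=/etc/firewalld/firewalld.conf
        if [ -r "$conf_file" ]; then
            echo "firewalld backend: $(firewalld_backend "$(cat "$conf_file")")"
        else
            echo "firewalld backend: ($conf_file not readable or absent)"
        fi
        if command -v lsmod >/dev/null 2>&1; then
            echo "loaded filter modules: $(loaded_filter_modules "$(lsmod)")"
        fi
        # As post #8 shows, iptables -S answers even with only default policies,
        # so the module check above is the meaningful signal; nft list ruleset
        # shows what nftables (and an nftables-backed firewalld) actually hold.
        command -v nft >/dev/null 2>&1 && nft list ruleset 2>/dev/null | head -n 20
    }

    case "${1:-}" in
        --live) report_live ;;
    esac
    ```

    Note that a loaded ip_tables module with a firewalld backend of nftables is exactly the mixed state the original poster describes: fail2ban's chains live in the iptables ruleset while firewalld's live in nftables, and, as post #2 says, a packet must pass both.
    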

  9. #9
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    4,401

    Re: iptables and nftables

    Quote Originally Posted by JulinaB View Post
    How can I tell if iptables is active?
    “iptables” is processed by the Linux Kernel as a “kworker” task.
    • The parent process is “kthreadd” – process ID ‘2’.

    Use “pstree” to inspect which “kworker” tasks are executing – “pstree 2 -l -p” – or, the equivalent “ps” commands.
    • “top” can also be used to inspect “kworker” tasks.


    AFAICS, “nftables” is different – the “nft list” commands can be used to inspect the current active chains, tables, sets, maps, flowtables and rulesets.
    • “nft monitor” will listen to the current events.
