Just seen a post where @arvidjaar says that Leap 15.3 has moved firewalld to using nftables as opposed to iptables.
I am using fail2ban which uses iptables alongside firewalld which now uses nftables (verified by listing the iptable rules) so in theory may have both iptables and nftables active at the same time. Is this possible? Or has the move to nftables meant that iptables is not active any more?
If this is the case, can I move firewalld back to using iptables as the backend? The reason for this is that I have customised fail2ban to look up and ban complete subnets that try to get into my mail server.
It is possible, but a packet must be allowed by both to be accepted for further processing. You can only additionally block something that is allowed by the main firewalld rules; you cannot allow something that is blocked by the main firewalld rules.
If this is the case, can I move firewalld back to using iptables as the backend?
If this is the question, check /etc/firewalld/firewalld.conf and “man firewalld.conf”.
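As an added illustration of the firewalld.conf check suggested above (example script, not posted by anyone in this thread): the key in question is FirewallBackend, documented in firewalld.conf(5) with the values nftables and iptables, and firewalld treats an absent key as nftables. The script reads the effective value from a firewalld.conf-style file, rewrites it, and demonstrates both on a constructed excerpt in a temporary file rather than on /etc/firewalld/firewalld.conf.

```shell
#!/bin/sh
# Added example, not from the thread: read and change the FirewallBackend key
# in a firewalld.conf-style file. Assumes the key documented in firewalld.conf(5):
# FirewallBackend=nftables|iptables, with nftables as the default when absent.

# Print the effective backend configured in the file given as $1.
effective_backend() {
    # Take the last uncommented assignment; surrounding whitespace is ignored,
    # and a leading '#' keeps a commented-out line from matching.
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        iptables|nftables) printf '%s\n' "$val" ;;
        '')                printf 'nftables\n' ;;        # key absent: firewalld default
        *)                 printf 'invalid:%s\n' "$val" ;;
    esac
}

# Rewrite the key in file $1 to backend $2 (iptables or nftables), appending it
# if the file has no such key. Refuses anything but the two valid values.
set_backend() {
    case "$2" in iptables|nftables) ;; *) echo "bad backend: $2" >&2; return 1 ;; esac
    if grep -q '^[[:space:]]*FirewallBackend[[:space:]]*=' "$1"; then
        tmp=$(mktemp)
        # Rewrite via a temp file and cat back so the target keeps its inode and mode.
        sed "s/^[[:space:]]*FirewallBackend[[:space:]]*=.*/FirewallBackend=$2/" "$1" > "$tmp" \
            && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf 'FirewallBackend=%s\n' "$2" >> "$1"
    fi
}

# Write a constructed firewalld.conf excerpt (sample data for this example,
# not a real system file) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# firewalld config file (constructed excerpt for this example)
DefaultZone=public
# FirewallBackend=iptables   <- commented out, must be ignored
FirewallBackend=nftables
LogDenied=off
EOF
}

# Stand-alone run: show the configured backend, switch it, show it again.
# On a real host the file is /etc/firewalld/firewalld.conf and the new backend
# is only used after: systemctl restart firewalld
sample=$(mktemp)
write_sample_conf "$sample"
echo "before: $(effective_backend "$sample")"
set_backend "$sample" iptables
echo "after:  $(effective_backend "$sample")"
rm -f "$sample"
```

Switching the backend changes where firewalld writes its own rules; it does not change what the iptables binary itself talks to, so a fail2ban jail using the iptables actions still needs the ip_tables side of the kernel available either way.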
How can I tell if iptables is active? I tried to get the status of iptables.service but it failed despite being listed at the command prompt:
Cumulus:~ # systemctl status ip
ip6tables.service ipmi.service ipmievd.service ipsec.service ipset.service iptables.service
Cumulus:~ # systemctl status iptables.service
Unit iptables.service could not be found.
Cumulus:~ #
I guess you got that list by using “completion” (hitting TAB).
I then guess that this depends on a list provided by the designers of the systemctl command and that the list contains all possibilities, even if there is no unit file available.
If I remember correctly, the following command will not work if iptables is not running:
/usr/sbin/iptables -S
Also, if you are using firewalld I believe you have to select one or the other. I have tried a couple of times to switch to nftables and couldn’t get fail2ban to work satisfactorily. There are a few methods using google search that show what needs to be done, but none worked for me. Also, docker doesn’t particularly work well with nftables and any containers depending on iptables won’t work either.
Before it goes too far: iptables is a kernel subsystem. It is “running” when the corresponding kernel module is loaded. There is no user space process that needs to be constantly present.
/usr/sbin/iptables -S
The only case when this command fails is when ip_tables kernel module could not be loaded which is rather unlikely. Of course it will also fail if /usr/sbin/iptables command is not present at all, but it still is rather different from “iptables is not running”.
“iptables” is processed by the Linux Kernel as a “kworker” task.
The parent process is “kthreadd” – process ID ‘2’.
Use “pstree” to inspect which “kworker” tasks are executing – “pstree 2 -l -p” – or, the equivalent “ps” commands.
“top” can also be used to inspect “kworker” tasks.
AFAICS, “nftables” is different – the “nft list” commands can be used to inspect the current active chains, tables, sets, maps, flowtables and rulesets.
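Tying together the point that iptables is “running” when the ip_tables module is loaded and the suggestion to use “nft list” for the nftables side, here is an added example script (mine, not from anyone in this thread). It reads the /proc/modules format (module name, size, reference count, dependants, state, address) to report whether the ip_tables and nf_tables subsystems are loaded, and optionally runs the live listings. The /proc/modules excerpt it demonstrates on is constructed for the example, not captured from a Leap 15.3 box.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the iptables and nftables
# kernel subsystems are loaded and, when run on a real host, list their rules.
# Assumes the /proc/modules line format: name size refcount deps state address.

# Return 0 if module $1 appears in a /proc/modules-style listing read from
# file $2 (default: /proc/modules). Exact match on the first field, so
# "ip_tables" does not match "ip6_tables" or "iptable_filter".
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "${2:-/proc/modules}"
}

# Summarise the packet-filter subsystems in a /proc/modules-style file $1.
# Prints one line of the form "iptables=<yes|no> nftables=<yes|no>".
filter_subsystems() {
    ip=no; nf=no
    module_loaded ip_tables "$1" && ip=yes
    module_loaded nf_tables "$1" && nf=yes
    printf 'iptables=%s nftables=%s\n' "$ip" "$nf"
}

# Constructed /proc/modules excerpt written to $1 (sample data for this
# example): both ip_tables and nf_tables loaded, as on a host where fail2ban
# uses iptables next to an nftables-backed firewalld.
write_sample_modules() {
    cat > "$1" <<'EOF'
nft_compat 20480 4 - Live 0x0000000000000000
nf_tables 180224 120 nft_compat, Live 0x0000000000000000
iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 36864 1 iptable_filter, Live 0x0000000000000000
x_tables 53248 6 nft_compat,iptable_filter,ip_tables, Live 0x0000000000000000
EOF
}

# Live check for the host this runs on; the rule listings need root and are
# skipped quietly when the tools are absent or unprivileged.
live_check() {
    filter_subsystems /proc/modules
    # "iptables -V" shows which flavour the binary is: "(legacy)" talks to
    # ip_tables, "(nf_tables)" stores its rules in nf_tables despite the CLI name.
    command -v iptables >/dev/null && iptables -V
    command -v iptables >/dev/null && iptables -S 2>/dev/null | head -n 5
    command -v nft >/dev/null && nft list ruleset 2>/dev/null | head -n 20
    return 0
}

sample=$(mktemp)
write_sample_modules "$sample"
echo "sample: $(filter_subsystems "$sample")"
rm -f "$sample"
if [ -r /proc/modules ]; then live_check; fi
```

Two caveats when reading the live output: a kernel with these subsystems built in rather than modular will not list them in /proc/modules at all, in which case “iptables -S” succeeding is the better evidence; and if “iptables -V” reports “(nf_tables)”, then what fail2ban inserts through iptables ends up in the same nf_tables subsystem that “nft list ruleset” shows, so the “both must allow the packet” rule from earlier in the thread still applies but the two rule sets are no longer in separate subsystems.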