How to prevent iptables and nftables rules from running simultaneously?


Solution 1

For the question per se, these are the last two questions from the original post:

  • How can I reliably use nft without iptables rules interference?
  • Or should I simply use iptables and remove nft?

This is what the nftables wiki says:

What happens when you mix Iptables and Nftables?
How do they interact?

nft       Empty     Accept  Accept      Block        Blank
iptables  Empty     Empty   Block       Accept       Accept
Results   Pass      Pass    Unreachable Unreachable  Pass 

So one should not worry that some traffic will be allowed because it was allowed in one tool, while forbidden in the other.

As for those iptables rules, as I asked, "after a system reboot iptables chains have some rules, which I didn't set (and I have no idea where they come from)", they turned out to come from the libvirtd.service, which I disabled, since I don't need it. But it wouldn't have hurt even if I had not.

Solution 2

I'm not sure this is the best way, but to stop iptables from reloading after boot what I did was

  rm /etc/sysconfig/iptables-config
  rm /etc/sysconfig/ip6tables-config
  systemctl disable firewalld

As for your questions at the bottom, I haven't personally used nftables, but to see if they are in effect at the same time you could set one to, for example, drop everything and have the other wide open. Repeat on both sides, and if a ping doesn't work either way, that would mean they are both active.

The second question I believe is answered from the commands posted. The third question is kind of opinion-based. Do whichever you find is easier to learn and work with.
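Solution 1's table says traffic passes only when both tools allow it, and Solution 2 proposes a ping test to find out whether both are active. The following added POSIX shell example (not from the original post or either answer) instead reads the two tools' own dumps and reports which of them actually has active rules; it assumes the text printed by `iptables-save` and `nft list ruleset` as input, and the sample dumps below are constructed.

```shell
# Added example: decide from the dumps of both tools whether iptables and
# nftables rules are active at the same time (then a packet must be accepted
# by BOTH to pass). Inputs are the text of `iptables-save` and
# `nft list ruleset`; on a live system pass "$(iptables-save)" etc.
# iptables-save: ":CHAIN POLICY [pkts:bytes]" lines carry chain policies,
# "-A CHAIN ..." lines are rules. Active = any rule, or a DROP policy.
iptables_active() {
    printf '%s\n' "$1" | awk '
        /^-A /               { rules++ }
        /^:[A-Za-z_-]+ DROP/ { drops++ }
        END { exit !(rules > 0 || drops > 0) }'
}
# nft: only a chain attached to a hook ("type filter hook input ...") sees
# traffic. Active = a hooked chain that has "policy drop" or contains at
# least one rule line besides its type/hook declaration.
nft_active() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*chain /      { inchain = 1; next }
        /^[[:space:]]*}/           { inchain = 0; next }
        inchain && /type .* hook / { hooked++; if (/policy drop/) drops++; next }
        inchain && NF > 0          { rules++ }
        END { exit !(hooked > 0 && (rules > 0 || drops > 0)) }'
}
# Prints one of: both, iptables-only, nft-only, none.
mixed_state() {
    ipt=none; nftv=none
    iptables_active "$1" && ipt=ipt
    nft_active "$2" && nftv=nft
    case "$ipt-$nftv" in
        ipt-nft)  echo both ;;
        ipt-none) echo iptables-only ;;
        none-nft) echo nft-only ;;
        *)        echo none ;;
    esac
}
# Constructed samples: iptables with a rule injected by some service, nft
# with the deny-by-default input chain the asker wanted to build.
IPT_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT'
NFT_SAMPLE='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}'
mixed_state "$IPT_SAMPLE" "$NFT_SAMPLE"   # prints: both
```

Caveat: when the iptables binary uses the nf_tables backend (shown by `iptables -V`), its chains also appear in `nft list ruleset` as tables such as `table ip filter`, so the nft check counts them as well; this example treats the two dumps as independent, which matches the legacy-backend situation described in the question.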


Author: Dmitry Koroliov

Updated on September 18, 2022

Comments

  • Dmitry Koroliov
    Dmitry Koroliov over 1 year

    I'm trying to set up a firewall on my own desktop (currently I'm tinkering with a Fedora 29 virtual machine). I would like to have it on the "deny-everything-by-default" basis. Almost immediately I decided to disable and mask the firewalld.service, since firewalld had no way to drop the outgoing packets, except by using the native iptables syntax. So I decided to resort to nftables, since it's the modern replacement for the former.

    The problem is that after a system reboot iptables chains have some rules, which I didn't set (and I have no idea where they come from). On the other hand # nft list ruleset returns nothing. So I assume, that rules from iptables and nft will be enabled simultaneously and when I set up some nft rules, rules from iptables, which can appear from "nowhere", will be able to meddle.

    I tried to remove iptables, but dnf refused to do so and warned that systemd depends on it.

    So could anyone answer a couple of my questions here, please?

    • Do I understand the concepts here correctly (that iptables rules and chains are separate from nft ones, and that they both are in effect at the same time)?
    • How can I reliably use nft without iptables rules interference?
    • Or should I simply use iptables and remove nft?
  • Dmitry Koroliov
    Dmitry Koroliov about 5 years
    Sorry, but removing the files (I renamed them) didn't work. Default rules reappeared anyway.
  • notsoslimshady
    notsoslimshady about 5 years
    Odd, it worked in my Fedora 29 Server VM. Do you have iptables-persistent installed? Try removing that if it exists, as well as doing an iptables -F and iptables -X.
  • Dmitry Koroliov
    Dmitry Koroliov about 5 years
    No, actually I tried to install iptables-persistent, but dnf said that nothing matched the name. Then I tried dnf provides iptables-persistent and found nothing again.
  • einpoklum
    einpoklum over 2 years
    This is Fedora-only, right?