How to prevent iptables and nftables rules from running simultaneously?
Solution 1
For the question per se, these are the last two questions from the original post:
- How can I reliably use nft without iptables rules interference?
- Or should I simply use iptables and remove nft?
this is what the nftables wiki says:
What happens when you mix Iptables and Nftables?
How do they interact?
nft Empty Accept Accept Block Blank
iptables Empty Empty Block Accept Accept
Results Pass Pass Unreachable Unreachable Pass
So one should not worry that some traffic will be allowed because it was allowed in one tool, while forbidden in the other.
As for those iptables rules, as I asked, "after a system reboot iptables chains have some rules, which I didn't set (and I have no idea where they come from)", they turned out to come from the libvirtd.service
, which I disabled, since I don't need it. But it wouldn't have hurt even if I had not.
Solution 2
I'm not sure this is the best way, but to stop iptables from reloading after boot what I did was
rm /etc/sysconfig/iptables-config
rm /etc/sysconfig/ip6tables-config
systemctl disable firewalld
As for your questions at the bottom I haven't personally used nftables but to see if they are in effect at the same time you could set one to, for example drop everything and have the other wide open. Repeat on both sides and if a ping doesn't work either way that would mean they are both active.
The second question I believe is answered from the commands posted. The third question, is kind of opinion based. Do which ever you find is easier to learn and work with.
Related videos on Youtube
Dmitry Koroliov
Updated on September 18, 2022Comments
-
Dmitry Koroliov over 1 year
I'm trying to set up a firewall on my own desktop (currently I'm tinkering with a Fedora 29 virtual machine). I would like to have it on the "deny-everything-by-default" basis. Almost immediately I decided to disable and mask the
firewalld.service
, sincefirewalld
had no way to drop the outgoing packets, except by using the nativeiptables
syntax. So I decided to resort tonftables
, since it's the modern replacement for the former.The problem is that after a system reboot
iptables
chains have some rules, which I didn't set (and I have no idea where they come from). On the other hand# nft list ruleset
returns nothing. So I assume, that rules fromiptables
andnft
will be enabled simultaneously and when I set up somenft
rules, rules fromiptables
, which can appear from "nowhere", will be able to meddle.I tried to remove
iptables
, butdnf
refused to do so and warned thatsystemd
depends on it.So could anyone answer a couple of my questions here, please?
- Do I understand the concepts here correctly (that
iptables
rules and chains are separate fromnft
ones, and that they both are in effect at the same time)? - How can I reliably use
nft
withoutiptables
rules interference? - Or should I simply use
iptables
and removenft
?
- Do I understand the concepts here correctly (that
-
Dmitry Koroliov about 5 yearssorry, but removing the files (I renamed them) didn't work. Default rules reappeared anyway
-
notsoslimshady about 5 yearsOdd, it worked in my Fedora 29 Server VM. Do you have iptables-persistent installed? Try removing that if it exists as well as doing a iptables -F and iptables -X
-
Dmitry Koroliov about 5 yearsno, actually I tried to install
iptables-persistent
but dnf said that nothing matched the name. Then I trieddnf provides iptables-persistent
and found nothing again -
einpoklum over 2 yearsThis is Fedora-only, right?