Warning: iptables-legacy tables present
As the error messages says, it's because the legacy (non-netfilter) iptables subsystem is present. The most common cause is that the iptables-legacy command is called, which loads the legacy modules.
There are 5 modules related to legacy iptables, one for each table. (Note: The module names begin with iptable_, no S here)
iptable_filter
iptable_nat
iptable_mangle
iptable_raw
iptable_security
When ANY of them is loaded, iptables-nft decides that the legacy iptables is present, and emits the said warning.
Similarly, there are 5 more modules for legacy IPv6 iptables, each beginning with ip6table_ (no S here, too).
After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.
Note again that using blacklist iptable_filter doesn't work here because this directive only prevents automatic loading, but not manual loading via modprobe(8) or another command. This solution using install <modulename> /bin/false should correctly prevent the module from loading under any circumstances.
Related videos on Youtube
11 : 09
![IPTABLES [PART-1] : "UNDERSTANDING THE CONCEPT"](https://i.ytimg.com/vi/vbhr4csDeI4/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBovKYd5heeT0eQFP4enqBJ_GCa1Q)
07 : 53
09 : 13
31 : 02
10 : 35
Comments
-
iBug over 1 year
I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running
update-alternatives --set iptables /usr/sbin/iptables-nftand rebooting the server. Now all tables shown iniptables-legacy -Sare empty, but when I runiptables -Sthe last line always says:# Warning: iptables-legacy tables present, use iptables-legacy to see themI have since removed
iptables-legacyfrom alternatives using the following command:update-alternatives --remove iptables /usr/sbin/iptables-legacyAnd now only the netfilter version is shown
root@iBug-Server:~# update-alternatives --display iptables iptables - auto mode link best version is /usr/sbin/iptables-nft link currently points to /usr/sbin/iptables-nft link iptables is /usr/sbin/iptables slave iptables-restore is /usr/sbin/iptables-restore slave iptables-save is /usr/sbin/iptables-save /usr/sbin/iptables-nft - priority 20 slave iptables-restore: /usr/sbin/iptables-nft-restore slave iptables-save: /usr/sbin/iptables-nft-saveHow can I get rid of this warning?
-
Doug Smythies over 3 yearsPlease edit your question adding the output forsudo update-alternatives --display iptables. -
iBug over 3 years@DougSmythies Done.
-
Soren A over 3 yearsAs I understaqnd the warning, it says that you have to run
iptables-legacycommand to see what rules are in legacy format. Then you can convert them to netfilter format. -
iBug over 3 years@SorenA My legacy table are all empty, with no rules, no custom chains, and all default chains having policy
ACCEPT -
Doug Smythies over 3 yearsWell, my
--displayoutput is pretty much the same (I seem to have apriority 10area, related toiptables-legacy, which I guess you removed). I run a very complicated iptables rule set and have not seen your warning. Note: my iptables rule set is loaded via bash script, I don't use iptables-persistent or iptables-save. I have another server, but it is still set to legacy.
-
