Debian 10 iptables migration


Postby schnappi » 2019-07-24 16:47

Hi,

I used iptables-persistent to keep iptables rules between reboots on Debian 9. I just upgraded to Debian 10. The iptables-persistent ruleset appears to still be working. So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftables?
schnappi
 

Re: Debian 10 iptables migration

Postby Head_on_a_Stick » 2019-07-24 16:50

schnappi wrote:So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftables?

The backend might be different.

Check
# update-alternatives --config iptables

https://www.debian.org/releases/buster/ ... l#nftables
Head_on_a_Stick
 

Re: Debian 10 iptables migration

Postby schnappi » 2019-07-25 12:38

What will running the above code do? I think it is good practice to understand any command that I run.
schnappi
 

Re: Debian 10 iptables migration

Postby reinob » 2019-07-25 13:29

schnappi wrote:What will running the above code do? I think it is good practice to understand any command that I run.

If you click on the link you'll learn :)

Basically with buster you can have the command "iptables" be an alias for "iptables-legacy", or for "iptables-nft".
With the former you use the x_tables kernel interface and with the latter the (newer) nf_tables.

I have a stretch server which I still have not upgraded to buster, as one of the things I wanted to do before that was to migrate from iptables to (native) nftables. This has taken a bit of work (I also had to adapt fail2ban, various ipsets needed to be converted to nft named sets, etc.) but it has worked OK.

During the migration I noticed that you could add nft rules even though the iptables rules were active (it was a live server and I didn't want to disable iptables until I could reboot). Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow them (I didn't test extensively though, as I just wanted to replace one with the other as quickly as possible).

Short story: I recommend learning the nftables syntax and using it exclusively. You put your rules in /etc/nftables.conf and apt-get remove iptables* and enjoy a "modern" system :)
reinob
 
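
The two points raised above, Head_on_a_Stick's update-alternatives check and reinob's observation that x_tables and nf_tables rules can both be active at once, can be turned into one script that reports the state of a buster host. This is an added example and not code posted in the thread: the helper names, the embedded sample output (constructed to match the format of `update-alternatives --query` and `iptables-save`) and the rule counting are my own, and the live probes assume a Debian host where update-alternatives, iptables-legacy-save, iptables-nft-save and nft may be installed (each probe is skipped when its tool is absent).

```shell
#!/bin/sh
# Added example, not from the thread: show which backend the "iptables"
# command resolves to on Debian buster, and whether rules are loaded in both
# the legacy x_tables backend and nf_tables at the same time.
# Helper names and sample data below are the example author's own.

# Extract the currently selected path (the "Value:" line) from the output of
# `update-alternatives --query iptables`, passed in as $1.
iptables_alternative_value() {
    printf '%s\n' "$1" | sed -n 's/^Value: //p' | head -n 1
}

# Map the selected path to a backend name: nft, legacy or unknown.
backend_from_path() {
    case "$1" in
        */iptables-nft)    echo nft ;;
        */iptables-legacy) echo legacy ;;
        *)                 echo unknown ;;
    esac
}

# Count rule lines ("-A ...") in iptables-save style output passed in as $1.
# Table headers ("*filter") and chain policies (":INPUT DROP") are not rules.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# Constructed sample of `update-alternatives --query iptables` on a host where
# the nft backend is selected (the format, not captured from a real machine).
SAMPLE_QUERY='Name: iptables
Link: /usr/sbin/iptables
Slaves:
 iptables-restore /usr/sbin/iptables-restore
 iptables-save /usr/sbin/iptables-save
Status: auto
Best: /usr/sbin/iptables-nft
Value: /usr/sbin/iptables-nft

Alternative: /usr/sbin/iptables-legacy
Priority: 10
Slaves:
 iptables-restore /usr/sbin/iptables-legacy-restore
 iptables-save /usr/sbin/iptables-legacy-save

Alternative: /usr/sbin/iptables-nft
Priority: 20
Slaves:
 iptables-restore /usr/sbin/iptables-nft-restore
 iptables-save /usr/sbin/iptables-nft-save'

# Constructed sample of an iptables-save dump with three rules.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Run the helpers on the constructed samples.
demo() {
    selected=$(iptables_alternative_value "$SAMPLE_QUERY")
    echo "sample: iptables -> $selected ($(backend_from_path "$selected"))"
    echo "sample: $(count_rules "$SAMPLE_DUMP") rules in dump"
}

# Live report for the running host; run as root so the -save tools can read
# the rulesets. Each probe is skipped when its tool is not installed.
report() {
    if command -v update-alternatives >/dev/null 2>&1; then
        query=$(update-alternatives --query iptables 2>/dev/null || true)
        selected=$(iptables_alternative_value "$query")
        echo "iptables -> ${selected:-unregistered} ($(backend_from_path "$selected"))"
    fi
    # Dump each backend separately: if both show rules, packets have to pass
    # both rulesets, which is the mixed state described in the thread.
    for saver in iptables-legacy-save iptables-nft-save; do
        if command -v "$saver" >/dev/null 2>&1; then
            echo "$saver: $(count_rules "$($saver 2>/dev/null)") rules"
        fi
    done
    if command -v nft >/dev/null 2>&1; then
        echo "nft tables: $(nft list tables 2>/dev/null | wc -l)"
    fi
}

demo
report
```

If both of the `-save` counts are non-zero the host is in the in-series state reinob describes, and the ruleset you see with plain `iptables -L` is only the one behind the alternative that `update-alternatives` currently points at.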

Re: Debian 10 iptables migration

Postby Head_on_a_Stick » 2019-07-25 15:43

schnappi wrote:I think it is good practice to understand any command that I run.

man update-alternatives
Head_on_a_Stick
 

Re: Debian 10 iptables migration

Postby theblueplll » 2019-07-25 18:27

reinob wrote: Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow it

This explains a problem I was having yesterday.

I would explain it but I don't fully understand what I was doing.

Regardless it was on a machine I use to learn and experiment with and not my main machine that I use everyday.
theblueplll
 
