nft command not found Debian 10 [SOLVED]
I've used simple iptables in the past, and I'm behind on Debian versions.
I have one test machine that was setup a year ago with Debian 9, and that has the "nft" command for nftables, my other machines are either on 6 or 7. I never took the time to dig into nftables and figure things out to move from iptables and start using Debian 9.
That all said, I downloaded Debian 10 and saw it mentioned that nftables was used, etc. But when I type "nft" anything it's always Command Not Found. Instead I type iptables, and then I get stuff...I understand I get that due to some mapping/translation that is going on.
So that leads me to my question...do I need to install the "nft" command on Debian 10? I'm reading through the below page and it keeps using the "nft" commands and examples.
https://wiki.debian.org/nftables
Yet I only get command not found on Debian 10. There is no subfolder for the nftables examples under "/usr/share/doc/nftables/examples/" there is no "nftables" folder. So I'm a bit confused.
On Debian 9, there was "nft" and one could run "nft list ruleset" and get something. On Debian 10 "nft" is command not found, however I can do "iptables -L" or "iptables -S" and get some results...if I run "iptables -V" I get: iptables v1.8.2 (nf_tables)
So I'm confused...in Debian 9 you had "nft" but in 10 you have a translation interface of iptables-nft and you don't have "nft"?
I'm trying to learn nftables, but all the examples I find are all using the "nft" command...and it's not in 10 by default. Do I have to install the "nftables" package? Or is the iptables-nft interface supposed to make life easier to setup your nftables stuff...was the "nft" method more complex?
I just need some simple firewall rules...is that easier when using the new iptables-nft in 10 instead of the actual "nft" command like in 9?
Last edited by scott21 on 2019-07-09 15:19, edited 1 time in total.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: nft command not found Debian 10
Show us exactly how you are running the 'nft' command, use code boxes, and show the complete process you use. Also, what does 'man nft' show? IE:
Code: Select all
$ man nft
If the manual is not there, then you need to install nftables.
For example, but your output may be different:
Code: Select all
garry@debian:~$ nft list ruleset
-bash: nft: command not found
garry@debian:~$ man nft
garry@debian:~$
The manual does show:
nft(8) nft(8)
NAME
nft - Administration tool of the nftables framework for packet filtering and classification
SYNOPSIS
nft [ -nNscae ] [ -I directory ] [ -f filename | -i | cmd ...]
nft -h
nft -v
DESCRIPTION
nft is the command line tool used to set up, maintain and inspect packet filtering and classifiction rules in the Linux kernel, in the nftables framework. The Linux kernel subsystem is known as nf_tables, and 'nf' stands for Netfilter.
----snip---
Notice here, the difference:
And here is the "magick", I do not have any ruleset to show, but the command works just fine:
Code: Select all
garry@debian:~$ su -
Password:
root@debian:~# nft list ruleset
root@debian:~# exit
logout
$
Notice that when I used "su - ", the command is ok, just that since I have no ruleset, nothing shows.
Code: Select all
garry@debian:~$ su
Password:
root@debian:/home/garry# nft list ruleset
bash: nft: command not found
root@debian:/home/garry# exit
exit
garry@debian:~$
When I use "su", it says "command not found", also as a normal user, the command is not available. In any event, to help you we need to see what you actually did, not just some vague verbal description:
Quote:
But when I type "nft" anything it's always Command Not Found. Instead I type iptables, and then I get stuff...I understand I get that due to some mapping/translation that is going on.
Show us your terminal output, where you ran the command, who ran it, and how you ran it, etc.
"What we expect you have already Done"
==========
Old Website
======================
For the Birds
==================
What Does a Parrot Know About PTSD?
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: nft command not found Debian 10
Here I added a ruleset, so now I have one:
Code: Select all
garry@debian:~$ su -
Password:
root@debian:~# nft add table inet filter
root@debian:~# nft list ruleset
table inet filter {
}
root@debian:~# exit
logout
garry@debian:~$
The nft command works fine, as long as the admin uses 'su -' correctly as they should.
I suppose "sudo" should work as well, I do not use it nor have it installed.
Re: nft command not found Debian 10
ok, will try the code box...see if I figure that out correctly.
Code: Select all
fosssc@e-buster:~$ su
Password:
root@e-buster:/# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
root@e-buster:/#
root@e-buster:/# uname -a
Linux e-buster 4.19.0-5-686-pae #1 SMP Debian 4.19.37-5 (2019-06-19) i686 GNU/Linux
root@e-buster:/#
root@e-buster:/# nft list ruleset
bash: nft: command not found
root@e-buster:/#
root@e-buster:/# man nft
No manual entry for nft
root@e-buster:/#
that was with the regular "su", exited back to my regular account, then tried the "su -"
Code: Select all
fosssc@e-buster:~$ su -
Password:
root@e-buster:~# nft list ruleset
-bash: nft: command not found
root@e-buster:~#
my v9 test box...with the regular "su"
Code: Select all
root@www4:/# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.9 (stretch)
Release: 9.9
Codename: stretch
root@www4:/#
root@www4:/# uname -a
Linux www4 4.9.0-7-686-pae #1 SMP Debian 4.9.110-3+deb9u1 (2018-08-03) i686 GNU/Linux
root@www4:/#
root@www4:/# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ct state established,related counter packets 16056925 bytes 8920190494 accept
		icmp type { echo-request} counter packets 26765 bytes 1109291 accept
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
root@www4:/#
root@www4:/# nft -v
nftables v0.7 (Scrooge McDuck)
root@www4:/#
Re: nft command not found Debian 10
debian 10 was a fresh install of the i386 network install iso.
ran the updates, installed vmware tools, set a static ip, disabled ipv6 in sysctl.conf, then installed a couple packages...net-tools, whois, sendmail, and sudo (even though I normally don't use it).
that's why I was baffled when I get command not found when trying anything with "nft"...since it was there in version 9 I thought it would be there in 10 by default.
Re: nft command not found Debian 10
In debian 9, "nft" is located in /usr/sbin/ but it's not there in my install of 10.
Version 9
Code: Select all
root@www4:/# ls /usr/sbin
a2disconf deluser iconvconfig phpenmod service update-default-wordlist
a2dismod dmidecode install-sgmlcatalog phpquery setvesablank update-dictcommon-aspell
a2dissite dpkg-preconfigure invoke-rc.d praliases slapacl update-dictcommon-hunspell
a2enconf dpkg-reconfigure ip6tables-apply purgestat slapadd update-grub
a2enmod e2freefrag iptables-apply pwck slapauth update-grub2
a2ensite e4crypt irqbalance pwconv slapcat update-inetd
a2query e4defrag ispell-autobuildhash pwunconv slapd update-initramfs
accessdb editmap laptop-detect readprofile slapdn update-locale
addgnupghome etrn ldattach remove-default-ispell slapindex update-mime
addgroup fdformat locale-gen remove-default-wordlist slappasswd update-passwd
add-shell filefrag logrotate remove-shell slapschema update-pciids
adduser genl mailstats rmt slaptest update-rc.d
apache2 groupadd makemap rmt-tar smbd update-xmlcatalog
apache2ctl groupdel make-ssl-cert rsyslogd split-logfile upgrade-from-grub-legacy
apachectl groupmems mkinitramfs rtcwake sshd useradd
applygnupgdefaults groupmod mklost+found runq tarcat userdel
arp grpck mksmbpasswd safe_finger tcpd usermod
arpd grpconv mysqld samba tcpdchk validlocale
aspell-autobuildhash grpunconv newaliases samba_dnsupdate tcpdmatch vcstime
biosdecode grub-bios-setup newusers samba_kcc tcptraceroute vigr
check_forensic grub-install nfnl_osf samba_spnupdate tcptraceroute.db vipw
checksendmail grub-macbless nft samba_upgradedns traceroute visudo
chgpasswd grub-mkconfig nmbd select-default-ispell try-from vpddecode
chpasswd grub-mkdevicemap nologin select-default-wordlist tunelp zerofree
chroot grub-probe ownership sendmail tzconfig zic
cpgr grub-reboot pam-auth-update sendmailconfig update-ca-certificates
cppw grub-set-default pam_getenv sendmail-msp update-catalog
cron hoststat pam_timestamp_check sendmail-mta update-default-aspell
delgroup httxt2dbm phpdismod sensible-mda update-default-ispell
root@www4:/#
version 10
Code: Select all
root@e-buster:~# ls /usr/sbin/
aa-remove-unknown dhclient-script grpck iptables-restore-translate poweroff tarcat
aa-status discover grpconv iptables-save praliases tc
aa-teardown discover-modprobe grpunconv iptables-translate purgestat tcptraceroute
accessdb discover-pkginstall grub-bios-setup iptunnel pwck tcptraceroute.db
acpi_available dmidecode grub-install isosize pwconv telinit
addgroup dmsetup grub-macbless ispell-autobuildhash pwunconv tipc
add-shell dmstats grub-mkconfig kbdrate rarp traceroute
adduser dpkg-preconfigure grub-mkdevicemap killall5 raw tune2fs
agetty dpkg-reconfigure grub-probe ldattach readprofile tzconfig
apm_available dumpe2fs grub-reboot ldconfig reboot udevadm
apparmor_parser e2freefrag grub-set-default locale-gen remove-default-ispell unix_chkpwd
apparmor_status e2fsck halt logrotate remove-default-wordlist unix_update
arp e2image hdparm logsave remove-shell update-ca-certificates
arpd e2label hoststat losetup resize2fs update-default-aspell
arptables e2mmpstatus hwclock lsmod rmmod update-default-ispell
arptables-nft e2undo iconvconfig mailstats rmt update-default-wordlist
arptables-nft-restore e4crypt ifconfig makemap rmt-tar update-dictcommon-aspell
arptables-nft-save e4defrag ifdown mii-tool route update-dictcommon-hunspell
arptables-restore ebtables ifquery mke2fs rsyslogd update-grub
arptables-save ebtables-nft ifup mkfs rtacct update-grub2
aspell-autobuildhash ebtables-nft-restore init mkfs.bfs rtcwake update-initramfs
badblocks ebtables-nft-save insmod mkfs.cramfs rtmon update-locale
biosdecode ebtables-restore installkernel mkfs.ext2 runlevel update-mime
blkdeactivate ebtables-save invoke-rc.d mkfs.ext3 runq update-passwd
blkdiscard editmap ip mkfs.ext4 runuser update-pciids
blkid etrn ip6tables mkfs.minix select-default-ispell update-rc.d
blkzone fdformat ip6tables-apply mkhomedir_helper select-default-wordlist upgrade-from-grub-legacy
blockdev fdisk ip6tables-legacy mkinitramfs sendmail useradd
bridge filefrag ip6tables-legacy-restore mklost+found sendmailconfig userdel
capsh findfs ip6tables-legacy-save mkswap sendmail-msp usermod
cfdisk fsck ip6tables-nft modinfo sendmail-mta validlocale
chcpu fsck.cramfs ip6tables-nft-restore modprobe sensible-mda vcstime
checksendmail fsck.ext2 ip6tables-nft-save mount.vmhgfs service vigr
chgpasswd fsck.ext3 ip6tables-restore nameif setcap vipw
chmem fsck.ext4 ip6tables-restore-translate newaliases setvesablank visudo
chpasswd fsck.minix ip6tables-save newusers sfdisk vmtoolsd
chroot fsfreeze ip6tables-translate nfnl_osf shadowconfig vmware-checkvm
cpgr fstab-decode ipmaddr nologin shutdown vmware-namespace-cmd
cppw fstrim iptables on_ac_power slattach vmware-rpctool
cron genl iptables-apply ownership sshd vmware-vmblock-fuse
ctrlaltdel getcap iptables-legacy pam-auth-update start-stop-daemon vpddecode
debugfs getpcaps iptables-legacy-restore pam_getenv sulogin wipefs
delgroup getty iptables-legacy-save pam_tally swaplabel xtables-legacy-multi
deluser groupadd iptables-nft pam_tally2 swapoff xtables-monitor
depmod groupdel iptables-nft-restore pam_timestamp_check swapon xtables-nft-multi
devlink groupmems iptables-nft-save pivot_root switch_root zic
dhclient groupmod iptables-restore plipconfig sysctl zramctl
root@e-buster:~#
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: nft command not found Debian 10
Use some logic, and read my post more carefully:
Code: Select all
root@e-buster:/# man nft
No manual entry for nft
root@e-buster:/#
Indicates "nftables" is not even installed.
So
Code: Select all
fosssc@e-buster:~$ su -
Password:
root@e-buster:~# nft list ruleset
-bash: nft: command not found
root@e-buster:~#
Obviously the command is not found. Try installing "nftables".
Although it should have been installed by default, something is wrong with your install, and you need to install it.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: nft command not found Debian 10
Also this comment indicates the obvious, you do not have it installed. And please stop showing us what your Debian 9 stuff looked like, it is irrelevant and serves only to confuse things.
Quote:
Yet I only get command not found on Debian 10. There is no subfolder for the nftables examples under "/usr/share/doc/nftables/examples/" there is no "nftables" folder. So I'm a bit confused.
Re: nft command not found Debian 10
This is why I asked...because it was in the previous version but not in this new version, at least not with my fresh install. and I did ask that in my original post if nftables was something I had to actually install, vs being in there by default. Thus my confusion about nft not working and there being iptables-nft present in version 10.
Seems that is what I have to do...install the nftables package.
Thanks.
It's now installed and now "nft" gives me output.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: nft command not found Debian 10 [SOLVED]
See https://www.debian.org/releases/buster/ ... l#nftables
It is rather silly to have an iptables frontend for nftables, given that the simpler declarative ruleset is a major advantage of the new framework but a significant proportion of Debian users start frothing at the mouth when confronted with change so the developers have taken the cautious route with this one.
deadbang
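A diagnostic for the two causes of "command not found" seen in this thread: the binary sits in /usr/sbin but that directory is not on PATH (plain "su"), or the nftables package is not installed at all. This is an added example, not code from any poster; the function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify why a command such as nft is "not found".
# why_not_found NAME PATH_VALUE [ROOT]
#   ROOT is a hypothetical prefix so the check can run against a
#   constructed directory tree; leave it empty on a real system.
# Prints one of:
#   found:<path>        NAME is reachable through PATH_VALUE
#   not-in-path:<path>  NAME exists in an sbin directory PATH_VALUE lacks
#   not-installed       NAME is in none of the directories checked
why_not_found() {
    name=$1 root=${3:-}
    # Split PATH_VALUE on ':' without glob expansion.
    old_ifs=$IFS; IFS=:; set -f
    set -- $2
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        if [ -n "$dir" ] && [ -f "$root$dir/$name" ] && [ -x "$root$dir/$name" ]; then
            echo "found:$dir/$name"
            return 0
        fi
    done
    # Admin tools live in the sbin directories, which a plain "su"
    # on Debian 10 does not add to the inherited user PATH.
    for dir in /usr/local/sbin /usr/sbin /sbin; do
        if [ -f "$root$dir/$name" ] && [ -x "$root$dir/$name" ]; then
            echo "not-in-path:$dir/$name"
            return 1
        fi
    done
    echo "not-installed"
    return 2
}

# report COMMAND PACKAGE: run the check for the current shell and,
# when the binary is absent, ask dpkg whether PACKAGE is installed.
report() {
    result=$(why_not_found "$1" "$PATH") || true
    echo "$1: $result"
    case $result in
        not-in-path:*)
            echo "hint: use 'su -' (login shell) or call the full path" ;;
        not-installed)
            if command -v dpkg-query >/dev/null 2>&1; then
                dpkg-query -W -f='${Package} ${Status}\n' "$2" 2>/dev/null ||
                    echo "package $2 is not installed; try: apt install $2"
            fi ;;
    esac
}

# Usage: report nft nftables
```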