Hi,
Used iptables-persistent to keep iptables rules between reboots on Debian 9. Just upgraded to Debian 10. The iptables-persistent ruleset appears to still be working. So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftable(s)?
Debian 10 iptables migration
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Debian 10 iptables migration
schnappi wrote: So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftable(s)?
The backend might be different.
Check
# update-alternatives --config iptables
deadbang
Re: Debian 10 iptables migration
What will running the above code do? Think it is good practice to understand any command that is run.
Re: Debian 10 iptables migration
schnappi wrote: What will running the above code do? Think it is good practice to understand any command that is run.
If you click on the link you'll learn :)
Basically with buster you can have the command "iptables" be an alias for "iptables-legacy", or for "iptables-nft".
With the former you use the x_tables kernel interface and with the latter the (newer) nf_tables.
I have a stretch server which I still have not upgraded to buster, as one of the things I wanted to do before that was to migrate from iptables to (native) nftables. This has taken a bit of work (had also to adapt fail2ban, various ipsets needed to be converted to nft named sets, etc.) but has worked OK.
During the migration I noticed that you could add nft rules even though the iptables rules were active (it was a live server and didn't want to disable iptables until I could reboot). Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow it (didn't test extensively though as I just wanted to replace one with the other as quickly as possible).
Short story: I recommend learning the nftables syntax and using it exclusively. You put your rules in /etc/nftables.conf and apt-get remove iptables* and enjoy a "modern" system :)
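An added example, not from any poster in this thread: a POSIX shell script that reports which backend the "iptables" command resolves to on a buster host and whether rules are loaded in BOTH x_tables (legacy) and nf_tables at once, the in-series state reinob describes where a packet has to be accepted by each ruleset. The two sample dumps are constructed; the --live mode assumes root and the iptables-legacy-save and nft binaries from the buster iptables and nftables packages.

```shell
#!/bin/sh
# Audit a buster host: which backend "iptables" resolves to, and whether
# rules are loaded in BOTH x_tables (legacy) and nf_tables. Sample dumps
# below are constructed; --live queries the running kernel instead.
# Backend from `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)".
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}
# Rule lines ("-A ...") in an iptables-save dump on stdin.
count_save_rules() { grep -c '^-A ' || true; }
# Rule lines in an `nft list ruleset` dump on stdin: lines with a verdict,
# skipping the chain's "policy" line.
count_nft_rules() {
    grep -E '(^|[[:space:]])(accept|drop|reject|jump|return)([[:space:]]|$)' \
        | grep -vc policy || true
}
# "split" = both backends hold rules, so a packet must pass each in turn.
classify_host() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo split
    elif [ "$1" -gt 0 ]; then echo legacy-only
    elif [ "$2" -gt 0 ]; then echo nft-only
    else echo none
    fi
}

# Constructed stand-ins for iptables-legacy-save and nft list ruleset output.
SAMPLE_SAVE='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
SAMPLE_NFT='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        tcp dport 22 accept
    }
}'
if [ "${1:-}" = --live ]; then   # needs root and the buster iptables package
    iptables_backend "$(iptables -V)"
    classify_host "$(iptables-legacy-save 2>/dev/null | count_save_rules)" \
                  "$(nft list ruleset 2>/dev/null | count_nft_rules)"
else
    classify_host "$(printf '%s\n' "$SAMPLE_SAVE" | count_save_rules)" \
                  "$(printf '%s\n' "$SAMPLE_NFT" | count_nft_rules)"
fi
```

Run without arguments it classifies the constructed dumps (both hold rules, so it prints "split"); with --live it reads the real tables, and anything other than nft-only after a migration means the old x_tables rules are still filtering too.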
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 132 times
Re: Debian 10 iptables migration
schnappi wrote: Think it is good practice to understand any command that is run.
man update-alternatives
deadbang
- Posts: 154
- Joined: 2019-04-29 01:17
- Been thanked: 2 times
Re: Debian 10 iptables migration
reinob wrote: Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow it
This explains a problem I was having yesterday.
I would explain it but I don't fully understand what I was doing.
Regardless it was on a machine I use to learn and experiment with and not my main machine that I use everyday.