Debian 10 iptables migration

schnappi

Debian 10 iptables migration

#1 Post by schnappi »

Hi,

Used iptables-persistent to keep iptables rules between reboots on Debian 9. Just upgraded to Debian 10. The iptables-persistent ruleset appears to still be working. So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftable(s)?

Head_on_a_Stick

Re: Debian 10 iptables migration

#2 Post by Head_on_a_Stick »

schnappi wrote:So apparently an upgrade from Debian 9 to Debian 10 does NOT automatically move from iptables to nftable(s)?
The backend might be different.

Check

    # update-alternatives --config iptables
https://www.debian.org/releases/buster/ ... l#nftables
deadbang

schnappi

Re: Debian 10 iptables migration

#3 Post by schnappi »

What will running the above code do? Think it is good practice to understand any command that is run.

reinob

Re: Debian 10 iptables migration

#4 Post by reinob »

schnappi wrote:What will running the above code do? Think it is good practice to understand any command that is run.
If you click on the link you'll learn :)

Basically with buster you can have the command "iptables" be an alias for "iptables-legacy", or for "iptables-nft".
With the former you use the x_tables kernel interface and with the latter the (newer) nf_tables.

I have a stretch server which I still have not upgraded to buster, as one of the things I wanted to do before that was to migrate from iptables to (native) nftables. This has taken a bit of work (also had to adapt fail2ban, various ipsets needed to be converted to nft named sets, etc.) but has worked OK.

During the migration I noticed that you could add nft rules even though the iptables rules were active (it was a live server and didn't want to disable iptables until I could reboot). Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow it (didn't test extensively though as I just wanted to replace one with the other as quickly as possible).

Short story: I recommend learning the nftables syntax and using it exclusively. You put your rules in /etc/nftables.conf and apt-get remove iptables* and enjoy a "modern" system :)
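Added example, not reinob's or Debian's code: a read-only audit script for a Debian 10 host that is mid-migration. It classifies the backend from the banner that `iptables -V` prints (the binary that update-alternatives selected), then checks whether rules exist in BOTH the legacy x_tables store and nf_tables at the same time, the "in series" situation described above where a packet must be allowed by both. The sample ruleset at the bottom is constructed; the command names (`iptables-legacy-save`, `nft list ruleset`) are the ones shipped in buster's iptables and nftables packages.

```sh
#!/bin/sh
# Added example, not code from the thread: read-only audit of a Debian 10 host
# moving from iptables to nftables. Reports which backend the iptables binary
# chosen by update-alternatives uses, and whether rules exist in BOTH the
# legacy x_tables store and nf_tables at once (the "in series" case above).
# Classify the backend from the banner `iptables -V` prints, e.g.
# "iptables v1.8.2 (nf_tables)" or "iptables v1.8.2 (legacy)".
iptables_backend() {
    case "$1" in
        *'(nf_tables)'*) echo nf_tables ;;
        *'(legacy)'*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Count rules in an iptables-save style dump: rules are the "-A" lines;
# "*table", ":CHAIN", "COMMIT" and "#" lines are structure, not rules.
count_save_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# True if an `nft list ruleset` dump defines at least one table.
nft_has_tables() {
    printf '%s\n' "$1" | grep -q '^table '
}

# Live check using read-only commands; tools that are missing simply yield 0.
audit_host() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 0; }
    echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    legacy=$(count_save_rules "$(iptables-legacy-save 2>/dev/null)")
    nft_tables=no
    if nft_has_tables "$(nft list ruleset 2>/dev/null)"; then nft_tables=yes; fi
    echo "legacy x_tables rules: $legacy, nf_tables tables present: $nft_tables"
    if [ "$legacy" -gt 0 ] && [ "$nft_tables" = yes ]; then
        echo "WARNING: both rule stores are populated; traffic must be allowed by both"
    fi
}

# Constructed sample of an iptables-persistent /etc/iptables/rules.v4 dump.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
echo "sample ruleset has $(count_save_rules "$SAMPLE_RULES") rules"
audit_host
```

Run it as root to see the legacy store; without root `iptables-legacy-save` and `nft` print nothing and the counts read as 0.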

Head_on_a_Stick

Re: Debian 10 iptables migration

#5 Post by Head_on_a_Stick »

schnappi wrote:Think it is good practice to understand any command that is run.

    man update-alternatives
deadbang

theblueplll

Re: Debian 10 iptables migration

#6 Post by theblueplll »

reinob wrote: Apparently both subsystems work in parallel (or rather, in series), as packets only pass if BOTH iptables and nftables allow it
This explains a problem I was having yesterday.

I would explain it but I don't fully understand what I was doing.

Regardless, it was on a machine I use to learn and experiment with and not my main machine that I use every day.
