Iptables File & Directory

[KitchM]

What is the default location for iptables?

[CwF]

Code: Select all

$ locate iptables

[KitchM]

No such thing in Debian. That is unless you install it. But of course it returns nothing. Bummer.

[CwF]

Code: Select all

$  locate iptables
/etc/alternatives/iptables
/etc/alternatives/iptables-restore
/etc/alternatives/iptables-save
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
/usr/bin/iptables-xml
/usr/lib/collectd/iptables.so
/usr/sbin/iptables
/usr/sbin/iptables-apply
/usr/sbin/iptables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save
/usr/sbin/iptables-restore
/usr/sbin/iptables-restore-translate
/usr/sbin/iptables-save
/usr/sbin/iptables-translate
/usr/share/iptables
/usr/share/augeas/lenses/dist/iptables.aug
/usr/share/augeas/lenses/dist/tests/test_iptables.aug
/usr/share/bash-completion/completions/iptables
/usr/share/doc/iptables
/usr/share/doc/collectd-core/examples/iptables
/usr/share/doc/collectd-core/examples/iptables/accounting.sh
/usr/share/doc/iptables/INCOMPATIBILITIES
/usr/share/doc/iptables/NEWS.Debian.gz
/usr/share/doc/iptables/README.Debian
/usr/share/doc/iptables/changelog.Debian.gz
/usr/share/doc/iptables/changelog.gz
/usr/share/doc/iptables/copyright
/usr/share/icons/Numix/16/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/22/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/24/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/32/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/48/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/64/mimetypes/text-x-iptables.svg
/usr/share/iptables/iptables.xslt
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/iptables-apply.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-legacy-restore.8.gz
/usr/share/man/man8/iptables-legacy-save.8.gz
/usr/share/man/man8/iptables-legacy.8.gz
/usr/share/man/man8/iptables-nft-restore.8.gz
/usr/share/man/man8/iptables-nft-save.8.gz
/usr/share/man/man8/iptables-nft.8.gz
/usr/share/man/man8/iptables-restore-translate.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-translate.8.gz
/usr/share/man/man8/iptables.8.gz
/usr/share/mime/text/x-iptables.xml
/var/lib/dpkg/alternatives/iptables
/var/lib/dpkg/info/iptables.list
/var/lib/dpkg/info/iptables.md5sums
/var/lib/dpkg/info/iptables.postinst
/var/lib/dpkg/info/iptables.prerm

[sunrat]

No such thing in Debian. That is unless you install it. But of course it returns nothing. Bummer.

Install mlocate and create the locate database as root with:

Code: Select all

updatedb

Then locate will work. You need to update the database to include new files added since the last update.

[KitchM]

Thank you very much. Its working now.

Now, my initial question should have been more specific. Which of the long list of returned paths point to the one that is running, and is displayed with iptables -L?

[dilberts_left_nut]

None.
It is a volatile structure maintained by the running kernel.

[KitchM]

So this arrangement is held in RAM. What places it there on boot?

[dilberts_left_nut]

Whatever you set up to do that.
By default, nothing.

[KitchM]

No, I'm asking what a person does to accomplish that. Do you mean that there are not iptables or nftables by default?

[reinob]

By default there are no rules, and the default policy is accept.

If you install nftables, it sets up a service that loads the rules from /etc/nftables.conf during boot.
With iptables you can use iptables-persistent, which uses the directory /etc/iptables/.

Nowadays I'd recomment nftables, if you need a firewall at all.

[CwF]

Nowadays I'd recomment nftables, if you need a firewall at all.

The OP already has found out some out-of-repository program was still coded to expect iptables only. Maybe 6 months ago I may have posted a similar finding I haven't revisited, but somewhere in qemu/VMM there is a iptables dependency still in bullseye. Converting to nftables for a test hosed a hypervisor, so iptables is still here for some.

[reinob]

The OP already has found out some out-of-repository program was still coded to expect iptables only. Maybe 6 months ago I may have posted a similar finding I haven't revisited, but somewhere in qemu/VMM there is a iptables dependency still in bullseye. Converting to nftables for a test hosed a hypervisor, so iptables is still here for some.

Yup. Another program that (as far as I can tell) requires iptables is docker. You can tell it not to run iptables, but then you have to take care of the firewalling/forwarding/routing yourself.

[KitchM]

Thank you all for the details for which I was evidently searching.

@reinob, thank you for the specifics. It appears to me that the best way to look at the process is to see that nftables is the newest and best option. That is clearly evident by the order of succession from previous programs.

Within those programs which interface with the tables, some of the best still use iptables. Since nftables will still offer iptables legacy recognition, it would seem that we can go either way to get the same results.

Since the end user needs a GUI to set up the rules as they wish, the selected program must offer the two options, or a blend of the two, as mentioned above.

If anyone needs a justification for that position, while the command line option of programming the rules for iptables is useable, if somewhat oddly laid out, the same cannot be said for nftables. While nftables.conf is somewhat readable, it really needs a translator program for human readability for the average Joe and Josephine.

By the way, what happens when a person uses iptables-persistent and finds the files in /etc/iptables/? How does the system know to look there instead of /etc/nftables.conf?

[KitchM]

Also, to flesh this subject out a little more, does nftables have nftables-persistent by default? (Since it always looks for /etc/nftables.conf.)

[CwF]

From my notes at the time, the config needs transferred.

Code: Select all

iptables-save > ipsave.txt
iptables-restore-translate -f ipsave.txt > ruleset.nft

I'm sure these details need checked and confirmed by someone who successfully migrated - that's not me!

[reinob]

Also, to flesh this subject out a little more, does nftables have nftables-persistent by default? (Since it always looks for /etc/nftables.conf.)

The nftables package includes a systemd service which will load the rules from /etc/nftables.conf.
For iptables you'd need the extra "iptables-persistent" package.

Note also that whether you consider nftables more or less readable than iptables is a matter of preference.
I personally find nftables rulesets much more readable than iptables.
(Obviously, automatically translated iptable rulesets with chains, marks and jumps will probably translate, if at all, into a giant mess.. but for commonplace stuff like "block or allow ports tcp X, Y, Z and udp prots A and B" it's clean enough.)

[KitchM]

Are you implying that nftables does not need nftables-persistent?

[reinob]

I thought it was explicit enough :), but, yes, there is no nftables-persistent, as nftables itself includes the systemd unit to load the rules off /etc/nftables.conf at boot.

[KitchM]

You would be amazed at how many times I have read about nftables-persistent, sometimes within the exact same context as iptables-persistent. Some clown is always providing misinformation in his documents. It is all very confusing.

It is good to have at least one person solidify that point. And it makes a lot of sense. Thank you.