Iptables File & Directory
Re: Iptables File & Directory
No such thing in Debian. That is unless you install it. But of course it returns nothing. Bummer.
Re: Iptables File & Directory
$ locate iptables
/etc/alternatives/iptables
/etc/alternatives/iptables-restore
/etc/alternatives/iptables-save
/sbin/iptables
/sbin/iptables-restore
/sbin/iptables-save
/usr/bin/iptables-xml
/usr/lib/collectd/iptables.so
/usr/sbin/iptables
/usr/sbin/iptables-apply
/usr/sbin/iptables-legacy
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-legacy-save
/usr/sbin/iptables-nft
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-nft-save
/usr/sbin/iptables-restore
/usr/sbin/iptables-restore-translate
/usr/sbin/iptables-save
/usr/sbin/iptables-translate
/usr/share/iptables
/usr/share/augeas/lenses/dist/iptables.aug
/usr/share/augeas/lenses/dist/tests/test_iptables.aug
/usr/share/bash-completion/completions/iptables
/usr/share/doc/iptables
/usr/share/doc/collectd-core/examples/iptables
/usr/share/doc/collectd-core/examples/iptables/accounting.sh
/usr/share/doc/iptables/INCOMPATIBILITIES
/usr/share/doc/iptables/NEWS.Debian.gz
/usr/share/doc/iptables/README.Debian
/usr/share/doc/iptables/changelog.Debian.gz
/usr/share/doc/iptables/changelog.gz
/usr/share/doc/iptables/copyright
/usr/share/icons/Numix/16/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/22/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/24/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/32/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/48/mimetypes/text-x-iptables.svg
/usr/share/icons/Numix/64/mimetypes/text-x-iptables.svg
/usr/share/iptables/iptables.xslt
/usr/share/man/man1/iptables-xml.1.gz
/usr/share/man/man8/iptables-apply.8.gz
/usr/share/man/man8/iptables-extensions.8.gz
/usr/share/man/man8/iptables-legacy-restore.8.gz
/usr/share/man/man8/iptables-legacy-save.8.gz
/usr/share/man/man8/iptables-legacy.8.gz
/usr/share/man/man8/iptables-nft-restore.8.gz
/usr/share/man/man8/iptables-nft-save.8.gz
/usr/share/man/man8/iptables-nft.8.gz
/usr/share/man/man8/iptables-restore-translate.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-translate.8.gz
/usr/share/man/man8/iptables.8.gz
/usr/share/mime/text/x-iptables.xml
/var/lib/dpkg/alternatives/iptables
/var/lib/dpkg/info/iptables.list
/var/lib/dpkg/info/iptables.md5sums
/var/lib/dpkg/info/iptables.postinst
/var/lib/dpkg/info/iptables.prerm
- sunrat
Re: Iptables File & Directory
KitchM wrote: No such thing in Debian. That is unless you install it. But of course it returns nothing. Bummer.
Install mlocate and create the locate database as root with:
updatedb
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: Iptables File & Directory
Thank you very much. It's working now.
Now, my initial question should have been more specific. Which of the long list of returned paths point to the one that is running, and is displayed with iptables -L?
- dilberts_left_nut
Re: Iptables File & Directory
None.
It is a volatile structure maintained by the running kernel.
AdrianTM wrote:There's no hacker in my grandma...
- dilberts_left_nut
Re: Iptables File & Directory
Whatever you set up to do that.
By default, nothing.
Re: Iptables File & Directory
No, I'm asking what a person does to accomplish that. Do you mean that there are not iptables or nftables by default?
Re: Iptables File & Directory
By default there are no rules, and the default policy is accept.
If you install nftables, it sets up a service that loads the rules from /etc/nftables.conf during boot.
With iptables you can use iptables-persistent, which uses the directory /etc/iptables/.
Nowadays I'd recommend nftables, if you need a firewall at all.
Re: Iptables File & Directory
reinob wrote: Nowadays I'd recommend nftables, if you need a firewall at all.
The OP already has found out some out-of-repository program was still coded to expect iptables only. Maybe 6 months ago I may have posted a similar finding I haven't revisited, but somewhere in qemu/VMM there is an iptables dependency still in bullseye. Converting to nftables for a test hosed a hypervisor, so iptables is still here for some.
Re: Iptables File & Directory
CwF wrote: The OP already has found out some out-of-repository program was still coded to expect iptables only. Maybe 6 months ago I may have posted a similar finding I haven't revisited, but somewhere in qemu/VMM there is an iptables dependency still in bullseye. Converting to nftables for a test hosed a hypervisor, so iptables is still here for some.
Yup. Another program that (as far as I can tell) requires iptables is docker. You can tell it not to run iptables, but then you have to take care of the firewalling/forwarding/routing yourself.
Re: Iptables File & Directory
Thank you all for the details for which I was evidently searching.
@reinob, thank you for the specifics. It appears to me that the best way to look at the process is to see that nftables is the newest and best option. That is clearly evident by the order of succession from previous programs.
Within those programs which interface with the tables, some of the best still use iptables. Since nftables will still offer iptables legacy recognition, it would seem that we can go either way to get the same results.
Since the end user needs a GUI to set up the rules as they wish, the selected program must offer the two options, or a blend of the two, as mentioned above.
If anyone needs a justification for that position, while the command line option of programming the rules for iptables is useable, if somewhat oddly laid out, the same cannot be said for nftables. While nftables.conf is somewhat readable, it really needs a translator program for human readability for the average Joe and Josephine.
By the way, what happens when a person uses iptables-persistent and finds the files in /etc/iptables/? How does the system know to look there instead of /etc/nftables.conf?
Re: Iptables File & Directory
Also, to flesh this subject out a little more, does nftables have nftables-persistent by default? (Since it always looks for /etc/nftables.conf.)
Re: Iptables File & Directory
From my notes at the time, the config needs transferred.
I'm sure these details need checked and confirmed by someone who successfully migrated - that's not me!
iptables-save > ipsave.txt
iptables-restore-translate -f ipsave.txt > ruleset.nft
Re: Iptables File & Directory
KitchM wrote: Also, to flesh this subject out a little more, does nftables have nftables-persistent by default? (Since it always looks for /etc/nftables.conf.)
The nftables package includes a systemd service which will load the rules from /etc/nftables.conf.
For iptables you'd need the extra "iptables-persistent" package.
Note also that whether you consider nftables more or less readable than iptables is a matter of preference.
I personally find nftables rulesets much more readable than iptables.
(Obviously, automatically translated iptables rulesets with chains, marks and jumps will probably translate, if at all, into a giant mess... but for commonplace stuff like "block or allow ports tcp X, Y, Z and udp ports A and B" it's clean enough.)
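A way to check which of the two persistence mechanisms discussed above will actually load rules at boot, added here as an example and not part of any post in the thread. It assumes the usual Debian layout: the /etc/alternatives/iptables symlink from the locate output, /etc/nftables.conf with nftables.service, and rules.v4 / rules.v6 under /etc/iptables/ loaded by netfilter-persistent.service; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report what would restore firewall rules at boot.
# Each function takes a ROOT (default /) so a mounted image or a
# constructed test tree can be inspected as well as the live system.

# Which backend does the `iptables` command resolve to (Debian alternatives)?
iptables_backend() {
    root=${1:-/}
    link="$root/etc/alternatives/iptables"
    [ -L "$link" ] || { echo none; return; }
    case "$(readlink "$link")" in
        *iptables-nft)    echo nft ;;
        *iptables-legacy) echo legacy ;;
        *)                echo unknown ;;
    esac
}

# Is a unit enabled, i.e. symlinked into some *.wants directory under /etc?
unit_enabled() {
    root=${1:-/}; unit=$2
    for w in "$root"/etc/systemd/system/*.wants/"$unit"; do
        [ -L "$w" ] && return 0
    done
    return 1
}

# Print what loads rules at boot: nftables, iptables-persistent, both, none.
# A rules file without its enabled service counts as "none": the kernel
# then starts with empty tables and policy accept.
boot_ruleset_source() {
    root=${1:-/}
    nft=no; ipt=no
    if [ -s "$root/etc/nftables.conf" ] && unit_enabled "$root" nftables.service; then
        nft=yes
    fi
    if { [ -s "$root/etc/iptables/rules.v4" ] || [ -s "$root/etc/iptables/rules.v6" ]; } \
       && unit_enabled "$root" netfilter-persistent.service; then
        ipt=yes
    fi
    case "$nft$ipt" in
        yesyes) echo both ;;
        yesno)  echo nftables ;;
        noyes)  echo iptables-persistent ;;
        *)      echo none ;;
    esac
}

echo "backend=$(iptables_backend /) boot=$(boot_ruleset_source /)"
```

A result of "both" deserves a closer look, since two services would then each load their own ruleset at boot.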
Re: Iptables File & Directory
You would be amazed at how many times I have read about nftables-persistent, sometimes within the exact same context as iptables-persistent. Some clown is always providing misinformation in his documents. It is all very confusing.
It is good to have at least one person solidify that point. And it makes a lot of sense. Thank you.