On Mon, 2020-08-03 at 13:26 +0200, Tito via Dng wrote:
> did you try update-alternatives to set iptables to iptables-legacy
> behaviour. Arno-iptables-firewall and xtables-addons-dkms from
> testing work for me that way.
>

The first machine I updated to Beowulf from Ascii was a clean install (but with a /home partition taken from Ascii) and it came with the iptables translation layer installed, so iptables worked 'out of the box'.

If you check there are symlinks that do this:

/usr/sbin/iptables -> /etc/alternatives/iptables
/etc/alternatives/iptables -> /usr/sbin/iptables-nft
/usr/sbin/iptables-nft -> /usr/sbin/xtables-nft-multi

See the XTABLES-NFT(8) manpage:
https://manpages.debian.org/testing/iptables/xtables-nft.8.en.html

You can check if you are using nft behind iptables by typing:

$ sudo iptables -V
iptables v1.8.2 (nf_tables)

In Beowulf (with a clean install) you are.

The second machine I built as a mail+ntp+dns server and was also a clean install, however with this one I jumped in and installed the nftables .deb (with the described hack to the /etc/init.d/nftables), enabled and started it having configured it in /etc/nftables.conf. The iptables translation symlinks are still there but iptables wasn't configured or used.

Configuring nftables is pretty uncomplicated if your firewall is. Mine looks like this:

/etc/nftables.conf
------------------------------------------------------------
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname lo accept
        ct state established,related accept

        tcp dport ssh ct state new accept
        tcp dport http ct state new accept
        tcp dport https ct state new accept
        tcp dport imap2 ct state new accept
        tcp dport imaps ct state new accept
        tcp dport pop3 ct state new accept
        tcp dport pop3s ct state new accept
        tcp dport submission ct state new accept
        tcp dport smtp ct state new accept
        udp dport ntp ct state new accept
        tcp dport 53 ct state new accept
        udp dport 53 ct state new accept

        # ICMP: errors, pings
        ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable,
            time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept

        # ICMPv6: errors, pings, routing
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

        # Reject other packets
        ip protocol tcp reject with tcp reset
    }
}

include "/etc/nftables/fail2ban.conf"
------------------------------------------------------------

-- 
Marjorie

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
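An added example, not from Marjorie's message or from the nftables project: a small Python audit that parses a ruleset in the same format as the /etc/nftables.conf above and reports the input chain's default policy together with every tcp/udp port it accepts for new connections, which is the quickest way to confirm a host exposes only the services it is meant to. The sample ruleset is constructed from the posted config (shortened, with one port set added), and the parser goes a little beyond the post by handling `{ a, b }` port sets.

```python
import re

# Ruleset constructed for this example from the /etc/nftables.conf quoted in the
# message (shortened; the port set on the http line is added to exercise the parser).
RULESET = """\
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        tcp dport ssh ct state new accept
        tcp dport { http, https } ct state new accept
        udp dport ntp ct state new accept
        tcp dport 53 ct state new accept
        udp dport 53 ct state new accept
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        ip protocol tcp reject with tcp reset
    }
}
"""

# Service names nft resolves through /etc/services; only the ones used in the post.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "imap2": 143, "imaps": 993,
                 "pop3": 110, "pop3s": 995, "submission": 587, "smtp": 25, "ntp": 123}

# A rule that opens a port to new connections: "tcp dport ssh ct state new accept"
# or with a set: "tcp dport { http, https } ct state new accept".
RULE_RE = re.compile(r"^(tcp|udp) dport (\{[^}]*\}|\S+) ct state new accept$")
POLICY_RE = re.compile(r"hook input .*?policy (\w+);")

def audit_input_chain(text):
    """Return (policy, sorted [(proto, port)]) for new-connection accepts in chain input."""
    policy, accepted, in_input = None, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("chain input"):
            in_input = True
        elif in_input and line == "}":
            in_input = False
        if not in_input:
            continue
        if m := POLICY_RE.search(line):
            policy = m.group(1)
        if m := RULE_RE.match(line):
            proto, ports = m.group(1), m.group(2).strip("{} ")
            accepted.update((proto, int(t) if t.isdigit() else SERVICE_PORTS[t])
                            for t in (p.strip() for p in ports.split(",")))
    return policy, sorted(accepted)
```

Rules that do not match the new-connection pattern (loopback, established/related, the ICMP accepts, the final reject) are deliberately left out of the port list, so compare the result against the services the host is supposed to run.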