On Mon, 2020-08-03 at 13:26 +0200, Tito via Dng wrote:
> did you try update-alternatives to set iptables to iptables-legacy
> behaviour. Arno-iptables-firewall and xtables-addons-dkms from
> testing work for me that way.
>
The first machine I updated to Beowulf from Ascii was a clean install
(but with a /home partition taken from Ascii) and it came with the
iptables translation layer installed, so iptables worked 'out of the
box'.
If you check there are symlinks that do this:
/usr/sbin/iptables -> etc/alternatives/iptables
/etc/alternatives/iptables -> /usr/sbin/iptables-nft
/usr/sbin/iptables-nft -> /usr/sbin/xtables-nft-multi
See the XTABLES-NFT(8) manpage:
https://manpages.debian.org/testing/iptables/xtables-nft.8.en.html
You can check if you are using nft behind iptables by typing:
$sudo iptables -V
iptables v1.8.2 (nf_tables)
In Beowulf (with a clean install) you are.
The second machine I built as a mail+ntp+dns server and was also a
clean install, however with this one I jumped in and installed the
nftables .deb (with the described hack to the
/etc/init.d/nftables), enabled and started it having configured it in
/etc/nftables.conf.
The iptables translation sym links are still there but iptables wasn't
configured or used.
Configuring nftables is pretty uncomplicated if your firewall is.
Mine looks like this:
/etc/nftables.conf
------------------------------------------------------------
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        tcp dport ssh ct state new accept
        tcp dport http ct state new accept
        tcp dport https ct state new accept
        tcp dport imap2 ct state new accept
        tcp dport imaps ct state new accept
        tcp dport pop3 ct state new accept
        tcp dport pop3s ct state new accept
        tcp dport submission ct state new accept
        tcp dport smtp ct state new accept
        udp dport ntp ct state new accept
        tcp dport 53 ct state new accept
        udp dport 53 ct state new accept
        # ICMP: errors, pings
        ip protocol icmp icmp type { echo-request, echo-reply,
            destination-unreachable, time-exceeded, parameter-problem,
            router-solicitation, router-advertisement } accept
        # ICMPv6: errors, pings, routing
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        # Reject other packets
        ip protocol tcp reject with tcp reset
    }
}
include "/etc/nftables/fail2ban.conf"
------------------------------------------------------------
--
Marjorie
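The two checks in the mail above (follow the update-alternatives symlink chain, and read the backend name out of `iptables -V`) as a small POSIX shell script. This is an added example, not part of Marjorie's message or of the Devuan packaging; it builds a throwaway copy of the symlink chain under a temporary directory (constructed, so it runs without root and without touching /usr/sbin) and classifies both the resolved target and a version string. The function names `iptables_backend`, `resolve_chain` and `demo_chain` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original mail: find out which iptables
# backend a Beowulf box is really using, from two independent signals.

# 1. Classify the output of `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)".
#    Prints nft, legacy or unknown.
iptables_backend() {
  case "$1" in
    *"(nf_tables)"*) echo nft ;;
    *"(legacy)"*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# 2. Walk a symlink chain one hop at a time (as update-alternatives lays
#    it out), printing each hop on stderr and the final target on stdout.
#    Relative link targets are resolved against the directory of the link.
resolve_chain() {
  p="$1"
  while [ -L "$p" ]; do
    t=$(readlink "$p")
    case "$t" in
      /*) ;;
      *)  t="$(dirname "$p")/$t" ;;
    esac
    echo "$p -> $t" >&2
    p="$t"
  done
  echo "$p"
}

# Map the multi-call binary name at the end of the chain to a backend.
backend_from_target() {
  case "$(basename "$1")" in
    xtables-nft-multi)    echo nft ;;
    xtables-legacy-multi) echo legacy ;;
    *)                    echo unknown ;;
  esac
}

# Constructed copy of the chain from the mail, under a temp dir:
#   usr/sbin/iptables -> etc/alternatives/iptables -> usr/sbin/iptables-nft
#   -> usr/sbin/xtables-nft-multi
# Prints the resolved final path, then removes the temp dir.
demo_chain() {
  d=$(mktemp -d)
  mkdir -p "$d/usr/sbin" "$d/etc/alternatives"
  : > "$d/usr/sbin/xtables-nft-multi"   # stands in for the real binary
  ln -s xtables-nft-multi "$d/usr/sbin/iptables-nft"
  ln -s ../../usr/sbin/iptables-nft "$d/etc/alternatives/iptables"
  ln -s ../../etc/alternatives/iptables "$d/usr/sbin/iptables"
  resolve_chain "$d/usr/sbin/iptables"
  rm -rf "$d"
}

# Usage on a real system would be:
#   iptables_backend "$(iptables -V)"
#   backend_from_target "$(resolve_chain /usr/sbin/iptables)"
```

If the two answers disagree (for instance `iptables -V` says nf_tables but the resolved binary is the legacy one because a package shipped its own /usr/sbin/iptables), the alternatives database and the installed files are out of step, which is exactly the situation that makes iptables rules land in a ruleset nft does not show.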