:: Re: [DNG] my experience upgrading t…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Marjorie Roome
Date:  
À: dng
Sujet: Re: [DNG] my experience upgrading to NFT
On Mon, 2020-08-03 at 13:26 +0200, Tito via Dng wrote:
> did you try update-alternatives to set iptables to iptables-legacy
> behaviour. Arno-iptables-firewall and xtables-addons-dkms from
> testing work for me that way.
>

The first machine I updated to Beowulf from Ascii was a clean install
(but with a /home partition taken from Ascii) and it came with the
iptables translation layer installed, so iptables worked 'out of the
box'.

If you check there are symlinks that do this:

/usr/sbin/iptables -> etc/alternatives/iptables

/etc/alternatives/iptables -> /usr/sbin/iptables-nft
/usr/sbin/iptables-nft -> /usr/sbin/xtables-nft-multi

See the XTABLES-NFT(8) manpage:
https://manpages.debian.org/testing/iptables/xtables-nft.8.en.html

You can check if you are using nft behind iptables by typing:
$sudo iptables -V
iptables v1.8.2 (nf_tables)

In Beowulf (with a clean install) you are.

The second machine I built as a mail+ntp+dns server and was also a
clean install, however with this one I jumped in and installed the
nftables .deb (with the described hack to the
/etc/init.d/nftables),enabled and started it having configured it in
/etc/nftables.conf.
The iptables translation sym links are still there but iptables wasn't
configured or used.
Configuring nftables is pretty uncomplicated if your firewall is.
Mine looks like this:

/etc/nftables.conf
------------------------------------------------------------
##!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;


    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept
    tcp dport imap2 ct state new accept
    tcp dport imaps ct state new accept
    tcp dport pop3 ct state new accept
    tcp dport pop3s ct state new accept
    tcp dport submission ct state new accept
    tcp dport smtp ct state new accept
    udp dport ntp ct state new accept
    tcp dport 53 ct state new accept
    udp dport 53 ct state new accept


     # ICMP: errors, pings
     ip protocol icmp icmp type { echo-request, echo-reply,
destination-unreachable, time-exceeded, parameter-problem, router-
solicitation, router-advertisement } accept
     # ICMPv6: errors, pings, routing
     ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"


     # Reject other packets
     ip protocol tcp reject with tcp reset
  }
}
include "/etc/nftables/fail2ban.conf"
------------------------------------------------------------


--
Marjorie