:: Re: [DNG] How to firewall on Devuan…
Author: g4sra
Date:  
To: dng@lists.dyne.org
Subject: Re: [DNG] How to firewall on Devuan?
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, February 24, 2021 5:58 PM, Adam Borowski <kilobyte@???> wrote:

> On Wed, Feb 24, 2021 at 07:26:35AM -0700, Gabe Stanton via Dng wrote:
>
> > If I understand correctly, the iptables cli that we use now is just a
> > wrapper around nftables.
>
> Actually, there are two independent subsystems. They're managed by two
> userspace tools:
>
> - iptables-legacy
> - iptables-nft
>
> Rules set by one of them are not visible by the other. This may give a
> nasty surprise if some tool sets a rule some other way.
>
> /usr/sbin/iptables is an alternatives link to one of the two, you can check
> update-alternatives --display iptables
> to see which subsystem you're using by default.
>
> Meow!
> --
> ⢀⣴⠾⠻⢶⣦⠀ Latin: meow 4 characters, 4 columns, 4 bytes
> ⣾⠁⢠⠒⠀⣿⡁ Greek: μεου 4 characters, 4 columns, 8 bytes
> ⢿⡄⠘⠷⠚⠋⠀ Runes: ᛗᛖᛟᚹ 4 characters, 4 columns, 12 bytes
> ⠈⠳⣄⠀⠀⠀⠀ Chinese: 喵 1 character, 2 columns, 3 bytes <-- best!

>
>
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng



Steve,

I suggest that anybody new to firewalling should go with NFT.
There is a lot more choice of IPTables wrappers and GUIs, which hide what is really happening, and that is not necessarily a good thing. No doubt NFT will get these further down the line.

IPTables is earmarked to go away, as IFTables did before it, and then you will need to learn NFT anyway.

Speaking as someone who has used IPTables ever since it came about and is new to NFT, NFT is far more versatile, logical and simpler to configure.


flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated by us
                ct state established,related accept

                # count and drop any other traffic
                counter drop
        }
}
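An added example, not code from either message in this thread, that turns Adam's two points into a check: which backend the iptables alternative currently resolves to, and whether rules are sitting in both iptables-legacy and iptables-nft at once (where neither tool shows the other's). The command outputs it parses are constructed samples in the shape of `update-alternatives --display iptables` and the `iptables-*-save` dumps.

```shell
# Added example (not from the thread): report which backend the
# /usr/sbin/iptables alternative points at, and warn when BOTH
# iptables-legacy and iptables-nft hold rules, since neither sees the
# other's. The parsers read text, so the constructed samples below
# stand in for `update-alternatives --display iptables`,
# `iptables-legacy-save` and `iptables-nft-save` (the saves need root).

# Print "legacy", "nft" or "unknown" from update-alternatives output.
iptables_backend() {
    awk '/link currently points to/ {
        if ($NF ~ /legacy/) print "legacy"
        else if ($NF ~ /nft/) print "nft"
        else print "unknown"
    }'
}

# Count rules in an iptables-save style dump: only "-A" lines are rules;
# "*table", ":CHAIN policy", "#" comments and COMMIT are skipped.
rule_count() {
    grep -c '^-A' || true
}

# Return 1 and warn if rules exist in both backends, else return 0.
# Arguments: legacy-save text, nft-save text.
split_ruleset() {
    n_legacy=$(printf '%s\n' "$1" | rule_count)
    n_nft=$(printf '%s\n' "$2" | rule_count)
    if [ "$n_legacy" -gt 0 ] && [ "$n_nft" -gt 0 ]; then
        echo "WARNING: $n_legacy rule(s) in iptables-legacy, $n_nft in iptables-nft" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `update-alternatives --display iptables`.
SAMPLE_ALT='iptables - auto mode
  link currently points to /usr/sbin/iptables-nft
/usr/sbin/iptables-legacy - priority 10
/usr/sbin/iptables-nft - priority 20'

# Constructed save-format dumps: two rules in legacy, one in nft.
SAMPLE_LEGACY='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'
SAMPLE_NFT='*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

echo "default backend: $(printf '%s\n' "$SAMPLE_ALT" | iptables_backend)"
split_ruleset "$SAMPLE_LEGACY" "$SAMPLE_NFT" || echo "split ruleset detected"
```

On a real host, feed the functions the live command output instead of the samples; a non-zero return from split_ruleset is the "nasty surprise" case worth an alert.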