How to prevent iptables and nftables rules from running simultaneously?



I'm trying to set up a firewall on my own desktop (currently I'm tinkering with a Fedora 29 virtual machine). I would like to have it on a "deny-everything-by-default" basis. Almost immediately I decided to disable and mask firewalld.service, since firewalld had no way to drop outgoing packets except by using the native iptables syntax. So I decided to resort to nftables, since it's the modern replacement for the former.

The problem is that after a system reboot the iptables chains contain some rules which I didn't set (and I have no idea where they come from). On the other hand, # nft list ruleset returns nothing. So I assume that rules from iptables and nft are enabled simultaneously, and that when I set up some nft rules, the iptables rules, which can appear from "nowhere", will be able to meddle.

I tried to remove iptables, but dnf refused to do so and warned that systemd depends on it.

So could anyone answer a couple of my questions here, please?

  • Do I understand the concepts here correctly (that iptables rules and chains are separate from nft ones, and that both are in effect at the same time)?
  • How can I reliably use nft without interference from iptables rules?
  • Or should I simply use iptables and remove nft?










      fedora iptables firewall nftables






      asked 14 hours ago









      user907860
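The first bullet is right for this setup, and the empty `nft list ruleset` next to a populated iptables is the tell: the iptables binary here is using the legacy x_tables backend, which registers its own netfilter hooks alongside any nf_tables chains, so every packet is evaluated by both and is dropped if either side drops it (with the nf_tables backend of iptables 1.8, iptables rules are stored as nf_tables tables and do show up in `nft list ruleset`). What follows is an added example, not code from the question or the answer: it classifies the backend from the output of `iptables -V`, audits an `iptables-save` dump for loaded rules and built-in chains whose policy is not DROP, and emits a deny-by-default nftables ruleset. The sample dump is constructed, and the outbound allow-list (DNS, NTP, HTTP, HTTPS) is an assumption for a desktop.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Parses the text
# formats of `iptables -V` and `iptables-save`, which are stable, and emits
# a deny-by-default nftables ruleset. The sample iptables-save dump and the
# outbound allow-list are constructed for this demonstration.

# Which backend the iptables binary talks to: iptables >= 1.8 prints
# "(legacy)" (x_tables, invisible to nft) or "(nf_tables)" (rules stored
# in nf_tables and visible in `nft list ruleset`).
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Number of rules ("-A ..." lines) in an iptables-save dump read from stdin.
count_rules() {
    grep -c '^-A ' || true
}

# Built-in chains whose policy is not DROP, as "table/CHAIN POLICY", from an
# iptables-save dump on stdin. User-defined chains (policy "-") are skipped.
open_policies() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /^:/ && $2 != "-" && $2 != "DROP" {
            chain = substr($1, 2)
            print table "/" chain " " $2
        }
    '
}

# Constructed sample of what a stray iptables-save dump might look like.
SAMPLE_IPTABLES_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MY_CHAIN - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -j MY_CHAIN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -j MASQUERADE
COMMIT'

# Deny-by-default ruleset for a single desktop: every base chain has
# policy drop; only loopback, reply traffic, ICMP basics and a short
# outbound allow-list (an assumption: DNS, NTP, HTTP, HTTPS) get through.
nft_deny_by_default() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
    }
}
EOF
}

# Run against the live system where the tools exist (needs root for the
# dumps); everything above runs offline on the sample.
live_audit() {
    command -v iptables >/dev/null 2>&1 &&
        echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    command -v iptables-save >/dev/null 2>&1 && {
        echo "iptables rules loaded: $(iptables-save 2>/dev/null | count_rules)"
        iptables-save 2>/dev/null | open_policies
    }
    command -v nft >/dev/null 2>&1 && {
        tmp=$(mktemp)
        nft_deny_by_default > "$tmp"
        # -c only checks syntax; nothing is loaded into the kernel here.
        nft -c -f "$tmp" && echo "nftables ruleset parses; apply with: nft -f $tmp"
        echo "currently loaded nft ruleset:"
        nft list ruleset 2>/dev/null
    }
}

if [ "${1:-}" = live ]; then live_audit; else
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | open_policies
fi
```

Run with no arguments it reports the open policies of the constructed dump; run as root with the argument `live` it classifies the real iptables backend, counts whatever rules are loaded, and syntax-checks the generated ruleset with `nft -c -f` without applying it. To make that ruleset the one loaded at boot on Fedora, put it where nftables.service reads its configuration (`systemctl cat nftables.service` shows the path) and enable that unit instead of firewalld; as long as anything keeps loading legacy iptables rules, both rule sets stay in effect.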

          1 Answer
          I'm not sure this is the best way, but to stop iptables from reloading after boot, what I did was

          rm /etc/sysconfig/iptables-config
          rm /etc/sysconfig/ip6tables-config
          systemctl disable firewalld

          As for your questions at the bottom: I haven't personally used nftables, but to see whether they are in effect at the same time you could set one to, for example, drop everything and have the other wide open. Repeat on both sides, and if a ping doesn't work either way, that would mean they are both active.

          The second question I believe is answered by the commands posted. The third question is kind of opinion-based. Do whichever you find easier to learn and work with.






          • sorry, but removing the files (I renamed them) didn't work. Default rules reappeared anyway

            – user907860
            13 hours ago











          • Odd, it worked in my Fedora 29 Server VM. Do you have iptables-persistent installed? Try removing that if it exists, as well as doing an iptables -F and iptables -X

            – notsoslimshady
            12 hours ago











          • no, actually I tried to install iptables-persistent but dnf said that nothing matched the name. Then I tried dnf provides iptables-persistent and found nothing again

            – user907860
            12 hours ago











          • I'm still looking into possible options, but in the meantime a hack solution could be to iptables -F and iptables -X and mv /usr/sbin/iptables /usr/sbin/iptables.bak, and the same for iptables-restore. Have not tested, but I'd be surprised if it didn't work

            – notsoslimshady
            11 hours ago












          answered 13 hours ago









          notsoslimshady
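The answer deletes the sysconfig files and disables firewalld, and the comments report that the rules still come back. Before renaming binaries, the check a practitioner would want is to find out which unit is restoring the rules at boot, since systemd unit files are plain text and name the command they run. This is an added example, not code from the answer: it scans unit files for Exec* directives that reference an iptables-family binary, and on a live system reports whether each flagged unit is enabled. The sample units are constructed for the demonstration (the iptables.service one is modelled on Fedora's iptables-services package; the paths in the others are invented).

```shell
#!/bin/sh
# Added example, not code from the answer: find which systemd units could be
# loading iptables rules at boot. Unit files are INI-style text, so awk is
# enough. The sample units are constructed for the demonstration.

# Print "unit: Exec line" for every Exec* directive in the given unit files
# that mentions an iptables-family binary (iptables, ip6tables, *-restore).
units_referencing_iptables() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v unit="$(basename "$f")" '
            /^[[:space:]]*Exec(Start|StartPre|StartPost|Stop|StopPost|Reload)=/ && /ip6?tables/ {
                sub(/^[[:space:]]*/, "")
                print unit ": " $0
            }
        ' "$f"
    done
}

# Constructed sample unit directory: one unit modelled on Fedora's
# iptables-services package, one invented package unit, one unrelated daemon.
make_sample_units() {
    dir=$(mktemp -d)
    cat > "$dir/iptables.service" <<'EOF'
[Unit]
Description=IPv4 firewall with iptables
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecStop=/usr/libexec/iptables/iptables.init stop
EOF
    cat > "$dir/custom-fw.service" <<'EOF'
[Unit]
Description=Rules dropped in by some package (constructed)
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/custom.rules
EOF
    cat > "$dir/sshd.service" <<'EOF'
[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -D
EOF
    echo "$dir"
}

# Number of flagged Exec lines across a directory of unit files.
count_hits() {
    units_referencing_iptables "$1"/*.service | grep -c . || true
}

# On a real system: scan every installed unit, then show which flagged units
# are actually enabled, so the right service gets disabled instead of
# config files being deleted.
live_scan() {
    units_referencing_iptables /usr/lib/systemd/system/*.service /etc/systemd/system/*.service |
        cut -d: -f1 | sort -u |
        while read -r unit; do
            state=$(systemctl is-enabled "$unit" 2>/dev/null)
            printf '%s: %s\n' "$unit" "${state:-unknown}"
        done
}

if [ "${1:-}" = live ]; then
    live_scan
else
    d=$(make_sample_units)
    units_referencing_iptables "$d"/*.service
    rm -rf "$d"
fi
```

Without arguments the script lists the three flagged Exec lines from the constructed units and leaves sshd.service out; with `live` it scans the installed units. A unit that shows up as `enabled` is what `systemctl disable` (and `mask`, if a package re-enables it) should target; a hit in a `static` or `disabled` unit that still runs points at a dependency pulling it in, which `systemctl list-dependencies` will show.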
