how to disable iptables after migrating to nftables?

GNUser:
I migrated the firewall in my router from iptables to nftables. Router runs TCL11 x86_64. Now I'd like to completely disable iptables because even when the built-in chains have no rules, all the chains are still traversed, with associated overhead.

Interestingly, nftables.tcz depends on iptables.tcz, so I cannot do without the iptables.tcz extension:

--- Code: ---bruno@t400:/mnt/sda1/tce/optional$ grep iptables *.dep
nftables.tcz.dep:iptables.tcz
wireguard-tools.tcz.dep:iptables.tcz
--- End code ---

lsmod shows that the kernel modules iptable_mangle and iptable_nat are loaded. I can remove these kernel modules easily enough:

--- Code: ---# modprobe -r iptable_mangle
# modprobe -r iptable_nat
--- End code ---

I noticed that wireguard actually prefers nftables and uses it instead of iptables when both are available.

My two questions for you smart guys are:
1. What is the best way to disable iptables so that all the completely empty chains are not being traversed?
2. Why are the iptable_nat and iptable_mangle kernel modules being loaded? I didn't load them and they don't seem to be dependencies of any of the other kernel modules. Also, I don't see any script in /usr/local/tce.installed that is loading them.

Rich:
Hi GNUser

--- Quote from: GNUser on December 17, 2021, 11:51:04 AM --- ... My two questions for you smart guys are:
1. What is the best way to disable iptables so that all the completely empty chains are not being traversed? ...
--- End quote ---
Maybe something like this would work:

--- Code: ---root@kerneltalks # iptables -F
root@kerneltalks # iptables -X
root@kerneltalks # iptables -P INPUT ACCEPT
root@kerneltalks # iptables -P OUTPUT ACCEPT
root@kerneltalks # iptables -P FORWARD ACCEPT
--- End code ---


--- Quote ---Where -

    -F: Flush all policy chains
    -X: Delete user-defined chains
    -P INPUT/OUTPUT/FORWARD: Accept specified traffic
--- End quote ---

Result:

--- Code: ---# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
--- End code ---

Found here:
https://kerneltalks.com/howto/how-to-disable-iptables-firewall-temporarily/

The link also tells you how to back up your existing policies should you wish to.


--- Quote --- ... 2. Why are the iptable_nat and iptable_mangle kernel modules being loaded? ...
--- End quote ---
Probably one of the iptables executables or libraries loads them.

GNUser:
Thanks, Rich, but I have already cleared all rules from iptables chains. Also, the default target on all of the iptables chains is already ACCEPT.

My nftables firewall is working well and doing everything I need.

What I'm trying to accomplish here is to completely shut off iptables. For every network packet to traverse both nftables (which does useful work for me) and iptables (which now consists of a bunch of default tables with empty default chains) seems ugly and inefficient.

Rich:
Hi GNUser
How about:

--- Code: ---iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
--- End code ---

Found here:
https://serverfault.com/questions/129086/how-to-start-stop-iptables-on-ubuntu

Are you sure nftables needs iptables? According to Google nftables is supposed to replace iptables.

GNUser:
iptables has default tables and chains that continue to exist even when they contain no rules. nftables is not like this--the only tables and chains that exist are those explicitly created by the user (or applications).

Since I cannot delete the empty tables and chains in iptables, I am assuming that all of my network packets are traversing those empty tables and chains. There is a chance my assumption is wrong and that what packets traverse is the Netfilter engine and that both  iptables  and  nftables  are just human-friendly constructs to manipulate the Netfilter engine. If someone knows which is the case, please let me know.
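Added example, not code from any of the posts above: a POSIX shell script that checks the state GNUser is asking about without invoking iptables at all. The legacy tables (filter, nat, mangle, raw, security) and their built-in chains are created, and their netfilter hooks registered, when the matching iptable_* kernel module is loaded; unloading the module removes the hooks, so packets stop traversing that table. Both nf_tables and the xtables modules hang off the same netfilter hook points, so an empty but registered xtables table still costs a hook call per packet, which is the overhead in question. The catch is that `iptables -L` (or `-t nat -L`) makes the kernel auto-load the module for the table being listed, so checking with iptables re-creates exactly what you are trying to remove. The script therefore reads /proc/net/ip_tables_names and /proc/modules instead. The file paths are parameters so the functions can be exercised on a constructed snapshot (the `make_sample_procfs` data is made up to mirror the thread, not captured from the router), and the `XT_LIVE` variable is this example's own switch, not anything from Tiny Core.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum posts): check from
# /proc, without invoking iptables, which legacy iptables tables the kernel
# still has registered and which iptable_* modules are loaded, then unload
# the empty ones.
#
# Why /proc and not `iptables -L`: asking iptables to list a table makes the
# kernel auto-load that table's module (iptable_filter, iptable_nat, ...),
# so the very act of checking re-creates the "default" tables and their
# built-in chains.  Unloading the module deregisters the table's netfilter
# hooks, so packets stop traversing it.

# Print the legacy IPv4 tables currently registered, one per line.
# $1: file to read (default /proc/net/ip_tables_names; an unreadable or
#     missing file means ip_tables itself is not loaded, so print nothing).
registered_xtables() {
    f="${1:-/proc/net/ip_tables_names}"
    [ -r "$f" ] || return 0
    cat "$f"
}

# Print the loaded iptable_*/ip6table_* module names, one per line.
# $1: file in /proc/modules format (default /proc/modules).
loaded_xtable_modules() {
    f="${1:-/proc/modules}"
    [ -r "$f" ] || return 0
    awk '$1 ~ /^ip6?table_/ { print $1 }' "$f"
}

# Map a table name from ip_tables_names to the module that provides it.
xt_module_for_table() {
    case "$1" in
        filter|nat|mangle|raw|security) echo "iptable_$1" ;;
        *) return 1 ;;
    esac
}

# Try to unload each loaded iptable_* module.  modprobe -r refuses (and the
# table stays registered) while anything still references the module, e.g.
# a rule that is still installed, so report rather than force.
# $1: optional /proc/modules-style file, as above.
unload_xtable_modules() {
    for m in $(loaded_xtable_modules "$1"); do
        if modprobe -r "$m" 2>/dev/null; then
            echo "unloaded $m"
        else
            echo "still in use: $m" >&2
        fi
    done
}

# Write a constructed (not captured) snapshot of the two proc files into
# directory $1, mirroring the situation in the thread: nat and mangle are
# registered and their modules loaded, with nothing else holding them.
make_sample_procfs() {
    printf 'nat\nmangle\n' > "$1/ip_tables_names"
    cat > "$1/modules" <<'EOF'
iptable_nat 16384 0 - Live 0x0000000000000000
nf_nat 49152 1 iptable_nat, Live 0x0000000000000000
iptable_mangle 16384 0 - Live 0x0000000000000000
ip_tables 32768 2 iptable_nat,iptable_mangle, Live 0x0000000000000000
x_tables 49152 3 ip_tables,iptable_nat,iptable_mangle, Live 0x0000000000000000
nf_tables 245760 2 nft_ct,nft_chain_nat, Live 0x0000000000000000
EOF
}

# Live report when run directly as root on the router (off by default so
# that sourcing this file has no side effects):
#   XT_LIVE=1 sh xtables-check.sh
if [ "${XT_LIVE:-0}" = 1 ]; then
    echo "registered legacy tables:"; registered_xtables
    echo "loaded xtables modules:";  loaded_xtable_modules
    unload_xtable_modules
fi
```

Run it once with `XT_LIVE=1` after the nftables ruleset is up; if `registered_xtables` prints nothing afterwards, there is no xtables table left for packets to enter. If a module reports "still in use", something still references it (ip_tables itself is held by every iptable_* module, so unload those first), and any later `iptables` invocation, for example from a wg-quick hook that falls back to iptables, will load the module again.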
