Re: ADDITIONAL INFO -trying to convert to nftables I have a problem that it adds rules on its own - SOLVED


 



On Thu, 14 May 2020 12:14:07 -0500
dwoody5654@xxxxxxxxx wrote:

> On Wed, 13 May 2020 22:57:42 -0500
> info@xxxxxxxxx wrote:
> 
> > On 5/13/20 10:02 PM, D&R wrote:
> > > nftables.conf is set up as:
> > >
> > > flush ruleset
> > > table inet nat {
> > >         chain postrouting {
> > >                 type nat hook postrouting priority srcnat; policy accept;
> > >                 masquerade random,persistent
> > >         }
> > > }
> > > table inet filter {
> > >         chain input {
> > >                 type filter hook input priority filter; policy drop;
> > >                 counter jump block
> > >         }
> > >         chain forward {
> > >                 type filter hook forward priority filter; policy drop;
> > >                 counter jump block
> > >         }
> > >         chain output {
> > >                 type filter hook output priority filter; policy accept;
> > >         }
> > >         chain block {
> > >                 ct state { established, related } counter accept comment "accept all connections related to connections made by us"
> > >                 iifname "enp1s0" counter accept
> > >                 iifname "enp2s0" counter accept
> > >                 iif "lo" accept comment "accept loopback"
> > >                 tcp dport xxxxx counter accept comment "accept SSH"
> > >                 counter log prefix "IPTABLES IN= " level crit flags tcp sequence,options
> > >                 counter drop comment "count dropped packets"
> > >         }
> > > }
> > >
> > >
> > > After it runs for a few minutes it adds the following at the bottom of
> > > the table:
> > >
> > >
> > > table ip filter {
> > >         chain INPUT {
> > >                 type filter hook input priority filter; policy accept;
> > >                 counter packets 214 bytes 18153 jump block
> > >         }
> > >
> > >         chain FORWARD {
> > >                 type filter hook forward priority filter; policy accept;
> > >                 counter packets 525 bytes 85145 jump block
> > >         }
> > >
> > >         chain OUTPUT {
> > >                 type filter hook output priority filter; policy accept;
> > >         }
> > >
> > >         chain block {
> > >         }
> > > }
> > >
> > > I can't explain this, can anyone else do so?
> > >
> > > Thanks,
> > >
> > > David
> > > _______________________________________________
> > > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > > Fedora Code of Conduct:
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List
> > > Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List
> > > Archives:
> > > https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> > 
> > maybe something else is running like firewalld? i've been using nftables
> > for a while on other distros and now on fedora and i haven't seen any
> > changes being made to my nftables.conf.
> > 
> > maybe run "systemctl status firewalld"?
> > 
> I had gone back to iptables several times while trying to understand nftables.
> For the first several switches this problem did not occur.
> 
> The last switch to nftables I ran:
> iptables -F and iptables -X
> but did not run
> rpm -e --nodeps iptables.
> 
> I removed iptables and the problem went away but on the nftables wiki it
> states:
> 
> Question 4. How do nftables and iptables interact when used on the same
> system?
> 
> What happens when you mix Iptables and Nftables? How do they interact?
> 
> nft        Empty   Accept  Accept       Block        Blank
> iptables   Empty   Empty   Block        Accept       Accept
> Results    Pass    Pass    Unreachable  Unreachable  Pass
> 
> My nftables has been running for hours with no problem.
> 
> Thanks for your responses,
> 
> David

When I installed on another computer, I found out that running

rpm -e --nodeps iptables

is not enough; I also had to do

rpm -e --nodeps iptables-services

I did have to keep iptables-libs - without it nft will not run.

After I did that I did not have the extra table added.

David
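A small audit script, added here as an example and not part of the thread, that flags the extra `table ip filter` described above in `nft list ruleset` output. It assumes the intended ruleset uses the inet family with lowercase chain names, so any table whose chains carry the uppercase iptables names is one the iptables-nft layer is still maintaining.

```shell
#!/bin/sh
# Added example (not from the thread): audit `nft list ruleset` output for
# tables kept by the iptables-nft compatibility layer next to a hand-written
# ruleset. Assumption: the intended ruleset uses the inet family and lowercase
# chains, while iptables-nft creates "table ip ..." with uppercase chains.

# Constructed sample of `nft list ruleset` output, modelled on the thread.
SAMPLE_RULESET='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		counter jump block
	}
	chain block {
		iif "lo" accept comment "accept loopback"
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 214 bytes 18153 jump block
	}
	chain block {
	}
}'

# foreign_tables RULESET_TEXT: print "family name" once for every table
# whose chains carry the uppercase iptables built-in names.
foreign_tables() {
    printf '%s\n' "$1" | awk '
        $1 == "table" { table = $2 " " $3; next }
        $1 == "chain" && $2 ~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/ {
            if (!(table in seen)) { seen[table] = 1; print table }
        }'
}

# accept_policy_hooks RULESET_TEXT: print "family name chain" for every base
# chain on the input or forward hook whose policy is accept. A drop in
# another table on the same hook still wins, but these are the chains in
# which iptables rules would start to take effect.
accept_policy_hooks() {
    printf '%s\n' "$1" | awk '
        $1 == "table" { table = $2 " " $3 }
        $1 == "chain" { chain = $2 }
        $1 == "type" && $3 == "hook" && ($4 == "input" || $4 == "forward") &&
            /policy accept;/ { print table " " chain }'
}

# Runs against the constructed sample; pass "$(nft list ruleset)" on a live box.
foreign_tables "$SAMPLE_RULESET"        # ip filter
accept_policy_hooks "$SAMPLE_RULESET"   # ip filter INPUT
```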




