[clug] Debian Buster - Which firewall by default? iptables or nftables? Apt says iptables is installed and nftables is not installed, but the Debian doco says otherwise.

George at Clug Clug at goproject.info
Tue Jul 23 14:41:50 UTC 2019


https://wiki.debian.org/nftables
Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem).

Could someone please explain the above with a bit more detail?

The links below give some explanation, but it is not quite clear enough for me to be confident I understand what the text is saying.

The Debian doco tells me that Buster now uses nftables, not iptables, but when I check installed packages, "iptables/stable,now 1.8.2-4 amd64 [installed]" is installed and "nftables/stable 0.9.0-2 amd64" is not installed.

Reading further into the documentation, I believe that the iptables package in Buster is not iptables anymore, but nftables with an iptables-compatible syntax, and is just called iptables because you can use the iptables syntax to configure it. Would this be correct, or have I not understood what the documentation is trying to say?

https://linuxnewbieguide.org/hello-nftables-goodbye-iptables/

https://fedora.pkgs.org/29/fedora-x86_64/iptables-nft-1.8.0-3.fc29.x86_64.rpm.html
nftables compatibility for iptables, arptables and ebtables.


https://wiki.debian.org/nftables#Should_I_replace_an_iptables_firewall_with_a_nftables_one.3F
Why a new framework?
The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc.



From the doco and from what I can determine using "update-alternatives --list iptables", the above is true, and that iptables is set to 

Using "# iptables-nft -L" gives the same result as "# iptables -L"
# export PATH=$PATH:/usr/sbin
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables-nft -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


https://manpages.debian.org/unstable/iptables/iptables-extensions.8.en.html
With iptables-nft, the target is translated into nftables' meta nftrace expression. Hence the kernel sends trace events via netlink to userspace where they may be displayed using xtables-monitor --trace command.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914423
Starting with iptables v1.8.2 the binary package includes iptables-nft and
iptables-legacy, two variants of the iptables command line interface. The
nftables-based is the default in Debian Buster and works with the nf_tables
Linux kernel subsystem. The legacy one uses the x_tables Linux kernel
subsystem. Users can use the update-alternatives system to select one variant
or the other.


https://packages.debian.org/buster/iptables
Package: iptables (1.8.2-4)
administration tools for packet filtering and NAT

The iptables/xtables framework has been replaced by nftables. You should consider migrating now.

iptables is the userspace command line program used to configure the Linux packet filtering and NAT ruleset. It is targeted towards systems and networks administrators.

https://wiki.debian.org/nftables

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

You can switch back and forth between iptables-nft and iptables-legacy by means of update-alternatives (same applies to arptables and ebtables).

The default starting with Debian Buster:

# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft

Switching to the legacy version:

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

# update-alternatives --get-selections | grep tables
arptables                      auto     /usr/sbin/arptables-nft
ebtables                       auto     /usr/sbin/ebtables-nft
ip6tables                      auto     /usr/sbin/ip6tables-nft
iptables                       auto     /usr/sbin/iptables-nft

# update-alternatives --list iptables
/usr/sbin/iptables-legacy
/usr/sbin/iptables-nft


# find /usr/sbin -name iptables*
/usr/sbin/iptables-restore-translate
/usr/sbin/iptables-nft-restore
/usr/sbin/iptables-save
/usr/sbin/iptables-legacy
/usr/sbin/iptables-translate
/usr/sbin/iptables-legacy-save
/usr/sbin/iptables-restore
/usr/sbin/iptables-nft
/usr/sbin/iptables-nft-save
/usr/sbin/iptables-legacy-restore
/usr/sbin/iptables-apply
/usr/sbin/iptables


https://wiki.debian.org/nftables

NOTE: Debian Buster uses the nftables framework by default.


My build after GUFW installed
# apt list --installed | grep tables
iptables/stable,now 1.8.2-4 amd64 [installed]
libxtables12/stable,now 1.8.2-4 amd64 [installed]

# apt list  | grep tables
...
iptables-converter-doc/stable 0.9.8-1 all
iptables-converter/stable 0.9.8-1 all
iptables-dev/stable 1.8.2-4 amd64
iptables-netflow-dkms/stable 2.3-5 amd64
iptables-optimizer-doc/stable 0.9.14-1 all
iptables-optimizer/stable 0.9.14-1 all
iptables-persistent/stable 1.0.11 all
iptables/stable,now 1.8.2-4 amd64 [installed]
...
nftables/stable 0.9.0-2 amd64
...

Default Debian Buster build with XFCE
# apt list --installed | grep tables
iptables/stable,now 1.8.2-4 amd64 [installed]
libxtables12/stable,now 1.8.2-4 amd64 [installed]

# apt list  | grep tables
...
iptables-converter-doc/stable 0.9.8-1 all
iptables-converter/stable 0.9.8-1 all
iptables-dev/stable 1.8.2-4 amd64
iptables-netflow-dkms/stable 2.3-5 amd64
iptables-optimizer-doc/stable 0.9.14-1 all
iptables-optimizer/stable 0.9.14-1 all
iptables-persistent/stable 1.0.11 all
iptables/stable,now 1.8.2-4 amd64 [installed]
...
nftables/stable 0.9.0-2 amd64
...



Default Debian Buster build with no GUI 
# apt list --installed | grep tables
iptables/stable,now 1.8.2-4 amd64 [installed]
libxtables12/stable,now 1.8.2-4 amd64 [installed]

# apt list  | grep tables
...
iptables-converter-doc/stable 0.9.8-1 all
iptables-converter/stable 0.9.8-1 all
iptables-dev/stable 1.8.2-4 amd64
iptables-netflow-dkms/stable 2.3-5 amd64
iptables-optimizer-doc/stable 0.9.14-1 all
iptables-optimizer/stable 0.9.14-1 all
iptables-persistent/stable 1.0.11 all
iptables/stable,now 1.8.2-4 amd64 [installed]
...
nftables/stable 0.9.0-2 amd64
...
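An added example (my own script, not code from this post or from Debian) that answers the question the post is circling from the two places it already looks at, the update-alternatives selections and the iptables-nft/iptables-legacy binaries, and adds the check a firewall admin wants once they know both backends exist: whether rules have ended up in the x_tables and the nf_tables ruleset at the same time, since `iptables -L` only shows the one the alternative points at. It assumes iptables 1.8.x, whose `iptables -V` banner ends in "(nf_tables)" or "(legacy)"; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from Debian: tell which iptables backend a
# Buster host actually uses, and flag rules living in both backends at once.
# Assumes iptables 1.8.x, whose `iptables -V` banner ends in "(nf_tables)" or "(legacy)".
# Functions take command output as text so they run offline on the samples at the end.

# Map the `iptables -V` banner, e.g. "iptables v1.8.2 (nf_tables)", to a backend name.
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# From `update-alternatives --get-selections` output print "<tool> <backend>" for each
# *tables alternative; the backend is the suffix after the last '-' (nft or legacy).
alternatives_backends() {
    printf '%s\n' "$1" | awk '$1 ~ /tables$/ { n = split($3, p, "-"); print $1, p[n] }'
}

# Number of rules ("-A ..." lines) in an iptables-save style dump.
count_rules() {
    printf '%s\n' "$1" | awk '/^-A / { n++ } END { print n + 0 }'
}

# True when BOTH the x_tables (legacy) and nf_tables dumps carry rules: the kernel
# enforces both rulesets, but `iptables -L` only shows the one the alternative points at.
mixed_backends() {
    [ "$(count_rules "$1")" -gt 0 ] && [ "$(count_rules "$2")" -gt 0 ]
}

# Same checks against the live host (root; needs the iptables-legacy/-nft binaries).
report_live() {
    echo "iptables backend: $(backend_from_version "$(iptables -V)")"
    alternatives_backends "$(update-alternatives --get-selections)"
    if mixed_backends "$(iptables-legacy-save)" "$(iptables-nft-save)"; then
        echo "WARNING: rules are loaded in both the legacy and the nft backend"
    fi
}

# Constructed samples; the selections lines mirror the output quoted in the post.
SAMPLE_SELECTIONS='ip6tables   auto   /usr/sbin/ip6tables-nft
iptables    auto   /usr/sbin/iptables-nft'
SAMPLE_LEGACY='-A INPUT -i lo -j ACCEPT'
SAMPLE_NFT='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
backend_from_version 'iptables v1.8.2 (nf_tables)'
alternatives_backends "$SAMPLE_SELECTIONS"
mixed_backends "$SAMPLE_LEGACY" "$SAMPLE_NFT" && echo "WARNING: rules in both backends"
```

On a real host call `report_live` as root; a WARNING there means a rule set through iptables-legacy (or a tool still using it) is being enforced alongside the nft ruleset without showing up in `iptables -L`.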