I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. Now all tables shown in iptables-legacy -S are empty, but when I run iptables -S the last line always says:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

I have since removed iptables-legacy from alternatives using the following command:

update-alternatives --remove iptables /usr/sbin/iptables-legacy

And now only the netfilter version is shown:
root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save
How can I get rid of this warning?
As the error message says, it's because the legacy (non-netfilter) iptables subsystem is present. The most common cause is that the iptables-legacy command is called, which loads the legacy modules. There are 5 modules related to legacy iptables, one for each table. (Note: The module names begin with iptable_, no S here.) When ANY of them is loaded, iptables-nft decides that the legacy iptables is present, and emits the said warning. Similarly, there are 5 more modules for legacy IPv6 iptables, each beginning with ip6table_ (no S here, too). After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.

Note again that using blacklist iptable_filter doesn't work here because this directive only prevents automatic loading, but not manual loading via modprobe(8) or another command. This solution using install <modulename> /bin/false should correctly prevent the module from loading under any circumstances.
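A script that puts the answer above into practice, added here as an example and not taken from the answer or from the iptables project: it enumerates the 10 iptable_/ip6table_ modules, reports which ones are loaded (from /proc/modules, or from a constructed sample listing), and generates the install <module> /bin/false lines for a modprobe.d file. The conf file path /etc/modprobe.d/disable-legacy-iptables.conf and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer): find loaded legacy iptables modules
# and generate "install <module> /bin/false" lines to keep them unloadable.
set -eu

# One kernel module per table, for IPv4 (iptable_*) and IPv6 (ip6table_*).
LEGACY_TABLES="filter nat mangle raw security"
legacy_modules() {
    for t in $LEGACY_TABLES; do
        echo "iptable_$t"
        echo "ip6table_$t"
    done
}

# Print the legacy modules found in a /proc/modules-style listing
# ($1, default: the live /proc/modules). Lines start with "<name> <size>".
loaded_legacy_modules() {
    listing="${1:-/proc/modules}"
    for m in $(legacy_modules); do
        if grep -q "^$m " "$listing"; then echo "$m"; fi
    done
}

# "install X /bin/false" makes every modprobe load of X, automatic or
# manual, run /bin/false instead; "blacklist X" only stops automatic loads.
gen_modprobe_conf() {
    for m in $(legacy_modules); do
        echo "install $m /bin/false"
    done
}

# Constructed /proc/modules excerpt, used only to demonstrate detection.
sample_modules_listing() {
    printf '%s\n' 'iptable_filter 16384 0 - Live 0x0' \
                  'nf_tables 229376 0 - Live 0x0' \
                  'ip6table_mangle 16384 0 - Live 0x0'
}

# Apply on the running system (needs root): write the conf file (assumed
# path) and unload the legacy modules that are still loaded.
apply_legacy_block() {
    conf="${1:-/etc/modprobe.d/disable-legacy-iptables.conf}"
    gen_modprobe_conf > "$conf"
    for m in $(loaded_legacy_modules); do
        rmmod "$m"
    done
}

if [ "${1:-}" = "--apply" ]; then apply_legacy_block; fi
```

Run it with --apply as root to write the conf file and rmmod the loaded modules; without arguments it only defines the functions, so loaded_legacy_modules can be called first to see what would be removed.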