Questions[nftables](ubuntu)

I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. Now all tables shown in iptables-legacy -S are empty, but when I run iptables -S the last line always says:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

I have since removed iptables-legacy from alternatives using the following command:

update-alternatives --remove iptables /usr/sbin/iptables-legacy

And now only the netfilter version is shown

root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

How can I get rid of this warning?

According to this article on itsfoss.com nftables should replace iptables after updating from 20.04 to 20.10. In my case not only is iptables still installed, but also nftables is missing.

Does it imply that the update process has failed and there might be other components missing? Is it much of an issue from security point of view?

I don't know unfortunately when it stopped working, because I was using it as a fire and forget solution. Not so long ago I checked it with gufw and was stunned to realize my machine is naked.

root@asus:/etc/ufw# dpkg -l | grep ufw
ii  gufw   19.10.0-2
ii  ufw    0.36-1


root@asus:/etc/ufw# dpkg -l | grep tables
ii  iptables               1.8.4-11
ii  iptables-dev:amd64     1.8.3-2
ii  libnftables1:amd64     0.9.3-2
ii  libnftnl11:amd64       1.1.5-1
ii  libxtables-dev:amd64   1.8.4-1
ii  libxtables12:amd64     1.8.4-1
ii  nftables               0.9.3-2

I'm running with a 5.3.0-3-amd64 kernel.

The actual error:

root@asus:/# ufw enable
ERROR: problem running ufw-init
Bad argument `DROP'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 4
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore: line 2 failed
Bad argument `-'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.4 (nf_tables): Chain 'ufw-user-input' does not exist
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Bad argument `DROP'
Error occurred at line: 4
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 4
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
ip6tables-restore: line 2 failed
Bad argument `-'
Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Bad argument `-'
Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
ip6tables-restore v1.8.4 (nf_tables): Chain 'ufw6-user-input' does not exist
Error occurred at line: 2
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/user.rules'
Problem running '/etc/ufw/user6.rules'

I haven't found any telling hits on this (a lot of ufw problems but not this type). I wonder if it's something with the kernel's iptables support, the fact that nftables package somehow got itself into the installed packages or something else? If I delete the before*.rules or after*.rules from /etc/ufw I get an error because of that, the scripts look for those files.

I wonder if anyone has the same error message for ufw enable. Right now my ufw is inactive.

root@asus:/etc/ufw# lsmod | grep tables
ip6_tables             36864  0
ip_tables              32768  0
x_tables               49152  17 xt_conntrack,nft_compat,xt_LOG,xt_multiport,xt_tcpudp,xt_hashlimit,xt_addrtype,xt_recent,ip6t_rt,xt_comment,ip6_tables,ipt_REJECT,ip_tables,xt_limit,xt_hl,xt_MASQUERADE,ip6t_REJECT
nf_tables             163840  46 nft_compat,nft_counter,nft_chain_nat,nft_limit
nfnetlink              16384  4 nft_compat,nf_conntrack_netlink,nf_tables

Though I have gone through quite a few threads on AskUbuntu (1, 2, 3), and elsewhere, I'm little confuse on how to proceed.

I'd like to completely remove ufw, delete all iptables chains and rules, for a fresh start with nftables firewall in Ubuntu MATE 19.04

If I understand correctly (from the threads I have linked), I need to run the following:

sudo systemctl reset ufw

sudo systemctl disable ufw

sudo apt purge ufw gufw

sudo iptables -F

sudo iptables -Z

Then ?

for i in `iptables -L INPUT --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D INPUT $i ; done
for i in `iptables -L FORWARD --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D FORWARD $i ; done
for i in `iptables -L OUTPUT --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D OUTPUT $i ; done
for i in `iptables -L | grep 'Chain .*ufw' | cut -d ' ' -f 2`; do iptables -X $i ; done

The questions I have are:

(1) How do I "disable or deactivate" iptables so it doesn't interfere with Nftables firewall later on.

(2) In addition to removing ufw, should I remove iptables too:

sudo apt remove --auto-remove iptables

(3) Then proceed with installing and configuring nftables, is this the correct order?

I have been playing around with switching to nftables (purely as a learning exercise). I have it all working perfectly except for the fact I have to manually unload iptable_nat from the kernel after a restart.

What I have attempted so far

• completely flushed the iptables rules
• rmmod everything to do with Xtables
• blacklist all Xtables modules

None of these stop iptable_nat from loading on reboot and this stops nf_nat from working. Once I have run rmmod iptable_nat it works as expected.

Does anyone know how to completely disable IPTables on Ubuntu 18.04 LTS?