Public bug reported:

Summary:
I am using firewalld/jammy,now 1.1.1-1ubuntu1 on my vpn server. The vpn server 
is using wireguard and I could successfully configure zones and policies in 
firewalld. Yet, iptables does not show the rules from firewalld.

1) System
root@vpn:~# uname -a
Linux vpn 5.15.0-27-generic #28-Ubuntu SMP Thu Apr 14 04:55:28 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@vpn:~# lsb_release -rd
Description:    Ubuntu 22.04 LTS
Release:        22.04

All updates installed.


2) What happens:

I am setting rules with firewall-cmd.

These firewall rules are visible with:
   nft list table inet firewalld
but not with 'iptables'.

3) What I expect to happen:

The output of
  iptables --list
should also reflect firewalld settings.

4) What happened instead

However, the iptables output shows only empty tables (filter, mangle,
nat).

root@vpn:~# iptables -t nat --list
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
root@vpn:~# iptables -t filter --list
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
root@vpn:~# iptables-legacy -t nat --list
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
root@vpn:~# iptables-legacy -t filter --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


5) Further information

The ufw firewall is disabled and uninstalled.

According to the release notes of 22.04, the backend has changed to nftables.
I was assuming that the backend default is kind of transparent to the user,
meaning iptables should still work as normal.

I wonder if iptables is correctly linked to the backend on my system.

Iptables points to xtables-nft-multi:
root@vpn:~# ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Aug 24  2021 /usr/sbin/iptables -> /etc/alternatives/iptables
root@vpn:~# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Apr 25 18:56 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
root@vpn:~# ls -l /usr/sbin/iptables-nft
lrwxrwxrwx 1 root root 17 Mar 24 12:58 /usr/sbin/iptables-nft -> xtables-nft-multi
root@vpn:~# ls -l /usr/sbin/xtables-nft-multi
-rwxr-xr-x 1 root root 224296 Mar 24 12:58 /usr/sbin/xtables-nft-multi


Perhaps this is an issue with the upgrade process of Ubuntu.

** Affects: ufw (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1970731

Title:
  iptables empty when using firewalld

Status in ufw package in Ubuntu:
  New
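
The report compares `nft list table inet firewalld` with `iptables --list` and follows the `iptables` symlink chain by hand. The script below is an added example, not part of the report or of firewalld or ufw, that performs both checks for a ruleset audit. It assumes that the iptables-nft tools only list `ip`/`ip6` tables named filter, nat, mangle, raw and security; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: iptables/ip6tables (nft variant) only display
# the ip/ip6 tables named filter, nat, mangle, raw and security.

# Map the binary that the iptables symlink chain ends at to its backend.
backend_of() {
    case "$(basename "$1")" in
        xtables-nft-multi)    echo nft ;;
        xtables-legacy-multi) echo legacy ;;
        *)                    echo unknown ;;
    esac
}

# Read `nft list tables` output on stdin and print "family name" for every
# table that an iptables or ip6tables listing will not display.
hidden_from_iptables() {
    while read -r kw family name rest; do
        [ "$kw" = "table" ] || continue
        case "$family/$name" in
            ip/filter|ip/nat|ip/mangle|ip/raw|ip/security) ;;
            ip6/filter|ip6/nat|ip6/mangle|ip6/raw|ip6/security) ;;
            *) echo "$family $name" ;;
        esac
    done
}

# Constructed sample of `nft list tables` output (not taken from the report).
SAMPLE='table inet firewalld
table ip filter
table ip nat'

# Run the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE" | hidden_from_iptables
}

# On a live host (as root):
#   backend_of "$(readlink -f /usr/sbin/iptables)"
#   nft list tables | hidden_from_iptables
```

Any table this prints holds rules that an audit based only on `iptables --list` would miss.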

