Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse

Cloudron Forum

Apps | Demo | Docs | Install

Replace iptables with nftables

Scheduled Pinned Locked Moved Discuss
firewall
14 Posts 7 Posters 920 Views
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • necrevistonnezrN Offline
    necrevistonnezrN Offline
    necrevistonnezr
    wrote on last edited by girish
    #1

    It seems that iptables is being replaced with nftables (it's standard in Debian 10)

    https://wiki.debian.org/nftables

    Should I replace an iptables firewall with a nftables one?
    Yes, nftables is the replacement for iptables. There are some tools in place to ease in this task.
    Please read: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
    Why a new framework?
    The previous framework (iptables) has several problems hard to address, regarding scalability, performance, code maintenance, etc..
    What are the major differences?

    • In iptables there are several tables (filter, nat) and chains (FORWARD, INPUT...) by default. In nftables, there are no default tables/chains.
    • Also, in iptables you only have one target per rule (-j ACCEPT, -j LOG ...). In nftables, you can perform several actions in one single rule.
    • nftables includes built-in data sets capabilities. In iptables this is not possible, and there is a separated tool: ?ipset.
    • In the iptables framework there are tools per family: iptables, ip6tables, arptables, ebtables. Now, nftables allows you to manage all families in one single CLI tool.
    • This new framework features a new linux kernel subsystem, known as nf_tables. The new engine mechanism is inspired by BPF-like systems, with a set of basic expressions, which can be combined to build complex filtering rules.
    1 Reply Last reply
    2
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #2

    Thanks for the info. We in fact want to move to ufw instead. It seems most users are more comfortable with ufw and not iptables which is too low level.

    murgeroM yusfY W robiR 4 Replies Last reply
    2
  • murgeroM Offline
    murgeroM Offline
    murgero App Dev
    replied to girish on last edited by
    #3

    @girish I don't expect that to take too much time too, UFW's backend is iptables so really just sorting out the UFW cli / api should be relatively simple****

    --
    https://urgero.org
    ~ Professional Nerd. Freelance Programmer. ~
    Matrix: @murgero:urgero.org

    1 Reply Last reply
    0
  • yusfY Offline
    yusfY Offline
    yusf
    replied to girish on last edited by
    #4

    @girish Is it happening? Was looking to customize some settings but I'm not touching iptables.

    1 Reply Last reply
    0
  • A Offline
    A Offline
    ariachris56
    wrote on last edited by
    #5

    Glad to know about it.

    1 Reply Last reply
    0
  • W Offline
    W Offline
    will
    replied to girish on last edited by
    #6

    @girish UFW isn't really its own firewall, its a front end for iptables, and probably nftables.

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    replied to girish on last edited by
    #7

    @girish the main issue with ufw is that is doesn't support managing any rules in specific chains. (for example the important INPUT chain or the custom CLOUDRON chain).

    We need ways for at least this to be able to fully manage the range of apps and services we need.

    Life of sky tech

    1 Reply Last reply
    1
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #8

    @robi In the recent release, we added a way to blacklist IPs and also whitelist additional ports. Do these two things cover most cases? https://docs.cloudron.io/networking/#firewall

    robiR 1 Reply Last reply
    1
  • robiR Offline
    robiR Offline
    robi
    replied to girish on last edited by
    #9

    @girish ooh that's great! I knew about the blocklist (bye-bye .cn) but not the whitelist.

    can you add a udp port example to the whitelist docs?

    I keep struggling to keep mosh accessible after a cloudron reboot and it would make sense to simply add mosh support to the default install. (thoughts?)

    It's also not clear if IP port ranges are supported in the whitelist. (mosh ports listed as: 60000-60010 or 60000:60010 didn't work.)

    Do I need to list all the ports in the range?

    Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.

    json is ugh, does it make sense to also convert it to plain text like the blocklist?

    Life of sky tech

    1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    wrote on last edited by
    #10

    @robi said in Replace iptables with nftables:

    can you add a udp port example to the whitelist docs?

    Currently, only tcp is supported. I will look into adding udp, it should be straightforward.

    Also, why does the cloudron-firewall restart take so long? 15-20secs is disturbingly long.

    I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?

    robiR 1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    replied to girish on last edited by
    #11

    Currently, only tcp is supported. I will look into adding udp, it should be straightforward.

    Hmm, then why am I seeing some of the udp ports I added? 😕

    I also see iptables -L | grep 50000:51000
    what is this for? looks like a typo for mosh (60000-61000)

    I think that's the time the kernel is taking to add your blocklist to ipset. I imagine it's pretty big? How many entries does it have?

    oh yes, 13,687 IPs in blocklist now (cn, ru), 25 seconds to load. 😦

    Life of sky tech

    girishG 1 Reply Last reply
    0
  • girishG Offline
    girishG Offline
    girish Staff
    replied to robi on last edited by
    #12

    @robi said in Replace iptables with nftables:

    I also see iptables -L | grep 50000:51000

    That's for the TURN server.

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    wrote on last edited by
    #13

    ooh that's usable for mosh too with the -p parameter.

    let's just make mosh a default thing please!

    Life of sky tech

    1 Reply Last reply
    0
  • robiR Offline
    robiR Offline
    robi
    wrote on last edited by
    #14

    I'm installing a new Cloudron and got bit by this again.. can't get mosh to work without manually tweaking iptables.

    iptables -I INPUT 1 -p udp --dport 60000:60010 -j ACCEPT
    
    

    Life of sky tech

    1 Reply Last reply
    0

  • Login

  • Don't have an account? Register

  • Login or register to search.
  • First post
    Last post
0
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Login

  • Don't have an account? Register

  • Login or register to search.