How to prevent iptables and nftables rules from running simultaneously?

I'm trying to set up a firewall on my own desktop (currently I'm tinkering with a Fedora 29 virtual machine). I would like to have it on the "deny-everything-by-default" basis. Almost immediately I decided to disable and mask the firewalld.service, since firewalld had no way to drop the outgoing packets, except by using the native iptables syntax. So I decided to resort to nftables, since it's the modern replacement for the former.



The problem is that after a system reboot the iptables chains have some rules which I didn't set (and I have no idea where they come from). On the other hand, # nft list ruleset returns nothing. So I assume that rules from iptables and nft will be enabled simultaneously, and when I set up some nft rules, rules from iptables, which can appear from "nowhere", will be able to meddle.



I tried to remove iptables, but dnf refused to do so and warned that systemd depends on it.



So could anyone answer a couple of my questions here, please?



  • Do I understand the concepts here correctly (that iptables rules and chains are separate from nft ones, and that they both are in effect at the same time)?

  • How can I reliably use nft without iptables rules interference?

  • Or should I simply use iptables and remove nft?









      fedora iptables firewall nftables






      asked yesterday









user907860

          1 Answer
I'm not sure this is the best way, but to stop iptables from reloading after boot what I did was

    rm /etc/sysconfig/iptables-config
    rm /etc/sysconfig/ip6tables-config
    systemctl disable firewalld

As for your questions at the bottom: I haven't personally used nftables, but to see if they are in effect at the same time you could set one to, for example, drop everything and have the other wide open. Repeat on both sides and if a ping doesn't work either way that would mean they are both active.

The second question I believe is answered by the commands posted. The third question is kind of opinion-based. Do whichever you find is easier to learn and work with.






answered yesterday

notsoslimshady

• sorry, but removing the files (I renamed them) didn't work. Default rules reappeared anyway

  – user907860
  yesterday

• Odd, it worked in my Fedora 29 Server VM. Do you have iptables-persistent installed? Try removing that if it exists, as well as doing an iptables -F and iptables -X

  – notsoslimshady
  yesterday

• no, actually I tried to install iptables-persistent but dnf said that nothing matched the name. Then I tried dnf provides iptables-persistent and found nothing again

  – user907860
  yesterday

• I'm still looking into possible options, but in the meantime a hack solution could be to iptables -F and iptables -X and mv /usr/sbin/iptables /usr/sbin/iptables.bak and the same for iptables-restore. Have not tested but I'd be surprised if it didn't work

  – notsoslimshady
  yesterday
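As an added check (example code written for this edit, not from the question, the answer, or any Fedora tooling): the functions below parse `iptables-save` and `nft list ruleset` output and report whether legacy iptables rules and an nftables ruleset are loaded at the same time, which is the overlap the answer proposes probing with ping. Assumed: the function names, the constructed sample outputs, and that `iptables -V` on iptables 1.8 or later prints its backend as `(legacy)` or `(nf_tables)`.

```shell
#!/bin/sh
# Added example, not from the original post or its author. Legacy iptables
# (x_tables) and nftables hook into netfilter independently, so a packet has
# to pass both rule sets; this script tells you whether both are populated.
# The counting functions work on text, so they run offline on the constructed
# samples below; check_live_backends() (assumed helper name) needs root.

# One rule per "-A CHAIN ..." line in iptables-save format.
count_xtables_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# `nft list ruleset` output: strip indentation, then drop structural lines
# (table/chain headers, the hook/policy line, closing braces); the rest are rules.
count_nft_rules() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' \
        | grep -v -e '^$' -e '^table ' -e '^chain ' -e '^type ' -e '^}' \
        | grep -c . || true
}

# $1: iptables-save output, $2: nft list ruleset output, $3: `iptables -V` line.
# Prints one token: shared-nft-backend, both, iptables-only, nftables-only, none.
classify_backends() {
    # With the nf_tables backend, iptables rules ARE nft tables, so the two
    # listings describe the same rules and "both" would be a false alarm.
    case "$3" in
        *nf_tables*) echo "shared-nft-backend"; return 0 ;;
    esac
    xt=$(count_xtables_rules "$1")
    nf=$(count_nft_rules "$2")
    if [ "$xt" -gt 0 ] && [ "$nf" -gt 0 ]; then
        echo "both"            # stray x_tables rules can still affect traffic
    elif [ "$xt" -gt 0 ]; then
        echo "iptables-only"
    elif [ "$nf" -gt 0 ]; then
        echo "nftables-only"
    else
        echo "none"
    fi
}

# Live check on a real host (needs root); assumed helper, not part of the page.
check_live_backends() {
    classify_backends "$(iptables-save 2>/dev/null)" \
                      "$(nft list ruleset 2>/dev/null)" \
                      "$(iptables -V 2>/dev/null)"
}

# Constructed sample: iptables-save output for a host where distribution
# default rules came back after reboot, as described in the question.
SAMPLE_IPTABLES_SAVE='# constructed sample, not real output
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed sample: a deny-by-default nft ruleset of the kind the question
# aims for; the inet family covers IPv4 and IPv6 in one table.
SAMPLE_NFT_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        udp dport 53 accept
        tcp dport { 80, 443 } accept
    }
}'

# Stand-alone run on the samples: prints "both" (3 legacy rules, 5 nft rules).
classify_backends "$SAMPLE_IPTABLES_SAVE" "$SAMPLE_NFT_RULESET" "iptables v1.8.0 (legacy)"
```

On a real host run `check_live_backends` as root; "both" with a legacy backend means rules loaded outside nft are still being evaluated and should be flushed or their loader found.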
















