Hello jabowery, the Ubertus team faced the same challenge. To resolve this, we use both nftables and firewalld from the Backports for Debian 10 Buster.
Below are detailed steps & info, if those are of interest.
Steps
- Back up everything. This is optional, but recommended in the unlikely event that the following does not work.
- Remove iptables.
- Reboot the server.
- Install nftables from the Debian Buster Backports repository, so that you get a more recent version.
- Install firewalld from the Debian Buster Backports repository, so that you get a more recent version.
- Adapt your Fail2Ban configuration appropriately for nftables. For example, but not limited to, using the Webmin Fail2Ban page, adapt its “Default action to apply” for nftables, e.g. nftables-multiport instead of iptables-multiport.
- Reboot the server.
- If fail2ban is not a fresh installation, it might need a few of its cycles to adapt itself.
- If the above fails, try the same steps but fully remove fail2ban, then reinstall a fresh new fail2ban.
- Done. You have successfully resolved the challenge with fail2ban & iptables. Enjoy!
Attribution to the Ubertus SysAdmin team & DevOps team for those steps
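As an added example (not part of the original post, and not Ubertus or Virtualmin code), the Fail2Ban step above done from the command line: a drop-in under jail.d that switches every jail to the nftables ban actions, plus a check that reads the config in Fail2Ban's load order (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and confirms no jail still calls iptables. It assumes the nftables-multiport and nftables-allports actions that ship with Fail2Ban on Buster, and takes the config directory as an argument so it can be tried against a scratch copy first.

```shell
#!/bin/sh
# Added example: point Fail2Ban at nftables and verify the result.
# $1 is the Fail2Ban config dir (defaults to /etc/fail2ban).

# Write a jail.d drop-in that overrides the default ban actions.
write_nftables_override() {
    dir="${1:-/etc/fail2ban}"
    mkdir -p "$dir/jail.d"
    cat > "$dir/jail.d/nftables.local" <<'EOF'
# nftables is the engine, firewalld the dashboard: no jail may
# fall back to the iptables-* actions once iptables is removed.
[DEFAULT]
banaction = nftables-multiport
banaction_allports = nftables-allports
EOF
    printf '%s\n' "$dir/jail.d/nftables.local"
}

# Print the effective [DEFAULT] banaction: the last value seen across
# the files in the order Fail2Ban itself loads them.
effective_banaction() {
    dir="${1:-/etc/fail2ban}"
    last=""
    for f in "$dir/jail.conf" "$dir"/jail.d/*.conf \
             "$dir/jail.local" "$dir"/jail.d/*.local; do
        [ -f "$f" ] || continue
        # Matches "banaction =" but not "banaction_allports =".
        val=$(sed -n 's/^[[:space:]]*banaction[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$val" ] && last="$val"
    done
    printf '%s\n' "${last:-unset}"
}

# Post-migration check: 0 = nftables in use, 1 = iptables still in use,
# 2 = no banaction configured at all.
check_no_iptables() {
    case "$(effective_banaction "$1")" in
        nftables*) echo "fail2ban uses nftables"; return 0 ;;
        iptables*) echo "fail2ban still uses iptables"; return 1 ;;
        *)         echo "banaction not set"; return 2 ;;
    esac
}
```

After `write_nftables_override`, reload with `fail2ban-client reload` and confirm with `nft list ruleset` that a table for the jails appears instead of iptables chains.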
Why nftables instead of iptables?
- Starting with Debian 10, iptables is officially deprecated in favour of nftables. With Debian 11 the deprecation goes even further: iptables is now the default on Debian 11. Source: Debian 11 To Further Deprecate IPTables In Favor Of Nftables Plus Promoting Firewalld - Phoronix
- Starting in August 2020, nftables is included in the Linux kernel, which results in a potentially significant increase in both performance & security.
- Fail2Ban on Debian 10 has very good support for nftables, with lots of built-in configurations.
Notes
For those not familiar with nftables: it is the new framework by the Netfilter Project, which allows you to perform packet filtering (firewalling), NAT, mangling and packet classification.
firewalld is a front-end management tool for nftables. Think of nftables as the engine and firewalld as your dashboard.
Firewalld “owns” the firewall on the system, and all management should be done using the firewalld commands or the Webmin firewalld module. Attribution to Joe at https://forum.virtualmin.com/t/firewall-iptables-and-firewalld-conflict/58278/5
Related wiki about nftables at nftables - Debian Wiki
For those not familiar with Backports: it means you get more recent versions of packages for Debian.
nftables replaces the old popular iptables, ip6tables, arptables and ebtables.