8

I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. Now all tables shown in iptables-legacy -S are empty, but when I run iptables -S the last line always says:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

I have since removed iptables-legacy from alternatives using the following command:

update-alternatives --remove iptables /usr/sbin/iptables-legacy

And now only the netfilter version is shown

root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

How can I get rid of this warning?

iBug
  • 1,589
  • Please edit your question adding the output for sudo update-alternatives --display iptables. – Doug Smythies Nov 24 '20 at 21:57
  • @DougSmythies Done. – iBug Nov 25 '20 at 09:37
  • As I understand the warning, it says that you have to run iptables-legacy command to see what rules are in legacy format. Then you can convert them to netfilter format. – Soren A Nov 25 '20 at 09:58
  • @SorenA My legacy tables are all empty, with no rules, no custom chains, and all default chains having policy ACCEPT – iBug Nov 25 '20 at 10:07
  • Well, my --display output is pretty much the same (I seem to have a priority 10 area, related to iptables-legacy, which I guess you removed). I run a very complicated iptables rule set and have not seen your warning. Note: my iptables rule set is loaded via bash script, I don't use iptables-persistent or iptables-save. I have another server, but it is still set to legacy. – Doug Smythies Nov 25 '20 at 16:23

2 Answers

3

As the error message says, it's because the legacy (non-netfilter) iptables subsystem is present. The most common cause is that the iptables-legacy command is called, which loads the legacy modules.

There are 5 modules related to legacy iptables, one for each table. (Note: The module names begin with iptable_, no S here)

iptable_filter
iptable_nat
iptable_mangle
iptable_raw
iptable_security

When ANY of them is loaded, iptables-nft decides that the legacy iptables is present and emits that warning.

Similarly, there are 5 more modules for legacy IPv6 iptables, each beginning with ip6table_ (again, no S).

After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.

Note again that using blacklist iptable_filter doesn't work here, because this directive only prevents automatic loading, not manual loading via modprobe(8) or another command. This solution using install <modulename> /bin/false should correctly prevent the module from loading under any circumstances.

iBug
  • 1,589
  • Thanks. Actually, as it is written in man rmmod, we can remove the modules by modprobe -r iptable_filter iptable_nat iptable_mangle iptable_raw iptable_security, thus we do not need to blacklist them. – pa4080 May 01 '22 at 18:14
  • @pa4080 Blacklisting these modules prevents them from being accidentally loaded again. For example, when you run iptables-legacy with any valid argument, it loads the modules and brings back the issue you're trying to solve. This may happen unexpectedly with certain software that has hard-coded iptables-legacy or similar. – iBug May 01 '22 at 21:19
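The answer above describes the modprobe.d approach but the configuration itself is not shown on the page. The script below is an added example, not the answerer's own code: it renders the "install <module> /bin/false" lines for all ten legacy table modules, checks /proc/modules for any that are still loaded, and unloads them. The configuration file name /etc/modprobe.d/iptables-legacy-disable.conf and the function names are this example's own choices.

```shell
#!/bin/bash
# Added example: disable the legacy iptable_*/ip6table_* modules as the answer describes.
# "install <module> /bin/false" makes modprobe run /bin/false instead of inserting the
# module, so even an explicit load by name (what iptables-legacy triggers) fails.
# "blacklist" alone only stops alias-based autoloading, which is why it is not enough here.
set -u

LEGACY_TABLES="filter nat mangle raw security"

# Print one "install ... /bin/false" line per legacy table module, IPv4 and IPv6 (10 lines).
legacy_modprobe_conf() {
  local t
  for t in $LEGACY_TABLES; do
    printf 'install iptable_%s /bin/false\n' "$t"
    printf 'install ip6table_%s /bin/false\n' "$t"
  done
}

# Read /proc/modules (or lsmod output) on stdin; print loaded legacy table modules, one per line.
loaded_legacy_modules() {
  awk '$1 ~ /^ip6?table_(filter|nat|mangle|raw|security)$/ { print $1 }'
}

# Exit 0 when the module list on stdin contains no legacy table module.
legacy_free() {
  [ -z "$(loaded_legacy_modules)" ]
}

# Unload every loaded legacy table module. Needs root. Fails with "Module ... is in use"
# when a legacy table still holds rules; flush those with iptables-legacy first.
unload_legacy_modules() {
  local m
  for m in $(loaded_legacy_modules < /proc/modules); do
    modprobe -r "$m" || return 1
  done
}

# Usage (as root): ./disable-legacy.sh --apply
if [ "${1:-}" = "--apply" ]; then
  conf=/etc/modprobe.d/iptables-legacy-disable.conf   # file name is this example's choice
  legacy_modprobe_conf > "$conf"
  unload_legacy_modules
  if legacy_free < /proc/modules; then
    echo "no legacy iptables table modules loaded; $conf written"
  else
    echo "legacy modules still loaded (rules present?):" >&2
    loaded_legacy_modules < /proc/modules >&2
    exit 1
  fi
fi
```

After running it, iptables -S should no longer print the warning, and a later iptables-legacy -L will fail to load its table instead of silently reviving it.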
2

I got this warning after selecting the docker package when running the Ubuntu 22.04 installer. (I did not get this when I skipped selecting packages and installed Docker manually.)

After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.

If any rule causes one of the 10 modules to be used, when you attempt to remove the module you will get an error such as

# modprobe -r iptable_nat
modprobe: FATAL: Module iptable_nat is in use.

To completely get rid of # Warning: iptables-legacy tables present, I needed to completely wipe iptables, ip6tables, iptables-legacy and ip6tables-legacy. Examine all four and check if anything from the legacy pair needs to be incorporated into the respective non-legacy pair. Below, I am using the saved non-legacy files after determining that I did not need to incorporate any deltas from the legacy ones.

iptables-save > iptables-save.txt
ip6tables-save > ip6tables-save.txt
iptables-legacy-save > iptables-legacy-save.txt
ip6tables-legacy-save > ip6tables-legacy-save.txt

# Open the default policies, then flush and delete chains in the nat, mangle and filter
# tables (the raw and security tables are not touched here; rules left in them keep
# their module "in use" and the modprobe -r below fails for that module).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -F
ip6tables -X

iptables-legacy -P INPUT ACCEPT
iptables-legacy -P FORWARD ACCEPT
iptables-legacy -P OUTPUT ACCEPT
iptables-legacy -t nat -F
iptables-legacy -t nat -X
iptables-legacy -t mangle -F
iptables-legacy -t mangle -X
iptables-legacy -F
iptables-legacy -X

ip6tables-legacy -P INPUT ACCEPT
ip6tables-legacy -P FORWARD ACCEPT
ip6tables-legacy -P OUTPUT ACCEPT
ip6tables-legacy -t nat -F
ip6tables-legacy -t nat -X
ip6tables-legacy -t mangle -F
ip6tables-legacy -t mangle -X
ip6tables-legacy -F
ip6tables-legacy -X

# Unload the ten legacy table modules now that their tables are empty.
for x in _raw _mangle _security _nat _filter; do
    modprobe -r "iptable${x}"
    modprobe -r "ip6table${x}"
done

# Put the nft-backed rule sets back from the dumps taken above.
iptables-restore < iptables-save.txt
ip6tables-restore < ip6tables-save.txt

You will also want to run

update-alternatives --remove iptables /usr/sbin/iptables-legacy

Please consult other resources about update-alternatives, migrating from iptables to nft, and the security ramifications of completely clearing iptables when the machine is connected to the network. If you have Docker installed, you will not be able to apt-get purge iptables because it is a dependency of docker-ce.

natskvi
  • 21
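The "examine all four" step in the answer above is the part that matters for security: anything that existed only in the legacy tables (a DROP policy, a custom chain, an accept rule for SSH) is gone after the wipe unless it is carried over. The script below is an added example, not the answerer's code: it normalises two iptables-save dumps (strips comments, timestamps and the [packets:bytes] counters, tags every line with its table, and ignores built-in chains still at the ACCEPT default) and prints what is present only in the legacy dump. The function names are this example's own; the file names in the usage section are the ones the answer creates.

```shell
#!/bin/bash
# Added example: list rules and chains present in a legacy dump but absent from the nft dump.
set -u

# Normalise an iptables-save style dump from stdin into sorted "table: line" records.
normalize_dump() {
  awk '
    /^#/                    { next }                        # comments and timestamps
    /^\*/                   { table = substr($0, 2); next } # remember the current table
    /^COMMIT$/              { next }
    /^:/ && $2 == "ACCEPT"  { next }                        # built-in chain at the default policy: nothing to migrate
    {
      sub(/ \[[0-9]+:[0-9]+\]$/, "")                        # drop packet/byte counters
      print table ": " $0
    }
  ' | LC_ALL=C sort -u
}

# Print records found in the legacy dump ($1) but not in the nft dump ($2).
# Empty output means the legacy tables hold nothing the nft tables lack.
legacy_only_rules() {
  local a b
  a=$(mktemp) ; b=$(mktemp)
  normalize_dump < "$1" > "$a"
  normalize_dump < "$2" > "$b"
  LC_ALL=C comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Usage: ./legacy-delta.sh --check  (in the directory holding the four *-save.txt files)
if [ "${1:-}" = "--check" ]; then
  status=0
  for fam in iptables ip6tables; do
    delta=$(legacy_only_rules "${fam}-legacy-save.txt" "${fam}-save.txt")
    if [ -n "$delta" ]; then
      echo "$fam: legacy-only entries, merge these before wiping:"
      printf '%s\n' "$delta"
      status=1
    else
      echo "$fam: nothing in the legacy tables that the nft tables lack"
    fi
  done
  exit $status
fi
```

Each printed record is prefixed with its table, so a "filter: -A INPUT ..." line can be re-added with iptables -t filter (or simply iptables) against the nft backend before the legacy tables are flushed and the modules unloaded.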