/etc/modules has all nf_tables* modules loaded
/etc/nftables.conf has no effect
What else could be done / checked?
Last edited by d0nzag (2019-06-16 03:00:34)
initrd?
This is too much. Aborting...
Try
# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults
Then reboot.
The answer is: the same way as with https://wiki.debian.org/iptables
Create executable file /etc/network/if-pre-up.d/nftables with the content
#!/bin/sh
/sbin/nft -f /<path_to>/my.nftables.rules
and that's it.
I'm setting up a mailserver and I'm trying to use nftables on Beowulf rather than iptables and ufw, as I used to on ASCII.
Try
# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults
Then reboot.
Assuming I want to start nftables as a service (in the same way that systemd imitates). I would have to change this slightly:
$ sudo cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables
$ sudo chmod +x /etc/init.d/nftables
$ sudo update-rc.d nftables defaults
When I run
$ sudo service nftables start
and then
$ sudo service nftables status
there's no output from either and the process is not running.
It looks to me that the problem is that nftables, as supplied, isn't configured to start in any runlevel:
/etc/init.d/nftables starts:
#!/bin/sh
### BEGIN INIT INFO
# Provides: nftables
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $remote_fs $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: nftables firewall service
# Description: nftables firewall system service
### END INIT INFO
# Author: Arturo Borrero Gonzalez <arturo@debian.org>
....
So no start run levels are defined. Should this be amended before running update-rc.d, and should they be the 'standard'?
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
It would be nice if the package could be devuanated for Beowulf as it's systemd specific as supplied in Debian.
I note there was some discussion about how to enable running on sysvinit back in 2015 when Arturo decided to only supply nftables.init as an example - but then not document what needed to be done to enable it.
no start run levels are defined
Good spot, I missed that.
I've just run the sysd2v-0.2.sh script on the systemd nftables.service and it says
# Default-Start: S
# Default-Stop: 0 6
So try that.
EDIT: perhaps open a bug report for this on the Debian package, the maintainer might correct it.
Last edited by Head_on_a_Stick (2020-04-22 12:27:20)
Thanks, Head_on_a_Stick, that works.
Note for anyone else searching on this topic, having edited the default run level values in /etc/init.d/nftables you have to remove any existing rc.d symlinks before you reset them, so:
$ sudo update-rc.d nftables remove
$ sudo update-rc.d nftables defaults
If you don't do that it won't just overwrite the existing symlinks (you do get a warning).
Also
$ sudo service nftables start
$ sudo service nftables status
don't provide any output. However I did check that the firewall was working as intended using nmap from a different pc on the network:
$ sudo nmap --top-ports 500 mail
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 15:17 BST
Nmap scan report for mail (192.168.1.xx)
Host is up (0.0054s latency).
Not shown: 493 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
443/tcp open https
587/tcp open submission
993/tcp open imaps
MAC Address: 2D:70:6B:23:64:91
which are just the ports I had configured to be open.
Last edited by Marjorie (2020-04-22 14:37:07)
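Following the diagnosis above (an empty Default-Start field) and the remove/defaults sequence, here is an added POSIX sh example, not code from this thread or from the nftables package, that checks an init script's LSB header for that defect, rewrites the field, and prints the update-rc.d steps. The function names and the sample header it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from this thread or the nftables package: check an init
# script's LSB header for an empty "Default-Start:" field (the defect found in
# /etc/init.d/nftables above), patch it, and print the update-rc.d sequence.
# Function names and the sample header are constructed for this example.

# Print the value of one LSB header field, e.g. lsb_field SCRIPT Default-Start
lsb_field() { # $1 = init script, $2 = field name
    sed -n "s/^# $2:[[:space:]]*//p" "$1"
}
# Succeed (0) only if the script declares at least one start runlevel.
has_start_runlevels() {
    [ -n "$(lsb_field "$1" Default-Start)" ]
}
# Rewrite one header field; $3 is the new value, e.g. "S" or "2 3 4 5".
set_lsb_field() { # $1 = init script, $2 = field name, $3 = value
    sed "s/^# $2:.*/# $2: $3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
# After fixing the header the old links must go first: update-rc.d will not
# overwrite an existing link set, it only warns.
fix_commands() { # $1 = service name
    printf 'update-rc.d %s remove\nupdate-rc.d %s defaults\n' "$1" "$1"
}
# Constructed copy of the header quoted above, with Default-Start set to $2.
make_sample() { # $1 = path, $2 = Default-Start value
    cat > "$1" <<EOF
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    \$local_fs \$network \$remote_fs \$syslog
# Required-Stop:     \$local_fs \$remote_fs \$syslog
# Default-Start:     $2
# Default-Stop:      0 6
# Short-Description: nftables firewall service
### END INIT INFO
EOF
}

demo() {
    f=$(mktemp)
    make_sample "$f" ""
    has_start_runlevels "$f" || echo "Default-Start is empty: no S* links would be created"
    set_lsb_field "$f" Default-Start S
    has_start_runlevels "$f" && fix_commands nftables
    rm -f "$f"
}
demo
```

Run it against the real script with `lsb_field /etc/init.d/nftables Default-Start` to see what the package currently declares before deciding on S or 2 3 4 5.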
Also
$ sudo service nftables start
$ sudo service nftables status
don't provide any output.
Add INIT_VERBOSE=yes to the definitions of environment variables in /etc/init.d/nftables.
Or add a line in /etc/rc.local:
/usr/sbin/nft -f /etc/firewall.tables
Or add a line in /etc/rc.local
Anything in /etc/rc.local is run late in the boot process so that would leave the network exposed, albeit very briefly. A proper init script is the best approach.