Mobian Firewall from iptables to nftables
#1
Hi,

My PinePhone Mobian CE is installed on eMMC with FDE. The Mobian docs tell me in the chapter "Firewall" that the current technology would be nftables.

I installed all available updates, but when I check the installed packages, my Mobian is still based on iptables.

# apt policy nftables
    Installed: (none)
    Candidate: 0.9.8-3

# apt policy iptables
    Installed: 1.8.7-1

I received my pinephone two weeks ago and used the installer as it came with.
Do I have to flash a newer Image to start with nftables instead of iptables?

Also, iptables is not configured yet:
# echo -e "\nIPv4:" && iptables -nvL && echo -e "\nIPv6:" && ip6tables -nvL && echo " "
  IPv4:
    Chain INPUT  (policy ACCEPT 0 packets, 0 bytes)
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    Chain OUTPUT  (policy ACCEPT 0 packets, 0 bytes)
  IPv6:
    Chain INPUT  (policy ACCEPT 0 packets, 0 bytes)
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    Chain OUTPUT  (policy ACCEPT 0 packets, 0 bytes)

I tried to replace it, but it seems to be impossible:
# apt -s remove --purge  iptables
  The following packages will be REMOVED:
    iptables* mobian-base* mobian-phone-base* mobian-phosh-base* mobian-phosh-extras* mobian-phosh-phone*
  0 upgraded, 0 newly installed, 6 to remove and 0 not upgraded.
as that would remove the phone's GUI as well.

At the moment it looks to me like I could just disable and mask iptables, and install and enable nftables.

Did I miss some documentation? Any ideas are appreciated.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#2
(02-22-2021, 05:48 AM)MicSpabo Wrote: Hi,

My PinePhone Mobian CE is installed on eMMC with FDE. The Mobian docs tell me in the chapter "Firewall" that the current technology would be nftables.

Hi there, I am the author of that part of the wiki :-). While Debian is indeed transitioning from iptables to nftables, iptables is still working fine (using nftables under the hood). As you might have seen, iptables is even pulled in by default by the mobian package. So feel free to still use iptables syntax.

I am currently reworking the text to give a brief introduction to a more user-friendly firewall, such as "ufw", which makes configuring firewalls a feasible task for mere mortals.
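An added example, not code from spaetz, MicSpabo or the Mobian wiki, to make the "iptables using nftables under the hood" point checkable: a POSIX shell script that classifies the iptables backend from the `iptables -V` version string, shows how one iptables rule reads in nft syntax via the `iptables-translate` tool that ships with the iptables package, and syntax-checks a default-deny nftables ruleset with `nft -c` without loading it. The ruleset itself (outbound-only phone, SSH rule left commented out) and the use of a temporary file are my assumptions, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the thread): tell iptables-legacy and iptables-nft
# apart, preview an iptables rule in nft syntax, and check an nftables
# ruleset without applying it.

# Classify the backend from the output of `iptables -V`.
#   "iptables v1.8.7 (nf_tables)" -> nf_tables  (iptables-nft front end; rules live in nftables)
#   "iptables v1.8.7 (legacy)"    -> legacy     (old xtables kernel API)
classify_iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Live check: only meaningful when iptables is installed on this host.
report_live_backend() {
    if command -v iptables >/dev/null 2>&1; then
        classify_iptables_backend "$(iptables -V 2>/dev/null)"
    else
        echo not_installed
    fi
}

# Preview one iptables rule in nft syntax (nothing is applied);
# constructed sample rule: allow inbound SSH.
translate_rule() {
    if command -v iptables-translate >/dev/null 2>&1; then
        iptables-translate -A INPUT -p tcp --dport 22 -j ACCEPT
    else
        echo skipped
    fi
}

# A minimal default-deny ruleset for a phone that only needs outbound
# connectivity (assumed policy; adjust to taste).
write_ruleset() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # uncomment to reach the phone over SSH from the local network:
        # tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the ruleset with `nft -c` (check only, nothing is loaded).
# Prints "checked" when nft accepted it, "invalid" when it rejected it,
# "skipped" when nft is not installed.
validate_ruleset() {
    f=$(mktemp) || return 1
    write_ruleset > "$f"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$f" >/dev/null 2>&1 && r=checked || r=invalid
    else
        r=skipped
    fi
    rm -f "$f"
    echo "$r"
}
```

On a Debian bullseye system with iptables 1.8.x, `update-alternatives --display iptables` shows whether the iptables-legacy or iptables-nft variant is selected, and `nft list ruleset` shows the tables that iptables-nft creates, which is the quickest way to convince yourself that the two tools are looking at the same kernel state.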
#3
(02-22-2021, 08:00 AM)spaetz Wrote: Hi there, I am the author of that part of the wiki :-). While Debian is indeed transitioning from iptables to nftables, iptables is still working fine (using nftables under the hood). As you might have seen, iptables is even pulled in by default by the mobian package. So feel free to still use iptables syntax.

I am currently reworking the text to give a brief introduction to a more user-friendly firewall, such as "ufw", which makes configuring firewalls a feasible task for mere mortals.

Hi,

thanks for the background. You might be right about ufw for most users.

I already started playing around with nftables on Debian (testing) last year, as I expect it will sooner or later replace iptables.
As the PinePhone is brand new, I will try to mask iptables and install nftables instead, so that I have one more
device to play around with nftables.conf. The next Mobian release might bring what I was just looking for.
Time will tell.

So far I am quite impressed, and I am happy to have nearly the same OS on my laptop as on the mobile phone.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#4
Hi,

It seems that it's not as simple as I expected.

# systemctl status iptables.service
  Unit iptables.service could not be found.

iptables is there, but there is no service that I could mask.
# apt --fix-broken reinstall iptables
# systemctl reboot

# systemctl status iptables.service
  Unit iptables.service could not be found.

As iptables is not a service, it can be neither disabled nor masked.
Looks like I have to go back into my rabbit hole and RTFM.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#5
I'm using the Linux firewall script I put together ages ago using iptables and it seems to be working just fine. (It actually started out as an ipchains script in ancient Linux from before iptables was released.) A complication is that both legacy iptables and the newer nftables are supported in recent Debian. With the latter, iptables to nftables translation takes place if you use iptables syntax. I set mine to legacy iptables using this guide:

https://wiki.debian.org/iptables

I then installed a systemd unit file to trigger the firewall script at boot time. Here's an example:

https://sleeplessbeastie.eu/2018/10/01/h...g-systemd/
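An added example of the boot-time hookup described above; it is not the poster's script nor the contents of the linked article. It is a POSIX shell script that writes a systemd unit ordering a firewall script before `network-pre.target` (the systemd target meant for "rules must exist before any interface comes up" jobs), checks that a unit text carries the settings such a loader depends on, and wraps the install steps in a function so nothing is changed unless it is called. The script path `/usr/local/sbin/firewall.sh` is a placeholder for wherever the user's own script lives.

```shell
#!/bin/sh
# Added example (not from the post or the linked article): run a firewall
# script from a systemd unit before the network comes up.
# Assumed path: FW_SCRIPT is a placeholder for the user's own script.

FW_SCRIPT=${FW_SCRIPT:-/usr/local/sbin/firewall.sh}

# Print the unit. Ordering before network-pre.target means the rules are
# in place before any interface is configured, so there is no window with
# an unfiltered interface. Type=oneshot plus RemainAfterExit=yes keeps the
# unit "active" after the script exits, so `systemctl stop` runs ExecStop.
write_firewall_unit() {
    cat <<EOF
[Unit]
Description=Load firewall rules from $FW_SCRIPT
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
After=systemd-modules-load.service local-fs.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$FW_SCRIPT start
ExecStop=$FW_SCRIPT stop

[Install]
WantedBy=multi-user.target
EOF
}

# Sanity-check a unit text read from stdin: prints "ok" when every setting
# a boot-time firewall loader depends on is present, otherwise lists what
# is missing.
check_firewall_unit() {
    unit=$(cat)
    missing=""
    for key in "Type=oneshot" "RemainAfterExit=yes" \
               "Before=network-pre.target" "Wants=network-pre.target" \
               "ExecStart=" "WantedBy=multi-user.target"; do
        case "$unit" in
            *"$key"*) ;;
            *) missing="$missing $key" ;;
        esac
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Install steps (run as root). Kept in a function so that sourcing or
# checking this file changes nothing on the host.
install_firewall_unit() {
    write_firewall_unit > /etc/systemd/system/firewall.service
    systemctl daemon-reload
    systemctl enable --now firewall.service
}
```

If the rules are kept in nftables syntax instead, Debian's `nftables` package already ships an `nftables.service` that loads `/etc/nftables.conf` at boot, so a unit like this is mainly useful for a hand-written iptables script like the one described in the post.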