Mobian Firewall from iptables to nftables
#1
Hi,

my pinephone mobian CE is installed on emmc with FDE. The Mobian Doku tells me in the chapter "Firewall", that the current technology would be nftables.

I installed all available updates, but when I check the installed packages, my Mobian is still based on iptables.

# apt policy nftables
    Installed: (none)
    Candidate: 0.9.8-3

# apt policy iptables
    Installed: 1.8.7-1

I received my pinephone two weeks ago and used the installer as it came with.
Do I have to flash a newer Image to start with nftables instead of iptables?

As iptables is not configured yet.
# echo -e "\nIPv4:" && iptables -nvL && echo -e "\nIPv6:" && ip6tables -nvL && echo " "
  IPv4:
    Chain INPUT  (policy ACCEPT 0 packets, 0 bytes)
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    Chain OUTPUT  (policy ACCEPT 0 packets, 0 bytes)
  IPv6:
    Chain INPUT  (policy ACCEPT 0 packets, 0 bytes)
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    Chain OUTPUT  (policy ACCEPT 0 packets, 0 bytes)

I tried to replace it, but it seems to be impossible,
# apt -s remove --purge  iptables
  The following packages will be REMOVED:
    iptables* mobian-base* mobian-phone-base* mobian-phosh-base* mobian-phosh-extras* mobian-phosh-phone*
  0 upgraded, 0 newly installed, 6 to remove and 0 not upgraded.
as that would remove the phone's GUI as well.

At the moment it looks to me that I could just disable and mask iptables and install and enable nftables.

Did I miss some documentation? Any ideas are appreciated.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#2
(02-22-2021, 05:48 AM)MicSpabo Wrote: Hi,

my pinephone mobian CE is installed on emmc with FDE. The Mobian Doku tells me in the chapter "Firewall", that the current technology would be nftables.

Hi there, I am the author of that part of the wiki :-). While Debian is indeed transitioning from iptables to nftables, iptables is still working fine (using nftables under the hood). As you might have seen, iptables is even pulled in by default by the mobian package. So feel free to still use iptables syntax.

I am currently reworking the text to give a brief introduction to a more user-friendly firewall, such as "ufw" which makes configuring firewalls a feasible task for mere mortals.
#3
(02-22-2021, 08:00 AM)spaetz Wrote: Hi there, I am the author of that part of the wiki :-). While Debian is indeed transitioning from iptables to nftables, iptables is still working fine (using nftables under the hood). As you might have seen, iptables is even pulled in by default by the mobian package. So feel free to still use iptables syntax.

I am currently reworking the text to give a brief introduction to a more user-friendly firewall, such as "ufw" which makes configuring firewalls a feasible task for mere mortals.

Hi,

thanks for the background. You might be right with ufw for most of the users.

I already started playing around with nftables on Debian (testing) last year, as I expect it will sooner or later replace iptables.
As the pinephone is brand new I will try and mask iptables, and install nftables instead. So that I have one more
device to play around with the nftables.conf. The next mobian release might bring what I was just looking for.
Time will show.

So far I am quite impressed and I am happy to have nearly the same OS on my laptop as on the mobile phone.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#4
Hi,

it seems that it's not as simple as I expected it.

# systemctl status iptables.service
  Unit iptables.service could not be found.

iptables is there but there is no service which I could mask.
# apt --fix-broken reinstall iptables
# systemctl reboot

# systemctl status iptables.service
  Unit iptables.service could not be found.

As iptables is not a service it cannot be disabled nor masked.
Looks like I have to go back into my rabbit hole and RTFM.

Keep well and fit,
MicSpabo
PinePhone - Mobian (bullseye) CE
#5
I'm using the Linux firewall script I put together ages ago using iptables and it seems to be working just fine. (It actually started out as an ipchains script in ancient Linux from before iptables was released.) A complication is that both legacy iptables and the newer nftables are supported in recent Debian. With the latter, iptables to nftables translation takes place if you use iptables syntax. I set mine to legacy iptables using this guide:

https://wiki.debian.org/iptables

I then installed a systemd unit file to trigger the firewall script at boot time. Here's an example:

https://sleeplessbeastie.eu/2018/10/01/h...g-systemd/
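
Added example, not part of any post in this thread: a shell check for the two points raised in posts #2 and #5, namely which backend the iptables command is using and whether the ruleset filters anything (the empty chains shown in post #1). The function names and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): identify the iptables backend and
# flag a ruleset that filters nothing inbound.

# iptables 1.8.x reports its backend in the version string, e.g.
# "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Takes the output of "iptables -S". Succeeds when the INPUT policy is
# ACCEPT and INPUT holds no rules, i.e. every inbound packet passes.
ruleset_is_open() {
    printf '%s\n' "$1" | grep -q -e '^-P INPUT ACCEPT' || return 1
    if printf '%s\n' "$1" | grep -q -e '^-A INPUT '; then return 1; fi
    return 0
}

# Constructed samples in "iptables -S" format.
SAMPLE_EMPTY='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_FILTERED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Live check: "iptables -S" needs root, so this part is skipped otherwise.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    echo "backend: $(iptables_backend "$(iptables -V)")"
    if ruleset_is_open "$(iptables -S 2>/dev/null)"; then
        echo "INPUT policy ACCEPT, no rules: nothing is filtered"
    fi
fi
```

With the nf_tables backend, rules added through iptables syntax also show up in "nft list ruleset" once the nftables package is installed; with the legacy backend they do not.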