[RESOLVED] UFW & Iptables not working in Debian 10 minimal

milkboymilkboy OG
edited December 2019 in Technical

Man, my dive into NAT VMs has not been kind...
One problem fixed, another crops up...
Now on a fresh Debian 10 I can't start ufw.

Is it an OpenVZ problem?
Not familiar with this module; Google says it is an OpenVZ module:
/lib/modules/3.10.0-957.12.2.vz7.86.2/modules.builtin.bin'

user@mrvm:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/3.10.0-957.12.2.vz7.86.2/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found in directory /lib/modules/3.10.0-957.12.2.vz7.86.2
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/3.10.0-957.12.2.vz7.86.2/modules.builtin.bin'
modprobe: FATAL: Module nf_nat_ftp not found in directory /lib/modules/3.10.0-957.12.2.vz7.86.2
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/lib/modules/3.10.0-957.12.2.vz7.86.2/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/3.10.0-957.12.2.vz7.86.2
iptables-restore: line 6 failed
iptables-restore: line 22 failed
iptables-restore v1.8.2 (nf_tables): Couldn't load match `conntrack':No such file or directory

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore: line 4 failed
iptables-restore: line 5 failed
iptables-restore: line 21 failed
iptables-restore v1.8.2 (nf_tables): unknown option "--dport"
Error occurred at line: 19
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore: line 10 failed
iptables-restore v1.8.2 (nf_tables): unknown option "--dport"
Error occurred at line: 21
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
iptables-restore v1.8.2 (nf_tables): Chain 'ufw-before-input' does not exist

Problem loading ipv6 (skipping)
Problem running '/etc/ufw/before.rules'
Problem running '/etc/ufw/after.rules'
Problem running '/etc/ufw/user.rules'

Prior to reinstalling with Debian 10, ufw on Debian 8 and Ubuntu 16.04 worked.
P.S. I'm on the MRVM SG node, running a freshly installed Debian 10.

Comments

  • UFW is garbage and you should learn to set up iptables.

    My pronouns are like/subscribe.

  • milkboymilkboy OG
    edited December 2019

    @WSS I just need something fast for testing.
    I'm very lazy after all,
    hahaha.....

    Also, iptables (iptables-nft) seems not to be working either. An iptables issue maybe?
    iptables-legacy is not working either.

  • milkboymilkboy OG
    edited December 2019

    I figured it out:
    I purged ufw and iptables, then installed iptables first and changed to iptables-legacy.
    After that, installed ufw.
    ufw seems to work only on iptables-legacy.

  • With the latest Debian 10/Buster template, just:

    • apt install iptables
    • update-alternatives --set iptables /usr/sbin/iptables-legacy
    • update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

    Now ufw should work fine.
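A small check script, added here and not part of the thread: it reads the backend name out of the `iptables -V` banner (the errors in the first post come from the `nf_tables` backend on the 3.10 OpenVZ kernel, where the `conntrack` match and `--dport` fail to load) and prints the update-alternatives commands from the post above when a switch to legacy is needed. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Debian 10 container
# needs the iptables-legacy backend for ufw, judging by the "iptables -V" banner.

# Extract the backend name from a banner such as
# "iptables v1.8.2 (nf_tables)" -> nf_tables, "iptables v1.8.2 (legacy)" -> legacy.
iptables_backend() {
    printf '%s\n' "$1" | sed -n 's/.*(\([a-z_]*\)).*/\1/p'
}

# Exit status 0 when the backend is nf_tables (ufw in this thread only works
# on legacy), 1 when it is already legacy, 2 when the banner is not recognised.
needs_legacy() {
    case "$(iptables_backend "$1")" in
        nf_tables) return 0 ;;
        legacy)    return 1 ;;
        *)         return 2 ;;
    esac
}

# The two commands from the post above; both IPv4 and IPv6 must be switched,
# otherwise ufw's ip6tables rules still go through nf_tables.
legacy_switch_commands() {
    cat <<'EOF'
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
EOF
}

# Live check against the installed iptables (only when run with --check).
main() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables is not installed; run: apt install iptables" >&2
        return 1
    fi
    banner=$(iptables -V 2>&1)
    if needs_legacy "$banner"; then
        echo "backend is nf_tables; switch with:"
        legacy_switch_commands
    else
        echo "backend is $(iptables_backend "$banner"); nothing to do"
    fi
}

if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as `sh check-backend.sh --check` on the container; the script only prints the commands and does not change the alternatives itself.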

  • InceptionHostingInceptionHosting Hosting ProviderOG

    The actual issue here is that iptables is not installed at all as standard in those templates.

    I am going to have to make a new template set with it included and distribute them; I think minimal went a bit far.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • iptables-legacy? I thought iptables/netfilter was being replaced with something? :)

  • nftables is the default in Buster, it seems.

    The all seeing eye sees everything...

  • @terrorgen said:
    nftables is the default in Buster, it seems.

    Ah, so iptables-legacy is just the regular iptables with a tag to identify that it is now considered legacy (nftables being the new one)...

  • @flips said:

    @terrorgen said:
    nftables is the default in Buster, it seems.

    Ah, so iptables-legacy is just the regular iptables with a tag to identify that it is now considered legacy (nftables being the new one)...

    Yeah, old scripts, like the OpenVPN installer script, don't work with nftables; just tested it. Need to change to iptables-legacy.

    I guess it breaks not just UFW, but many of the old scripts that use iptables.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    I have also found that loading the modules on the host node (which is EL7 based) for containers to be able to use nf* makes them incredibly unstable; I am sure it will be fixed over time.

  • SpeedBusSpeedBus Hosting ProviderOG

    Is netfilter set to full for this container?

    vzctl set VMID --netfilter full --save


  • @milkboy said:

    @flips said:

    @terrorgen said:
    nftables is the default in Buster, it seems.

    Ah, so iptables-legacy is just the regular iptables with a tag to identify that it is now considered legacy (nftables being the new one)...

    Yeah, old scripts, like the OpenVPN installer script, don't work with nftables; just tested it. Need to change to iptables-legacy.

    I guess it breaks not just UFW, but many of the old scripts that use iptables.

    It feels very un-Debian to me... these (breakages of older scripts) should've been caught in testing or unstable and not released to stable until most of the popular scripts had made accommodations for nftables..

  • The cutover to nftables default is such a pain. Kubernetes also requires reverting to iptables-legacy.

  • edited December 2019

    @WSS said:
    UFW is garbage and you should learn to set up iptables.

    ^this.

    @milkboy said:
    Is it Openvz problem?

    Quite likely.
    Do it with iptables, no matter that you're on OpenVZ.

  • And after you learn iptables, now you can learn the "new hotness" that is nftables....

  • @WSS said:
    UFW is garbage and you should learn to set up iptables.

    Yes, but I think a loincloth is better than no clothes.

  • Janevski said: UFW is garbage and you should learn to set up iptables.

    I guess you did TL;DR.
    I needed some quick and dirty method. I reinstall the OS on a weekly basis to test software and find the limitations of NAT VPS (I'm new to NAT VPS).

    poisson said: Yes, but I think a loincloth is better than no clothes.

    Yup.

    terrorgen said: It feels very un-Debian to me...

    Feels like Debian to me. I remember systemd broke a few things on Jessie when it was released; it just takes time to iron out.
