Asked Tue, June 7, 2022, 8:50:53 · 1 answer · 21878 hits

I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. Now all tables shown in iptables-legacy -S are empty, but when I run iptables -S the last line always says:


# Warning: iptables-legacy tables present, use iptables-legacy to see them

I have since removed iptables-legacy from alternatives using the following command:


update-alternatives --remove iptables /usr/sbin/iptables-legacy

And now only the netfilter version is shown:

root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
link best version is /usr/sbin/iptables-nft
link currently points to /usr/sbin/iptables-nft
link iptables is /usr/sbin/iptables
slave iptables-restore is /usr/sbin/iptables-restore
slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
slave iptables-restore: /usr/sbin/iptables-nft-restore
slave iptables-save: /usr/sbin/iptables-nft-save

How can I get rid of this warning?



Answers

As the error message says, it's because the legacy (non-netfilter) iptables subsystem is present. The most common cause is that the iptables-legacy command is called, which loads the legacy modules.


There are 5 modules related to legacy iptables, one for each table. (Note: The module names begin with iptable_, no S here)


iptable_filter
iptable_nat
iptable_mangle
iptable_raw
iptable_security

When ANY of them is loaded, iptables-nft decides that the legacy iptables is present, and emits the said warning.


Similarly, there are 5 more modules for legacy IPv6 iptables, each beginning with ip6table_ (no S here either).


After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.


Note again that using blacklist iptable_filter doesn't work here because this directive only prevents automatic loading, but not manual loading via modprobe(8) or another command. This solution using install <modulename> /bin/false should correctly prevent the module from loading under any circumstances.


Answered Tuesday, June 7, 2022
tionavocad (Liechtenstein, member since Wed, Dec 8, 2021)
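Putting the steps from the answer together, as an added example (not code from the original answer): a POSIX shell script that reports which of the ten legacy modules are currently loaded (by reading /proc/modules), unloads them with rmmod, and writes the install <module> /bin/false override that also blocks explicit modprobe. The config file path /etc/modprobe.d/disable-iptables-legacy.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answer. The ten legacy modules the answer
# lists: five for IPv4 (iptable_*) and five for IPv6 (ip6table_*).
LEGACY_MODULES="iptable_filter iptable_nat iptable_mangle iptable_raw iptable_security \
ip6table_filter ip6table_nat ip6table_mangle ip6table_raw ip6table_security"

# Print the modprobe.d snippet: one "install <mod> /bin/false" line per module.
# Unlike "blacklist", "install" also stops an explicit "modprobe <mod>" from loading it.
legacy_modprobe_conf() {
    for m in $LEGACY_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read text in /proc/modules format on stdin (first field is the module name)
# and print the legacy modules that are loaded, one per line.
loaded_legacy_modules() {
    awk -v list="$LEGACY_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Run as root: unload every loaded legacy module, then install the override.
# Fails (non-zero) if any rmmod fails, e.g. because a module is still in use.
# Assumed config path; any file under /etc/modprobe.d/ works.
disable_legacy_iptables() {
    conf=${1:-/etc/modprobe.d/disable-iptables-legacy.conf}
    for m in $(loaded_legacy_modules < /proc/modules); do
        rmmod "$m" || return 1
    done
    legacy_modprobe_conf > "$conf"
}
```

Preview the override with legacy_modprobe_conf, check what is loaded with loaded_legacy_modules < /proc/modules, and run disable_legacy_iptables as root to apply; afterwards iptables -S should no longer print the warning.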