Completely remove ufw, delete all iptables chains and rules, for a fresh start with nftables firewall in Ubuntu MATE 19.04

Though I have gone through quite a few threads on AskUbuntu (1, 2, 3), and elsewhere, I'm a little confused about how to proceed.

I'd like to completely remove ufw, delete all iptables chains and rules, for a fresh start with nftables firewall in Ubuntu MATE 19.04

If I understand correctly (from the threads I have linked), I need to run the following:

sudo ufw reset

sudo systemctl disable ufw

sudo apt purge ufw gufw

sudo iptables -F

sudo iptables -Z

Then ?

for i in `iptables -L INPUT --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D INPUT $i ; done
for i in `iptables -L FORWARD --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D FORWARD $i ; done
for i in `iptables -L OUTPUT --line-numbers |grep '[0-9].*ufw' | cut -f 1 -d ' ' | sort -r `; do iptables -D OUTPUT $i ; done
for i in `iptables -L | grep 'Chain .*ufw' | cut -d ' ' -f 2`; do iptables -X $i ; done

The questions I have are:

(1) How do I "disable or deactivate" iptables so it doesn't interfere with the nftables firewall later on?

(2) In addition to removing ufw, should I remove iptables too:

sudo apt remove --auto-remove iptables

(3) Then proceed with installing and configuring nftables. Is this the correct order?

Thanks a lot in advance.
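Put together as an added example for the procedure asked about above (it is not a script from this thread, nor from the ufw or nftables projects): a POSIX shell script that disables and purges ufw, resets the policies and flushes every table for both iptables and ip6tables, and then checks that nothing is left behind. It assumes iptables 1.8 or newer, whose `iptables -V` output names its backend: with `(nf_tables)` the iptables commands store their rules as nftables tables, so they appear in `nft list ruleset` next to the rules nft loads itself, and a `flush ruleset` at the top of nftables.conf removes them as well; with `(legacy)` they live in the old xtables backend that nft does not show. The iptables-save text inside the script is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example (not a script from this thread or from the ufw/nftables
# projects): tear ufw down, clear every iptables table for IPv4 and IPv6,
# then verify that nothing is left to compete with nftables.
# Assumes iptables 1.8 or newer, whose `iptables -V` names its backend.
set -eu

# Classify `iptables -V` output. "(nf_tables)" means the iptables commands
# write nftables rules that show up in `nft list ruleset`; "(legacy)" means
# the old xtables backend, which nft does not display.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;   # pre-1.8 iptables prints no backend
    esac
}

# Print ufw's user-defined chains found in iptables-save (":ufw-x - [0:0]")
# or `iptables -S` ("-N ufw-x") output read from stdin; ufw6-* chains too.
ufw_chains() {
    awk '$1 ~ /^:ufw/              { sub(/^:/, "", $1); print $1 }
         $1 == "-N" && $2 ~ /^ufw/ { print $2 }'
}

# Exit 0 only if iptables-save output on stdin has no rules, no user chains
# and an ACCEPT policy on every built-in chain; otherwise list what remains.
iptables_is_clean() {
    awk 'BEGIN { bad = 0 }
         /^-A /                              { print "rule left: " $0; bad = 1 }
         /^:/ && $2 == "-"                   { print "user chain left: " $1; bad = 1 }
         /^:/ && $2 != "-" && $2 != "ACCEPT" { print "non-ACCEPT policy: " $1 " " $2; bad = 1 }
         END { exit bad }'
}

# Reset policies first: flushing rules while a policy is DROP would cut off
# all traffic, including the SSH session doing the flushing. Then flush,
# delete user chains and zero counters in every table. Plain `iptables -F`
# only touches the filter table, and only for IPv4.
reset_tables() {
    for cmd in iptables ip6tables; do
        for chain in INPUT FORWARD OUTPUT; do "$cmd" -P "$chain" ACCEPT; done
        for table in filter nat mangle raw; do
            "$cmd" -t "$table" -F
            "$cmd" -t "$table" -X
            "$cmd" -t "$table" -Z
        done
    done
}

# Full sequence, as root: `sh fresh_start.sh run` (fresh_start.sh is this file).
main() {
    ufw disable                      # ufw unloads its own chains here
    systemctl disable --now ufw
    apt purge --auto-remove ufw gufw
    reset_tables
    echo "iptables backend: $(iptables_backend "$(iptables -V)")"
    for cmd in iptables ip6tables; do
        left=$("${cmd}-save" | ufw_chains | tr '\n' ' ')
        [ -z "$left" ] || echo "$cmd: ufw chains still present: $left"
        "${cmd}-save" | iptables_is_clean && echo "$cmd: clean"
    done
}

# Constructed iptables-save output as ufw leaves it (not from a real host).
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-input - [0:0]
:ufw-user-input - [0:0]
-A INPUT -j ufw-before-input
-A ufw-before-input -i lo -j ACCEPT
COMMIT'

case "${1:-}" in
    run) main ;;
    *)   echo "ufw chains in sample:"; printf '%s\n' "$SAMPLE_SAVE" | ufw_chains
         printf '%s\n' "$SAMPLE_SAVE" | iptables_is_clean || echo "(sample is not clean, as expected)" ;;
esac
```

Only the `run` argument executes the destructive steps; without it the script just runs its checks over the constructed sample. `ufw disable` stays before the purge because ufw unloads its own chains when disabled, so the `ufw_chains` report afterwards should come back empty, and `reset_tables` catches anything else, which is also why the grep-over-`iptables -L` loops from the question are not needed.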

As far as I am aware, the actual firewall is a part of the Linux kernel networking subsystem. The other 'firewalls' we are talking about are not firewalls themselves. They are just different configuration utilities for the only actual firewall.

In a perfect world you could use any of these utilities interchangeably. In the real world some of them have their own configuration enforcement technique, and several utilities enforcing their configurations cannot be in accord.
IMHO, the order of removal is irrelevant. And I am not sure that iptables has to be deleted. It looks very basic and safe.

@ugnvs thanks for the reply.

Just a little while ago I removed ufw and gufw and flushed the iptables chains and rules. It now looks like this:

$ sudo iptables --line-numbers -L
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
$ 

Then I enabled and started nftables.service. Also, I believe nftables is from the same team, the Netfilter project, that brought us iptables.

I do have some experience with nftables, but on Debian 10 servers where there was no iptables to begin with. So configuring nftables is not a problem for me (once iptables has been removed properly).

My main concern was that the iptables chains and rules are removed properly, so they would not interfere with nftables.

Is there any way to know which set of rules is controlling network packet filtering etc.: iptables or nftables?

I think my nftables.service is running OK:

$ sudo systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enab
   Active: active (exited) since Wed 2019-10-02 20:53:21 IST; 1h 11min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 503 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/S
 Main PID: 503 (code=exited, status=0/SUCCESS)

Oct 02 20:53:21 um systemd[1]: Started nftables.
Warning: Journal has been rotated since unit was started. Log output is incomplete or
$
$ sudo nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept
		ip saddr 192.168.0.0/16 tcp dport ssh counter packets 0 bytes 0 accept
		ct state established,related accept
		tcp dport ssh ct state new limit rate 10/minute accept
		ct state invalid drop
		ip saddr 192.168.0.0/16 tcp dport ftp-data counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/16 tcp dport ftp counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/16 tcp dport ftps counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter packets 0 bytes 0 accept
		ip saddr 192.168.0.0/16 icmp type echo-request counter packets 1 bytes 84 accept
		icmp type echo-request counter packets 0 bytes 0 drop
		ip protocol igmp drop
		reject
		log flags all counter packets 0 bytes 0 drop
		log prefix "[nftables] Input Denied: " flags all counter packets 0 bytes 0 drop
	}
}
$ 

Here's my simple nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                iifname lo accept

                # ssh for internal network
                ip saddr 192.168.0.0/16 tcp dport 22 counter accept
                ct state established,related accept

                # Avoid brute force on ssh
                tcp dport 22 ct state new limit rate 10/minute accept

                # Early drop of invalid connections
                ct state invalid drop

                # VsFTPD
                ip saddr 192.168.0.0/16 tcp dport 20 counter accept
                ip saddr 192.168.0.0/16 tcp dport 21 counter accept
                ip saddr 192.168.0.0/16 tcp dport 990 counter accept
                ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter accept

                # ICMP & IGMP
                ip saddr 192.168.0.0/16 icmp type echo-request counter accept
                icmp type echo-request counter drop
                ip protocol igmp drop

                # Everything else
                reject with icmpx type port-unreachable

                log flags all counter drop
                log prefix "[nftables] Input Denied: " flags all counter drop
        }
}
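The two `log ... drop` rules at the end of the chain above come after an unconditional `reject`, and nft stops evaluating a chain at the first terminal verdict (accept, drop or reject), so those two rules can never match and the `[nftables] Input Denied:` prefix will never reach the journal. Below is an added example of my own, not the poster's file: a small checker that flags rules placed after an unconditional verdict, and a corrected version of the same config that logs and rejects in one rule. Assumptions: the checker is a line-based heuristic (a rule whose first word is `accept`, `drop` or `reject`, or one that starts with `log` or `counter` and ends in a verdict, counts as unconditional); the excerpt it is demonstrated on is a shortened copy of the chain above; `nft -c -f` is used for a syntax check only when nft is installed.

```shell
#!/bin/sh
# Added example (not the poster's file). nft walks a chain top to bottom and
# stops at the first terminal verdict, so rules after an unconditional
# accept/drop/reject are dead. unreachable_rules() flags them; the config in
# write_good_config() is the poster's ruleset with the log moved in front of
# the reject. The heuristic is line based and assumes one rule per line.
set -eu

# Read an nftables config on stdin; print "<line>: <rule>" for every rule
# that follows an unconditional terminal rule within the same chain.
unreachable_rules() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); l = line " " }   # trim, pad
        l ~ /^chain /            { dead = 0; next }   # new chain: reachable again
        line == "}"              { dead = 0; next }   # chain or table closed
        line == "" || l ~ /^#/   { next }             # blank or comment
        l ~ /^type /             { next }             # chain header, not a rule
        dead                     { printf "%d: %s\n", NR, line; next }
        l ~ /^(accept|drop|reject) /                                { dead = 1; next }
        l ~ /^(log|counter) / && l ~ / (accept|drop|reject) /        { dead = 1 }
    '
}

# Shortened copy of the poster's input chain: the two log rules after the
# bare reject are the ones that never run.
BAD_SNIPPET='table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid drop
                # Everything else
                reject with icmpx type port-unreachable

                log flags all counter drop
                log prefix "[nftables] Input Denied: " flags all counter drop
        }
}'

# Write the corrected config to the path given as $1 (e.g. /etc/nftables.conf).
write_good_config() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;

                iifname lo accept

                # ssh for internal network
                ip saddr 192.168.0.0/16 tcp dport 22 counter accept
                ct state established,related accept

                # Avoid brute force on ssh
                tcp dport 22 ct state new limit rate 10/minute accept

                # Early drop of invalid connections
                ct state invalid drop

                # VsFTPD
                ip saddr 192.168.0.0/16 tcp dport 20 counter accept
                ip saddr 192.168.0.0/16 tcp dport 21 counter accept
                ip saddr 192.168.0.0/16 tcp dport 990 counter accept
                ip saddr 192.168.0.0/16 tcp dport 40000-50000 counter accept

                # ICMP & IGMP
                ip saddr 192.168.0.0/16 icmp type echo-request counter accept
                icmp type echo-request counter drop
                ip protocol igmp drop

                # Everything else: log is not terminal, so log and reject in
                # one rule; nothing can sit after the reject.
                log prefix "[nftables] Input Denied: " flags all counter reject with icmpx type port-unreachable
        }
}
EOF
}

# Syntax-check a config without loading it; skipped when nft is not installed.
check_syntax() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed, syntax check skipped" >&2
    fi
}

echo "unreachable rules in the poster's excerpt:"
printf '%s\n' "$BAD_SNIPPET" | unreachable_rules
```

To use the corrected file, call `write_good_config /tmp/nftables.conf`, run `check_syntax /tmp/nftables.conf` as root, and only then copy it over /etc/nftables.conf and restart nftables.service; the per-port counters from the original are kept so `nft list ruleset` still shows which FTP rule is matching.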

Well, just give it a try! Add any rule, reboot and verify whether it was loaded OK again.

I know the old way of making iptables load its configuration at OS startup, and do not know how that is done today.
At least I see no trace of an iptables configuration in /etc, nor of any iptables invocation in the /etc/network/ scripts on my system. It looks like my iptables does not load any configuration at startup.

I just changed a rule in nftables.conf, restarted nftables.service, and yes, it's working.

Thank you :slight_smile: