22.03 How to install iptables?

sjkhsl · January 6, 2023, 8:13am

How can I install iptables into 22.03 when compiling locally? After I copied the 21.02 package/network/utils/iptables folder to 22.03, an error was reported when compiling! Can't it be used directly? What needs to be modified?

RouterHints.com · January 6, 2023, 8:31am

The question is: WHY would you want to use the legacy/obsolete I-tables when the rest of the world moved on to nftables and actually BPF.

hnyman · January 6, 2023, 8:35am

22.03 uses the nftables based firewall4 instead of the old iptables firewall.
That's why you get problems if you try to use old package selections.

You should likely check your build recipe and drop/modify the iptables related stuff as needed.

sjkhsl · January 6, 2023, 9:02am

It is important for me to use mwan3, and under nftables, the rules are not enforced correctly!

sjkhsl · January 6, 2023, 9:04am

It is too radical to disconnect iptables and use nftables at once, and many plug-ins are not very compatible with nftables. If it can be used normally, there is no need to work hard to install iptables

RouterHints.com · January 6, 2023, 9:28am

The switch was actually slowly since 2016! ALL main distros have switched (Debian Ubuntu Arch etc) since at least 2021.

So I would actually blame outdated (not properly maintained) packages / plugins.
For specifically mwan3, I know that Florian (the package maintainer) was (is?) trying to update the scripts to nftables.

Not sure what other plugins you are referring to. But for mwan3 I would open another topic like "port mwan3 to nftables and remove iptables dependencies". That doesn't help your problem now, but hopefully that will start the ball rolling for everyone else who is also using mwan3.

BTW: what compile error(s) are you getting.

Let me try to compile it myself to see why it doesn't work compiled from source.

lantis1008 · January 6, 2023, 10:08am

Don't do this.
Just select iptables-zz-legacy as a package. You can examine the Makefile of the 22.03 iptables for the new package names. You would also want to downgrade from firewall4 to firewall (which is firewall3).

There are equivalents for ip6tables, ebtables, arptables etc as well.

sjkhsl · January 6, 2023, 5:48pm

make[3]: Entering directory '/home/sjkhsl/openwrt-22.03/package/network/utils/iptables'
touch /home/sjkhsl/openwrt-22.03/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.7/.prepared_dac2cb90182ac6a33c6d827e2e7d9127_6664517399ebbbc92a37c5bb081b5c53_check
. /home/sjkhsl/openwrt-22.03/include/shell.sh; bzcat /home/sjkhsl/openwrt-22.03/dl/iptables-1.8.7.tar.bz2 | tar -C /home/sjkhsl/openwrt-22.03/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.7/.. -xf -
[ ! -d ./src/ ] || cp -fpR ./src/. /home/sjkhsl/openwrt-22.03/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.7

Applying ./patches/010-add-set-dscpmark-support.patch using plaintext:
patching file extensions/libxt_CONNMARK.c
patching file include/linux/netfilter/xt_connmark.h

Applying ./patches/020-treewide-use-uint-instead-of-u_int.patch using plaintext:
patching file extensions/libxt_conntrack.c
patching file include/libipq/libipq.h
patching file include/libiptc/libxtc.h
patching file include/linux/netfilter_arp/arpt_mangle.h
patching file iptables/xshared.c
Hunk #1 FAILED at 1025.
1 out of 1 hunk FAILED -- saving rejects to file iptables/xshared.c.rej
patching file iptables/xshared.h
Hunk #1 FAILED at 80.
1 out of 1 hunk FAILED -- saving rejects to file iptables/xshared.h.rej
patching file libipq/ipq_create_handle.3
patching file libipq/ipq_set_mode.3
Patch failed!  Please fix ./patches/020-treewide-use-uint-instead-of-u_int.patch!
make[3]: *** [Makefile:664: /home/sjkhsl/openwrt-22.03/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.7/.prepared_dac2cb90182ac6a33c6d827e2e7d9127_6664517399ebbbc92a37c5bb081b5c53] Error 1
make[3]: Leaving directory '/home/sjkhsl/openwrt-22.03/package/network/utils/iptables'
time: package/network/utils/iptables/compile#0.20#0.07#0.25
    ERROR: package/network/utils/iptables failed to build.
make[2]: *** [package/Makefile:116: package/network/utils/iptables/compile] Error 1
make[2]: Leaving directory '/home/sjkhsl/openwrt-22.03'
make[1]: *** [package/Makefile:110: /home/sjkhsl/openwrt-22.03/staging_dir/target-x86_64_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/sjkhsl/openwrt-22.03'
make: *** [/home/sjkhsl/openwrt-22.03/include/toplevel.mk:231: world] Error 2

Copy iptables from the lede repository

bluewavenet · January 6, 2023, 6:59pm

It's far better to select iptables-nft as a package and leave firewall4 in place. Then just about all packages will work including mwan3 as well as nft compatible packages.
It pretty successfully gives the best of both worlds with only very few problems.

sjkhsl · January 7, 2023, 8:55am

Thanks for the guide, it worked!

sjkhsl · January 7, 2023, 9:03am

I will pay attention! Thank you for your contributions!

sjkhsl · January 7, 2023, 9:04am

Coincidentally, there is a problem with the way I use it!

tmomas · January 9, 2023, 9:13am

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

anorman · February 24, 2024, 1:10am

Why would I want to use legacy iptables?

Tell me how to do this in nft and then I'll consider moving as these type commands are used throughout my entire network to protect it.. What is the equivalent in nft???

-A INPUT -p tcp -m state --state NEW -m tcp --dport 1967 -m recent --set --name knocked --mask 255.255.255.255 --rsource