Iptables vs nft

Fail safe boot. Mount_root. Change config. Reboot

I'm back in, restored the firmware.
So, the uci rules I ran locked me out I guess since I didn't run any additional ones.
Should I run them again and, this time, not log out for any reason, so I can find out what happened?

BTW, yes, kmod-ipt-nat is installed.

The problem was conflicting firewalls???

/etc/init.d/firewall stop; /etc/init.d/firewall disable

I turned off the firewall as suggested, entered my 5 rules and it works perfectly.
I'm really a little confused here.

>If you are absolutely sure about that, stop and disable fw4 to avoid "collisions" and run your 
>custom iptables rules (but not using /etc/firewall.user which doesn't even exist in this version).
>/etc/init.d/firewall stop; /etc/init.d/firewall disable

What does this mean, if I'm absolutely sure? If turning off this 'firewall' service lets me use iptables correctly, I would still have security on the device anyhow, would I not?


This means that no one here knows how your device is connected to the internet and it is up to you to decide if it is safe to stop the firewall service or not.

Define "correctly". If you think that blocking (http) access to the web interface of the device from the other end of the tunnel is enough security, then yes, you are using iptables correctly.

Note that everything else remains open…

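The point of the reply above, that blocking one port on an otherwise open box is not a firewall, is easiest to see as a ruleset with default-deny policies. The script below is an added example written for this thread, not code from any poster or from OpenWrt: it generates such a ruleset for a router whose fw4 service has been stopped and disabled, refuses to load it if it would drop SSH from the LAN, and applies it with a timed rollback so a bad rule cannot lock you out the way the earlier uci run did. The interface names `br-lan` and `eth0`, the `/tmp` file paths, the 120-second window and the availability of the `conntrack` match are all assumptions; adjust them for your device.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt.
# Generates a default-deny iptables ruleset for a router whose OpenWrt
# firewall service (fw4) is stopped and disabled, checks that it still admits
# SSH from the LAN, and applies it with a timed rollback.
# LAN_IF, WAN_IF, the conntrack match and the /tmp paths are assumptions.

LAN_IF="${LAN_IF:-br-lan}"          # assumed LAN bridge interface
WAN_IF="${WAN_IF:-eth0}"            # assumed WAN interface
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
BACKUP=/tmp/iptables.rollback
PENDING=/tmp/iptables.pending

# Emit an iptables-restore ruleset. INPUT and FORWARD default to DROP, so a
# listener is reachable only if a rule names it; blocking port 80 on an
# otherwise ACCEPT policy would leave every other listener open.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67:68 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if it keeps SSH open from the LAN.
ruleset_allows_ssh() {
    grep -q -- "^-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT\$"
}

# Save the live rules, load the new ones, and revert automatically unless
# confirm_rules is run from a fresh SSH session within ROLLBACK_SECS.
apply_with_rollback() {
    build_ruleset | ruleset_allows_ssh || {
        echo "refusing: ruleset has no SSH allow rule on $LAN_IF" >&2
        return 1
    }
    iptables-save > "$BACKUP" || return 1
    touch "$PENDING"
    build_ruleset | iptables-restore || { rm -f "$PENDING"; return 1; }
    # Background timer: if the pending flag still exists when it fires,
    # the confirmation never came, so the saved rules are restored.
    ( sleep "$ROLLBACK_SECS"; [ -e "$PENDING" ] && iptables-restore < "$BACKUP" ) &
    echo "applied; run '$0 confirm' within ${ROLLBACK_SECS}s or the old rules return"
}

# Called from a second session once you have verified you can still log in.
confirm_rules() { rm -f "$PENDING"; }

case "${1:-}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    show)    build_ruleset ;;
esac
```

Run it as `sh fw.sh show` to review the generated rules, `sh fw.sh apply` to load them, then open a new SSH session and run `sh fw.sh confirm`; if that second login fails, the timer restores the previous rules on its own. The same pattern works for any hand-written ruleset: replace `build_ruleset` with `cat your-rules.v4` and keep the SSH check.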
In case you are willing to dive into generating your firmware from sources, you can avoid OpenWrt's firewall completely and use your own (old) iptables commands instead. That's what I have been doing for years, because this is much easier when meddling around with seldom-used packages, i.e. squid or coova-chilli, which either modify iptables themselves or need complicated custom setups.
Works for me up to 22.03.04 incl. Might break in the future, though.

I don't have to block port 80 since nothing is running on it but it was just for testing. I had initially forwarded port 80 to another device on the LAN and I guess forgot it there all this time due to testing.

In fact, I do build my own using image builder. I install iptables and specifically minus out firewall.
(iptables -firewall) etc.

To me, iptables has always been a firewall so I'm not sure what you mean by if I disable 'firewall' I would have no security.

OK, another "anti-fan" of OpenWrt's firewall. Then, just out of curiosity, where/when/how do you load your iptables rules?

Not so much an anti-fan but wasn't even aware this was happening. As I showed, I installed iptables and specifically blocked firewall but it got installed anyhow. I've been thinking the problem was nft related all this time.

I simply use ssh to send iptables commands to the device.

Now that I've disabled the 'firewall' and using my iptables commands instead, all seems to be working as expected.

Try excluding the new firewall4 package next build.

I'll do that, thank you.

$ opkg list-installed | grep fire
firewall4 - 2022-10-18
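The `opkg list-installed` check above is the right way to find out whether a firewall service package slipped into the build; the functions below turn that check into something you can run before trusting hand-loaded iptables rules, and derive the image builder exclusions from what was found. This is an added example for this thread, not code from any poster or from OpenWrt. The installed-package listing is constructed for the example (the version strings are made up), and `iptables-nft` and `kmod-ipt-nat` are only there as plausible neighbours in the list.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt.
# Parses the "name - version" lines printed by `opkg list-installed` to detect
# a firewall service package (firewall or firewall4) that would be started at
# boot and reload its own tables over hand-loaded iptables rules.

# Constructed sample of `opkg list-installed` output; versions are made up.
SAMPLE_INSTALLED='base-files - 1513-r19803
firewall4 - 2022-10-18
iptables-nft - 1.8.7-7
kmod-ipt-nat - 5.10.146-1'

# Read list-installed output on stdin; print installed firewall service
# package names, one per line. Matching on the first field avoids false hits
# on packages that merely contain the word "firewall".
installed_firewall_pkgs() {
    awk '$1 == "firewall" || $1 == "firewall4" { print $1 }'
}

# Succeed when a firewall service package is installed.
has_firewall_service() {
    [ -n "$(installed_firewall_pkgs)" ]
}

# Turn the detected packages into image builder exclusions: a leading "-"
# in PACKAGES removes a package the profile would otherwise include, so
# "-firewall" alone is not enough on a release that ships firewall4.
exclusion_args() {
    installed_firewall_pkgs | sed 's/^/-/' | tr '\n' ' ' | sed 's/ $//'
}

# Report on the sample data; on a device use: opkg list-installed | ...
if printf '%s\n' "$SAMPLE_INSTALLED" | has_firewall_service; then
    echo "firewall service installed; custom iptables rules will be overridden at boot"
    echo "image builder: make image PACKAGES=\"iptables-nft $(printf '%s\n' "$SAMPLE_INSTALLED" | exclusion_args)\""
else
    echo "no firewall service package installed"
fi
```

On a live router, replace the sample with `opkg list-installed | has_firewall_service`; if it succeeds, either stop and disable the service as described earlier in the thread or rebuild with the printed exclusions so the package never lands on the device.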