Warning iptables use legacy

Installing and Using OpenWrt
1

hello i has this message when i put a script iptables to my firewall nftables

# Warning: iptables-legacy tables present, use iptables-legacy to see them
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# Warning: ip6tables-legacy tables present, use ip6tables-legacy to see them
root@OpenWrt:~#

it's important or no you think ?

my nft list ruleset is like this

root@OpenWrt:~# nft list ruleset
table ip mangle {
        chain dscptag {
                meta l4proto tcp # xt_connbytes # xt_comment counter packets 537 bytes 136827 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 22 bytes 2488 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 22 bytes 1672 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 63 bytes 9311 # xt_DSCP
                meta l4proto icmp # xt_comment counter packets 2034 bytes 146444 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 1 bytes 420 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 474 bytes 132399 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 135 bytes 8133 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
                counter packets 52779 bytes 28555033 jump dscptag
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
                # xt_comment counter packets 6924 bytes 1240122 # xt_DSCP
        }
}
table ip6 mangle {
        chain dscptag {
                meta l4proto tcp # xt_connbytes # xt_comment counter packets 1604 bytes 396292 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 4 bytes 384 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 6 bytes 658 # xt_DSCP
                meta l4proto icmp # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 210 bytes 47000 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 19 bytes 1656 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 744 bytes 185123 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 20 bytes 1554 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 115 bytes 45193 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_connbytes # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 1 bytes 101 # xt_DSCP
                meta l4proto tcp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
                meta l4proto udp # xt_multiport # xt_comment counter packets 0 bytes 0 # xt_DSCP
        }

        chain POSTROUTING {
                type filter hook postrouting priority mangle; policy accept;
                counter packets 29451 bytes 12326651 jump dscptag
        }

        chain FORWARD {
                type filter hook forward priority mangle; policy accept;
                # xt_comment counter packets 5515 bytes 2523713 # xt_DSCP
        }
}
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy accept;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname { "br-lan", "lanveth" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname { "br-lan", "lanveth" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname { "br-lan", "lanveth" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain accept_from_lan {
                iifname { "br-lan", "lanveth" } counter packets 108 bytes 8214 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname { "br-lan", "lanveth" } counter packets 69 bytes 6764 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 61 bytes 5124 drop comment "!fw4: Drop-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 5 bytes 160 accept comment "!fw4: Allow-IGMP"
                ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 1 bytes 180 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 9 bytes 1136 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 32 bytes 2232 accept comment "!fw4: Allow-ICMPv6-Input"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump drop_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump drop_to_wan
        }

        chain accept_to_wan {
                oifname "wan" counter packets 1360 bytes 92883 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain drop_from_wan {
                iifname "wan" counter packets 3 bytes 124 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
        }

        chain drop_to_wan {
                oifname "wan" counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname { "br-lan", "lanveth" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
                iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname { "br-lan", "lanveth" } jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
                oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
        }

        chain dstnat_lan {
                ip saddr 192.168.2.0/24 ip daddr 192.168.1.10 tcp dport 1024-65535 dnat ip to 192.168.2.160:1024-65535 comment "!fw4: DMZ (reflection)"
                ip saddr 192.168.2.0/24 ip daddr 192.168.1.10 udp dport 1024-65535 dnat ip to 192.168.2.160:1024-65535 comment "!fw4: DMZ (reflection)"
        }

        chain srcnat_lan {
                ip saddr 192.168.2.0/24 ip daddr 192.168.2.160 tcp dport 1024-65535 snat ip to 192.168.2.1 comment "!fw4: DMZ (reflection)"
                ip saddr 192.168.2.0/24 ip daddr 192.168.2.160 udp dport 1024-65535 snat ip to 192.168.2.1 comment "!fw4: DMZ (reflection)"
        }

        chain dstnat_wan {
                meta nfproto ipv4 tcp dport 1024-65535 counter packets 17 bytes 688 dnat ip to 192.168.2.160:1024-65535 comment "!fw4: DMZ"
                meta nfproto ipv4 udp dport 1024-65535 counter packets 57 bytes 17955 dnat ip to 192.168.2.160:1024-65535 comment "!fw4: DMZ"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
                iifname { "br-lan", "lanveth" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain helper_lan {
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type filter hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
        }
}
root@OpenWrt:~#

the script seems good but i'm not sure if too efficient or original iptables script

because now i has to firewall

iptables and nftables

anyone say me ? thanks

2

If you are running 22.03.xx or snapshot you need to do:

opkg update
opkg remove iptables
opkg install iptables-nft

Uninstalling any iptables dependent packages when doing the remove and reinstalling those packages after the iptables-nft install.

If you are running 21.03.xx then sorry you are stuck.

1 Like
3

i need this packages for my script

tc-full
kmod-sched-cake
kmod-sched
kmod-ifb
ip-full
kmod-veth
iptables-mod-ipopt
iptables-mod-conntrack-extra
kmod-tcp-bbr

I still have to do iptables-remove or not do you think?

4

Yes. Then install iptables-nft.

The two iptables-mod packages will work with iptables-nft.

Opkg will complain about them depending on iptables so it is safer to remove them first then reinstall after iptables-nft.

5

ok so I resume I install the packages above, then iptables-nft and then I delete iptables

thank you

i has only this packets

Capture d’écran 2022-05-17 à 21.00.36
Capture d’écran 2022-05-17 à 21.00.36731×384 38.6 KB

Capture d’écran 2022-05-17 à 21.02.29

6

This is either a release candidate or a snapshot. Luci gets itself very confused, but the packages you have installed look ok.

Ask your self the question: "Does your firewalling work as expected?"

1 Like
7

yes he works perfectly thanks again !

8

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.