How-To: Allowing Ports on UCS 5 Systems using iptables-nft and disabling iptables-legacy

Allow ports using ucr

You can allow ports using the following commands (in this example the tcp port 1194)

ucr set security/packetfilter/tcp/1194/all=ACCEPT
service univention-firewall restart

Link to manual

Remove the iptables-legacy port allowances

When configuring UCS 5 systems, it’s crucial to consider the proper use of iptables-nft for port allowance to avoid conflicts. If warnings like “Warning: iptables-legacy tables present, use iptables-legacy to see them” appear, it’s advisable to switch to iptables-nft to ensure smooth operation.

1. Removing all iptables-legacy port allowances

iptables-legacy -F

Note that a system restart is required as existing connections will be disrupted. This method is recommended if you prefer not to manually remove all allowances.

2. Gradual removal of individual port allowances

List the iptables-legacy rules with line numbers

iptables-legacy -L --line-numbers

and delete them individually using the command

iptables-legacy -D INPUT 1

replacing “1” with the corresponding chain number.
After removing the allowances, it’s essential to restart the system to ensure iptables-legacy is no longer in use.

Permanently disable iptables-legacy

To prevent potential issues, consider blacklisting the module using the command

ucr set kernel/blacklist='<existing_entry1>;'<existing_entry2>;iptable_filter'

Following a reboot, verify if iptables-legacy has been successfully disabled. Execute the command

iptables-legacy -L

and check for remaining modules using

lsmod | grep iptables_

as well as

grep -e iptable_filter -e iptables-legacy -rs /etc/ /lib/modules/$(uname -r)/
1 Like

This topic was automatically closed after 24 hours. New replies are no longer allowed.