Allow ports using ucr
You can allow ports with the following commands (in this example TCP port 1194):
ucr set security/packetfilter/tcp/1194/all=ACCEPT
service univention-firewall restart
Remove the iptables-legacy port allowances
When configuring UCS 5 systems, port allowances must be managed with iptables-nft rather than iptables-legacy, otherwise the two backends hold separate rule sets that can conflict. If warnings like “Warning: iptables-legacy tables present, use iptables-legacy to see them” appear, switch the remaining rules to iptables-nft to ensure smooth operation.
1. Removing all iptables-legacy port allowances
iptables-legacy -F
Note that this flushes every rule in the legacy filter table at once and a system restart is required, as existing connections will be disrupted. This method is recommended if you prefer not to remove the allowances one by one.
2. Gradual removal of individual port allowances
List the iptables-legacy rules with line numbers
iptables-legacy -L --line-numbers
and delete them individually using the command
iptables-legacy -D INPUT 1
replacing “1” with the line number of the rule to delete (the chain is renumbered after each deletion, so re-list before deleting the next rule).
After removing the allowances, it’s essential to restart the system to ensure iptables-legacy is no longer in use.
Permanently disable iptables-legacy
To prevent potential issues, consider blacklisting the module using the command
ucr set kernel/blacklist='<existing_entry1>;<existing_entry2>;iptable_filter'
Following a reboot, verify if iptables-legacy has been successfully disabled. Execute the command
iptables-legacy -L
and check for remaining modules using
lsmod | grep -e iptable_ -e ip_tables
as well as
grep -e iptable_filter -e iptables-legacy -rs /etc/ /lib/modules/$(uname -r)/
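The gradual removal step and the kernel/blacklist step above are both easy to get wrong by hand: rule numbers shift after every deletion, and the UCR value must keep the existing entries. The following helpers are an added example, not part of the UCS documentation; the listing they parse is a constructed copy of `iptables-legacy -L --line-numbers` output, and the delete commands are printed for review rather than executed.

```shell
#!/bin/sh
# Constructed sample of `iptables-legacy -L INPUT --line-numbers` output;
# on a real host, capture it with that command instead.
SAMPLE_RULES='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    DROP       all  --  anywhere             anywhere'

# Print the rule numbers of one chain, highest first. Deleting from the
# highest number downwards keeps the remaining numbers valid, because
# iptables renumbers the chain after every `-D`.
legacy_rule_numbers_desc() {
    # $1: listing text; $2: chain name
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ { print $1 }
    ' | sort -rn
}

# Emit the delete commands in a safe order so they can be reviewed,
# then run with `legacy_delete_commands "$listing" INPUT | sh`.
legacy_delete_commands() {
    for n in $(legacy_rule_numbers_desc "$1" "$2"); do
        printf 'iptables-legacy -D %s %s\n' "$2" "$n"
    done
}

# Append a module to the semicolon-separated kernel/blacklist value
# without duplicating it, so the ucr command can be built from the
# current value (`ucr get kernel/blacklist`) instead of retyped by hand.
blacklist_with() {
    # $1: current value (may be empty); $2: module to add
    case ";$1;" in
        *";$2;"*) printf '%s\n' "$1" ;;
        *) if [ -z "$1" ]; then printf '%s\n' "$2"
           else printf '%s;%s\n' "$1" "$2"; fi ;;
    esac
}
```

For example, `ucr set kernel/blacklist="$(blacklist_with "$(ucr get kernel/blacklist)" iptable_filter)"` preserves whatever is already blacklisted.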