Hello Friends,
I have been using a Raspberry Pi 4b 8gb as my home server for the past 2+ years. I use the official Debian 12 64 bit OS provided by the Raspberry Pi Foundation in console mode (no GUI) and headless (no dedicated display monitor or keyboard etc). This machine runs on a 24x7 basis. I have the following server services enabled on my Raspberry Pi server -
a) ssh (for logging into the server from client machines)
b) sshfs (I use it for enabling NAS across the home subnet)
c) wireguard vpn (I use it to connect to my NAS when I am roaming. I have a static ip issued by my isp for this, it is a full tunnel)
d) pihole (I use it as a network wide adblocker)
e) unbound recursive DNS server (for enhancing privacy)
f) nfs-server (service is used occasionally, otherwise disabled)
g) samba server (service is used occasionally, otherwise disabled)
h) mariadb (service is used occasionally, otherwise disabled)
i) webmin (for remote control)
j) php
k) ufw
l) a few more minor ones
All workstations in the home are WireGuard VPN enabled, including my mobile devices. Packets from the internet are forwarded via a port on my home router. Everything said above has been working well for the past 2+ years.
I came to know recently that my Raspberry Pi server has both iptables and nftables installed. Not sure if they are working in parallel. Here is the output of the dpkg command -
Code:
ganeshp@aga-rpi4bsvr:~ $ dpkg -l | grep -E 'iptables|nftables'
ii  iptables            1.8.9-2          arm64  administration tools for packet filtering and NAT
ii  libnftables1:arm64  1.0.6-2+deb12u2  arm64  Netfilter nftables high level userspace API library
ii  libnftnl11:arm64    1.2.4-2          arm64  Netfilter nftables userspace API library
ii  nftables            1.0.6-2+deb12u2  arm64  Program to control packet filtering rules by Netfilter project
In my WireGuard configuration file I have coded PostUp and PostDown as follows in the interface section, which basically makes use of iptables -
Code:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Code:
ganeshp@aga-rpi4bsvr:~ $ sudo nft list table ip nat
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" counter packets 620694 bytes 89865181 masquerade
Now my query is,
1. Am I running both iptables and nftables in parallel?
2. If yes, am I supposed to uninstall iptables and switch to nftables? I believe I have the following options in that case -
Option 1: Uninstall iptables and replace my existing PostUp and PostDown as follows to use nftables
Code:
PostUp = nft add rule ip filter forward iifname wg0 accept; nft add rule ip filter forward oifname wg0 accept; nft add rule ip nat postrouting oifname eth0 masquerade
PostDown = nft delete rule ip filter forward iifname wg0 accept; nft delete rule ip filter forward oifname wg0 accept; nft delete rule ip nat postrouting oifname eth0 masquerade
Option 2: Uninstall iptables and replace my existing PostUp and PostDown as follows via ufw
Code:
PostUp = ufw allow in on %i from 10.77.8.0/24
PostDown = ufw delete allow in on %i from 10.77.8.0/24
Also I am looking forward to learning how to ensure the current set of firewall rules is in place after changes, if made. Any advice on the above situation will help me make the right decision and will be very helpful. Should any additional information be needed to respond to my query, kindly let me know. Thank you for your time and attention.
Regards
Ganesh
Statistics: Posted by ganeshmallyap — Sat Nov 02, 2024 5:10 pm
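As an added example (this is not part of Ganesh's post, nor a reply from the thread), here is a small POSIX shell script for exactly the checks the post raises: whether the `iptables` binary is the nf_tables front end (iptables-nft) or the legacy x_tables one, whether any table in `nft list ruleset` is native nft rather than "managed by iptables-nft" (i.e. whether two rulesets really are running side by side), and whether the three WireGuard rules from the post are present. It also emits a native nftables equivalent of the post's PostUp rules, kept in its own table so PostDown can remove them atomically. Assumptions: the interface names wg0 and eth0 from the post; the `SAMPLE_UP`/`SAMPLE_DOWN` ruleset texts are constructed to mirror how iptables-nft renders rules, not captured from the author's Pi; the file name `check-fw.sh` and the path `/etc/wireguard/wg0.nft` in the usage note are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Functions read text on
# stdin so they can be exercised against the constructed samples below;
# pass --live to run the real commands (nft list ruleset needs root).
# Assumes interface names wg0/eth0 as in the post.

# "nft" for iptables-nft, "legacy" for iptables-legacy, else "unknown".
iptables_backend() {
    case "$(cat)" in            # e.g. "iptables v1.8.9 (nf_tables)"
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Number of tables in a ruleset NOT flagged "managed by iptables-nft".
# 0 means every rule came in via iptables; there is no second, native nft
# ruleset in parallel, just one nf_tables backend with one front end.
native_table_count() {
    rs=$(cat)
    total=$(printf '%s\n' "$rs" | grep -c '^table ' || true)
    managed=$(printf '%s\n' "$rs" | grep -c '^# Warning: table .* is managed by iptables-nft' || true)
    echo $((total - managed))
}

# Check the WireGuard rules from the post. iptables-nft renders them with a
# "counter packets N bytes M" prefix and a native table without it, so the
# patterns anchor only on the match and the verdict. Returns 1 if any is missing.
wg_rules_status() {
    rs=$(cat)
    rc=0
    for want in 'iifname "wg0" .*accept$' 'oifname "wg0" .*accept$' 'oifname "eth0" .*masquerade$'; do
        if printf '%s\n' "$rs" | grep -Eq "$want"; then echo "present: $want"
        else echo "MISSING: $want"; rc=1; fi
    done
    return $rc
}

# Native nftables equivalent of the post's PostUp rules, in a dedicated table
# so PostDown is simply `nft delete table ip wg0` (nft deletes single rules by
# handle, not by repeating their text). Caveat: a base chain here cannot
# override a drop verdict from another base chain on the same hook, e.g. a
# FORWARD policy of drop in iptables-nft's filter table (ufw's default).
wg_nft_ruleset() {
    cat <<'EOF'
table ip wg0 {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "wg0" accept
        oifname "wg0" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
EOF
}

# Constructed sample: `nft list ruleset` while the post's iptables-based
# PostUp rules are loaded (ufw-style drop policy on FORWARD).
SAMPLE_UP='# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        iifname "wg0" counter packets 10 bytes 840 accept
        oifname "wg0" counter packets 12 bytes 1200 accept
    }
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" counter packets 620694 bytes 89865181 masquerade
    }
}'

# Constructed sample: after PostDown, plus one native table (no warning line).
SAMPLE_DOWN='# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}
table inet local {
    chain input {
        type filter hook input priority filter; policy accept;
    }
}'

if [ "${1:-}" = "--live" ]; then
    echo "iptables backend: $(iptables -V | iptables_backend)"
    rs=$(nft list ruleset)
    echo "native (non-iptables) nft tables: $(printf '%s\n' "$rs" | native_table_count)"
    printf '%s\n' "$rs" | wg_rules_status
fi
```

Run it on the Pi as `sudo sh check-fw.sh --live` before and after `wg-quick down wg0` / `wg-quick up wg0` to see the rules disappear and come back. If the reported backend is `nft` and the native table count is 0, there is only one ruleset in the kernel and iptables is merely the front end writing it, which is what the "managed by iptables-nft" warning in the post's own `nft list table ip nat` output indicates. To move to native nft, save the output of `wg_nft_ruleset` to a file such as `/etc/wireguard/wg0.nft` and use `PostUp = nft -f /etc/wireguard/wg0.nft` with `PostDown = nft delete table ip wg0`; the script's `wg_rules_status` check reads that form too.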