Warning: iptables-legacy tables present

I have migrated my Ubuntu Focal server firewall backend from legacy iptables to netfilter, by running update-alternatives --set iptables /usr/sbin/iptables-nft and rebooting the server. Now all tables shown in iptables-legacy -S are empty, but when I run iptables -S the last line always says:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

I have since removed iptables-legacy from alternatives using the following command:

update-alternatives --remove iptables /usr/sbin/iptables-legacy

And now only the netfilter version is shown:

root@iBug-Server:~# update-alternatives --display iptables
iptables - auto mode
  link best version is /usr/sbin/iptables-nft
  link currently points to /usr/sbin/iptables-nft
  link iptables is /usr/sbin/iptables
  slave iptables-restore is /usr/sbin/iptables-restore
  slave iptables-save is /usr/sbin/iptables-save
/usr/sbin/iptables-nft - priority 20
  slave iptables-restore: /usr/sbin/iptables-nft-restore
  slave iptables-save: /usr/sbin/iptables-nft-save

How can I get rid of this warning?

Asked By: iBug


As the error message says, it’s because the legacy (non-netfilter) iptables subsystem is present. The most common cause is that the iptables-legacy command is called, which loads the legacy modules.

There are 5 modules related to legacy iptables, one for each table. (Note: the module names begin with iptable_, no S here.)

iptable_filter
iptable_nat
iptable_mangle
iptable_raw
iptable_security

When ANY of them is loaded, iptables-nft decides that the legacy iptables is present, and emits the said warning.

Similarly, there are 5 more modules for legacy IPv6 iptables, each beginning with ip6table_ (no S here either).

After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.

Note again that using blacklist iptable_filter doesn’t work here because this directive only prevents automatic loading, but not manual loading via modprobe(8) or another command. This solution using install <modulename> /bin/false should correctly prevent the module from loading under any circumstances.

Answered By: iBug
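The check and the blacklist stanza from the answer above, as an added example that is not part of the original answer: it lists the ten legacy table modules, reports which of them are loaded (with their refcount) from a /proc/modules listing, and emits the modprobe.d configuration using install <module> /bin/false rather than blacklist. The sample /proc/modules text is constructed, and the config file name /etc/modprobe.d/iptables-legacy.conf is an assumption.

```shell
#!/bin/sh
# Added example (not from the original answer). Detects loaded legacy
# iptable_*/ip6table_* modules and generates the modprobe.d stanza that
# blocks them. Sample /proc/modules text and the config path are assumptions.

LEGACY_TABLES="filter nat mangle raw security"

# Print the ten legacy module names, one per line (iptable_* and ip6table_*).
legacy_modules() {
    for t in $LEGACY_TABLES; do
        printf '%s\n' "iptable_$t" "ip6table_$t"
    done
}

# Read /proc/modules text on stdin; print "name refcount" for every loaded
# legacy module. /proc/modules columns: name size refcount users state address.
# A non-zero refcount is what makes "modprobe -r" answer "Module ... is in use":
# the table still has rules (or a dependent module) and must be flushed first.
loaded_legacy_modules() {
    awk -v names="$(legacy_modules | tr '\n' ' ')" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1, $3 }
    '
}

# Emit the modprobe.d configuration. "blacklist" only stops alias-based
# autoloading; "install <mod> /bin/false" makes any modprobe of that name run
# /bin/false instead of inserting the module, so explicit loads fail as well.
modprobe_conf() {
    legacy_modules | while read -r m; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed sample of /proc/modules (not captured from a real host).
SAMPLE_PROC_MODULES='nf_tables 245760 3 nft_compat, Live 0x0000000000000000
iptable_nat 16384 1 , Live 0x0000000000000000
ip6table_filter 16384 0 , Live 0x0000000000000000
x_tables 53248 4 nft_compat,iptable_nat,ip6table_filter, Live 0x0000000000000000'

# Real application (requires root); runs only when invoked as: sh script.sh apply
# The config file name is an assumed one, not mandated by modprobe.
apply() {
    loaded_legacy_modules </proc/modules | while read -r m refs; do
        if [ "$refs" -eq 0 ]; then
            modprobe -r "$m"
        else
            echo "$m still in use (refcount $refs); flush its rules first" >&2
        fi
    done
    modprobe_conf >/etc/modprobe.d/iptables-legacy.conf
}

case "${1:-}" in
    apply) apply ;;
    *) printf '%s\n' "$SAMPLE_PROC_MODULES" | loaded_legacy_modules ;;
esac
```

Run without arguments it only evaluates the constructed sample, which reports iptable_nat as loaded and busy and ip6table_filter as loaded but idle; with the argument apply it reads the real /proc/modules, unloads the idle legacy modules, and writes the install stanza for all ten so that a later iptables-legacy call cannot bring them back.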

I got this warning after selecting the docker package when running the Ubuntu 22.04 installer. (I did not get this when I skipped selecting packages and installed Docker manually.)

After migrating to netfilter, those 10 modules can be safely removed with rmmod and blacklisted.

If any rule causes one of the 10 modules to be used, when you attempt to remove the module you will get an error such as

# modprobe -r iptable_nat
modprobe: FATAL: Module iptable_nat is in use.

To completely get rid of # Warning: iptables-legacy tables present, I needed to wipe out completely iptables, ip6tables, iptables-legacy and ip6tables-legacy. Examine all four and check if anything from the pair of legacies needs to be incorporated into the respective non-legacy pair. Below, I am using the saved non-legacy files after determining that I did not need to incorporate any deltas from the legacies.

iptables-save > iptables-save.txt
ip6tables-save > ip6tables-save.txt
iptables-legacy-save > iptables-legacy-save.txt
ip6tables-legacy-save > ip6tables-legacy-save.txt

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -F
ip6tables -X

iptables-legacy -P INPUT ACCEPT
iptables-legacy -P FORWARD ACCEPT
iptables-legacy -P OUTPUT ACCEPT
iptables-legacy -t nat -F
iptables-legacy -t nat -X
iptables-legacy -t mangle -F
iptables-legacy -t mangle -X
iptables-legacy -F
iptables-legacy -X

ip6tables-legacy -P INPUT ACCEPT
ip6tables-legacy -P FORWARD ACCEPT
ip6tables-legacy -P OUTPUT ACCEPT
ip6tables-legacy -t nat -F
ip6tables-legacy -t nat -X
ip6tables-legacy -t mangle -F
ip6tables-legacy -t mangle -X
ip6tables-legacy -F
ip6tables-legacy -X

for x in _raw _mangle _security _nat _filter; do
    modprobe -r "iptable${x}"
    modprobe -r "ip6table${x}"
done

iptables-restore < iptables-save.txt
ip6tables-restore < ip6tables-save.txt

You will also want to run

update-alternatives --remove iptables /usr/sbin/iptables-legacy

Please consult other resources about update-alternatives, migrating from iptables to nft, and the security ramifications of completely clearing iptables when the machine is connected to the network. If you have Docker installed, you will not be able to apt-get purge iptables because it is a dependency of docker-ce.

Answered By: natskvi
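The "examine all four" step of the answer above, as an added example that is not part of the original answer: before flushing both backends, it normalizes iptables-save and iptables-legacy-save dumps (dropping the timestamp comments and the packet counters) and prints the chain policies and rules that exist only in the legacy dump, so they can be re-added through the nft backend before the legacy tables are wiped and the modules unloaded. The two dumps below are constructed samples, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the original answer). Compares a legacy dump with an
# nft dump and reports what only the legacy one carries. Sample dumps are constructed.

# Normalize a save-format dump on stdin: one sorted line per chain policy or rule,
# prefixed with its table so identical rules in different tables stay distinct.
normalize_save() {
    awk '
        /^#/ { next }                              # "# Generated by ..." / "# Completed on ..."
        /^\*/ { table = substr($0, 2); next }      # *filter, *nat, *mangle, ...
        /^COMMIT$/ { next }
        /^:/ { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print table, $0; next }   # chain + policy, counters dropped
        { print table, $0 }                        # -A / -N rule lines
    ' | LC_ALL=C sort -u
}

# Print lines present in the legacy dump ($1) but absent from the nft dump ($2).
# Both arguments are dump text, e.g. "$(iptables-legacy-save)" and "$(iptables-save)".
# A differing chain policy (":INPUT DROP" vs ":INPUT ACCEPT") shows up here too.
legacy_only_rules() {
    l=$(mktemp) && n=$(mktemp) || return 1
    printf '%s\n' "$1" | normalize_save >"$l"
    printf '%s\n' "$2" | normalize_save >"$n"
    LC_ALL=C comm -23 "$l" "$n"
    rm -f "$l" "$n"
}

# Constructed sample dumps (not from a real host).
SAMPLE_LEGACY_SAVE='# Generated by iptables-save v1.8.4 on Mon Jan  1 00:00:00 2024
*filter
:INPUT ACCEPT [120:9000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [88:7200]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'

SAMPLE_NFT_SAVE='# Generated by iptables-save v1.8.4 (nf_tables) on Mon Jan  1 00:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024'

# On a real host: legacy_only_rules "$(iptables-legacy-save)" "$(iptables-save)"
# and the same again for ip6tables-legacy-save / ip6tables-save.
legacy_only_rules "$SAMPLE_LEGACY_SAVE" "$SAMPLE_NFT_SAVE"
```

For the samples the only legacy-only line is the SSH accept rule in the filter table; on a real host each reported line is either re-added with iptables (the nft backend) before the flush in the answer above, or confirmed as no longer wanted. Because the comparison is done on text, a rule that both backends render slightly differently (for example an explicit -m tcp the other side omits) will be reported and needs a look by eye.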