Replace iptables with nftables

Hi,

During the weekly patch of servers I ran into this error on a VPN router running Rocky Linux 9:-

$ sudo dnf -y upgrade
Last metadata expiration check: 2:08:32 ago on Thu 06 Feb 2025 19:34:19 GMT.
Error:
Problem 1: package iptables-services-1.8.10-4.1.el9.noarch from @System requires (iptables-libs = 1.8.10-4.el9 or iptables-libs = 1.8.10-4.el9_4), but none of the providers can be installed
- cannot install both iptables-libs-1.8.10-11.el9_5.x86_64 from baseos and iptables-libs-1.8.10-4.el9_4.x86_64 from @System
- cannot install the best update candidate for package iptables-services-1.8.10-4.1.el9.noarch
- cannot install the best update candidate for package iptables-libs-1.8.10-4.el9_4.x86_64
Problem 2: problem with installed package iptables-services-1.8.10-4.1.el9.noarch
- package iptables-services-1.8.10-4.1.el9.noarch from @System requires (iptables-libs = 1.8.10-4.el9 or iptables-libs = 1.8.10-4.el9_4), but none of the providers can be installed
- package iptables-services-1.8.10-4.1.el9.noarch from epel requires (iptables-libs = 1.8.10-4.el9 or iptables-libs = 1.8.10-4.el9_4), but none of the providers can be installed
- cannot install both iptables-libs-1.8.10-11.el9_5.x86_64 from baseos and iptables-libs-1.8.10-4.el9_4.x86_64 from @System
- package iptables-nft-1.8.10-11.el9_5.x86_64 from baseos requires iptables-libs(x86-64) = 1.8.10-11.el9_5, but none of the providers can be installed
- cannot install the best update candidate for package iptables-nft-1.8.10-4.el9_4.x86_64

I could have excluded iptables-services and allowed the server to update, or waited for this package conflict to be resolved (I suspect an update from EPEL would fix it). I opted instead to take tiny steps into using a more modern firewall. I considered firewalld, but decided the zones required would have made this more complicated than needed. See this old post; it will give you an idea of what I mean. So I opted for nftables.

Some googling led me to iptables-restore-translate and, more specifically, this. These are the instructions specific to Rocky Linux 9.

$ sudo iptables-save > iptables-rules.txt # export the iptables rules first: removing iptables-services stops iptables.service, which may flush the live rules
$ sudo dnf remove iptables-services # allows dnf upgrade to proceed
$ sudo iptables-restore-translate -f iptables-rules.txt > ruleset.nft # convert to nftables syntax
# If the old iptables-nft tables are still loaded (check with "sudo nft list ruleset"), flush them first with "sudo nft flush ruleset",
# otherwise the next step adds the translated rules alongside the existing ones.
$ sudo nft --file ruleset.nft # import the rules into nftables

# Now let's make these rules survive a reboot.
# The redirect runs in your own shell, not under sudo, so "sudo nft list ruleset > /etc/sysconfig/nftables.conf" fails with permission denied; pipe through tee instead.
$ sudo nft list ruleset | sudo tee /etc/sysconfig/nftables.conf >/dev/null
$ sudo systemctl enable --now nftables

# To see the rules, equivalent of iptables -S
$ sudo nft list ruleset
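As an added example (not part of the original post), here is a small POSIX shell helper for checking the ruleset dump before it goes into /etc/sysconfig/nftables.conf: it finds rule lines that appear twice within one chain (what you get if the translated rules were loaded on top of the still-live iptables-nft rules, or the file was loaded twice) and prepends "flush ruleset" so the nftables service can reload the file without doubling the rules. The ruleset text is a constructed sample, not the author's VPN router rules.

```shell
#!/bin/sh
# Constructed sample of a `nft list ruleset` dump (not the author's real rules).
# The repeated "tcp dport 22 accept" line is deliberate: it is what a double load looks like.
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        tcp dport 22 accept
        tcp dport 22 accept
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
}'

# Print "CHAIN rule" for every rule line that occurs more than once inside the same chain.
# Chain headers, hook/policy lines, table lines, braces and blank lines are not rules.
find_duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*chain /  { chain = $2; next }
        /^[ \t]*table /  { next }
        /^[ \t]*type /   { next }
        /^[ \t]*[}]/     { next }
        /^[ \t]*$/       { next }
        { sub(/^[ \t]+/, ""); seen[chain " " $0]++ }
        END { for (k in seen) if (seen[k] > 1) print k }
    ' | sort
}

# Emit a config that is safe to load repeatedly (systemctl restart nftables, nft -f):
# a `table ... { }` block adds to an existing table, so without `flush ruleset`
# every load appends the same rules again.
make_persistent_conf() {
    if printf '%s\n' "$1" | grep -q '^flush ruleset'; then
        printf '%s\n' "$1"
    else
        printf '#!/usr/sbin/nft -f\nflush ruleset\n\n%s\n' "$1"
    fi
}

# Stand-alone run: report duplicates, then print the file you would write with tee.
find_duplicate_rules "$SAMPLE_RULESET"
make_persistent_conf "$SAMPLE_RULESET"
```

On a real host, feed it `sudo nft list ruleset` and pipe the result of make_persistent_conf through `sudo tee /etc/sysconfig/nftables.conf`.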

Thanks Tom.

P.S. Please feel free to comment.

Sources:-
https://blog.programster.org/nftables-cheatsheet
https://forums.rockylinux.org/t/replacing-iptables-centos-7-with-firewalld-rocky-9/14790
