1

Topic: Safe method to switch from nftables to iptables?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): latest release
- Deployed with iRedMail Easy or the downloadable installer? Downloaded
- Linux/BSD distribution name and version: Debian 12
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?

====

Is there a means to safely switch from nftables to iptables?

I am doing some testing with a virtual machine to try to switch out nftables for iptables, and it is not going so well.

Anyone got any tips?


2

Re: Safe method to switch from nftables to iptables?

Set up a new VM with nftables support, and copy its config file for the switch.

3

Re: Safe method to switch from nftables to iptables?

ZhangHuangbin wrote:

Set up a new VM with nftables support, and copy its config file for the switch.

I don't understand what you mean by that.


I have tried shutting down nftables, installing iptables, and adding the rules for iptables, but nothing is happening except getting blocked by the firewall.


systemctl stop nftables
systemctl disable nftables
apt install iptables iptables-persistent
systemctl enable netfilter-persistent
systemctl start netfilter-persistent


iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT


I see the rule added in iptables-save, but can't SSH in.


Then I tried ports 80 and 443, and was unable to access RoundCube.

4

Re: Safe method to switch from nftables to iptables?

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

try this

5 (edited by KNERD 2024-06-18 02:10:58)

Re: Safe method to switch from nftables to iptables?

Cthulhu wrote:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

try this

I reset the virtual machine back to the point where iRedMail had been newly installed.

The issues I am facing keep changing. Last attempt, I got totally blocked out of the server from the outside.

Now, starting over, iptables (nf_tables) is not even blocking anything at this point.

Okay, I finally got it.

Thanks for the input!

6

Re: Safe method to switch from nftables to iptables?

KNERD wrote:

Last attempt, I got totally blocked out of the server from the outside.

I guess it's blocked by Fail2ban service.

7 (edited by KNERD 2024-06-19 10:26:58)

Re: Safe method to switch from nftables to iptables?

ZhangHuangbin wrote:
KNERD wrote:

Last attempt, I got totally blocked out of the server from the outside.

I guess it's blocked by Fail2ban service.


I got it working, however I ran into an issue, and I am not sure it is related.


I am getting a 504 Gateway time-out when trying to access RoundCube

Looking at the error log, I am seeing upstream timeouts:

[error] 3358#3358: *33 upstream timed out (110: Connection timed out) while connecting to upstream

request: "GET /mail/ HTTP/2.0", upstream: "fastcgi://127.0.0.1:9999",

I see the following running.
loaded (/lib/systemd/system/php8.2-fpm.service; enabled; preset: enabled)


Any ideas on this?

I think it is a firewall issue. It seems I cannot ping or connect to anything over IPv4.

8 (edited by Cthulhu 2024-06-19 23:46:36)

Re: Safe method to switch from nftables to iptables?

Did you open the loopback interface?

Please post the full iptables config file which was created by iptables-save.
Also, you need to create a config file for IPv6 as well, if you didn't fully disable IPv6.
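The procedure in post 3 (stop nftables, install iptables-persistent, insert single ACCEPT rules) and the checks asked for in post 8 (loopback, a full iptables-save dump, a separate IPv6 file) are two halves of the same lock-out problem: a DROP policy with no loopback or conntrack accept, and rules that land after a catch-all DROP and so never match. The following Python is an added example, not code from the posts above or from the iRedMail project. It assumes that only tcp/22, 80 and 443 need opening (the ports discussed in this thread; a real mail host also needs its SMTP/IMAP/POP3 ports), Debian's iptables-persistent layout (/etc/iptables/rules.v4 and rules.v6), and the FIRST_ATTEMPT dump is constructed for illustration, not captured from the poster's machine.

```python
"""Added example for this thread, not iRedMail project code: build a minimal
rules.v4 for the nftables -> iptables switch, lint an iptables-save dump for
lock-out mistakes, and load a ruleset with a rollback timer."""
import re
import subprocess

TCP_PORTS = (22, 80, 443)  # assumption: the thread's ports; extend for a real mail server


def build_rules_v4(tcp_ports=TCP_PORTS):
    """Return a complete filter table in iptables-restore format, ordered so that
    nothing the box needs is dropped before it is accepted."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        # Loopback first: nginx -> php-fpm on 127.0.0.1:9999 and the local DB both
        # travel over lo; dropping lo is a classic cause of a 504 from nginx.
        "-A INPUT -i lo -j ACCEPT",
        # Replies to our own outbound traffic (DNS, apt, ping) come back here.
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # Allow ping so reachability can be checked from outside.
        "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT",
    ]
    lines += [f"-A INPUT -p tcp --dport {p} -m conntrack --ctstate NEW -j ACCEPT"
              for p in tcp_ports]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def _input_chain(dump):
    """Return (policy, [rule bodies]) of the filter table's INPUT chain from an
    iptables-save or ip6tables-save dump, in the order the kernel walks them."""
    table, policy, rules = None, None, []
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            rules.append(line[len("-A INPUT "):])
    return policy, rules


def lint_ruleset(dump, needed_tcp=TCP_PORTS):
    """List the lock-out hazards in a dump; an empty list means none found."""
    policy, rules = _input_chain(dump)
    if policy is None:
        return ["no filter/INPUT chain found: is this iptables-save output?"]
    live, dead, blocked = [], [], False  # rules after a catch-all DROP never match
    for rule in rules:
        (dead if blocked else live).append(rule)
        if re.fullmatch(r"-j (DROP|REJECT)( .*)?", rule):
            blocked = True
    if policy != "DROP" and not blocked:
        return ["INPUT policy is ACCEPT with no catch-all DROP: nothing is filtered"]
    accepts = [r for r in live if r.endswith("-j ACCEPT")]
    problems = []
    if not any(re.search(r"-i lo\b", r) for r in accepts):
        problems.append("loopback (-i lo) not accepted: local php-fpm/DB connections time out")
    if not any(re.search(r"--(ctstate|state) \S*ESTABLISHED", r) for r in accepts):
        problems.append("no ESTABLISHED,RELATED accept: replies to outbound traffic are dropped")
    for port in needed_tcp:
        if not any("-p tcp" in r and re.search(rf"--dport {port}\b", r) for r in accepts):
            problems.append(f"tcp/{port} not accepted before the DROP")
    problems += [f"dead rule after catch-all DROP: {r}" for r in dead if "-j ACCEPT" in r]
    return problems


def apply_with_rollback(rules_text, seconds=120, backup="/run/iptables.rollback"):
    """Load rules_text, then start a detached timer that restores the previous
    ruleset after `seconds` unless killed: a lock-out undoes itself. Root only."""
    with open(backup, "w") as fh:
        subprocess.run(["iptables-save"], stdout=fh, check=True)
    subprocess.run(["iptables-restore", "--test"], input=rules_text, text=True, check=True)
    subprocess.run(["iptables-restore"], input=rules_text, text=True, check=True)
    timer = subprocess.Popen(["sh", "-c", f"sleep {seconds}; iptables-restore < {backup}"],
                             start_new_session=True)
    return timer.pid  # kill this PID from a fresh SSH session to keep the new rules


# Constructed dump, loosely modelled on the first attempt in this thread: ssh
# accepted, nothing else before a catch-all DROP, web ports added after it.
FIRST_ATTEMPT = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for problem in lint_ruleset(FIRST_ATTEMPT):
        print("first attempt:", problem)
    print("generated rules:", lint_ruleset(build_rules_v4()) or "no hazards found")
```

Write the generated text to /etc/iptables/rules.v4, create a corresponding rules.v6 (or disable IPv6 outright), and run `netfilter-persistent reload`; the same `lint_ruleset` runs on `ip6tables-save` output. `apply_with_rollback` is the "safe method" the question asks for: it loads the new rules and reverts them two minutes later unless you `kill` the returned PID from a fresh SSH login. If a clean-looking dump still leaves you blocked, run `nft list ruleset`, which shows the whole kernel ruleset on Debian 12, including the tables iptables-nft creates and any Fail2ban bans that go through nftables.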