dbaba 1 Posted April 21, 2021 (edited) I tested ufw and nftables on the latest release. But no luck. Tinker Board 2 team, could you please tell me how to enable firewall on this OS? Using ufw After adding a simple rule to ufw, I got the following error when I enabled it. linaro@linaro-alip:/lib/modules/4.4.194$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y ERROR: problem running ufw-init modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.194 iptables-restore v1.8.2 (nf_tables): line 22: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 23: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 24: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 25: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 26: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 27: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 29: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 30: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 31: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 32: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 33: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 34: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 36: RULE_APPEND failed (No such file or directory): rule in chain FORWARD line 41: RULE iptables-restore v1.8.2 (nf_tables): Couldn't load match `conntrack':No such file or directory Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information. iptables-restore v1.8.2 (nf_tables): line 5: RULE_APPEND failed (No such file or directory): rule in chain ufw-skip-to-policy-input line 6: RULE_APPEND failed (No such file or directory): rule in chain ufw-skip-to-policy-output line 7: RULE_APPEND failed (No such file or directory): rule in chain ufw-skip-to-policy-forward iptables-restore v1.8.2 (nf_tables): Couldn't load match `conntrack':No such file or directory Error occurred at line: 25 Try `iptables-restore -h' or 'iptables-restore --help' for more information. iptables-restore v1.8.2 (nf_tables): unknown option "--dport" Error occurred at line: 19 Try `iptables-restore -h' or 'iptables-restore --help' for more information. iptables-restore v1.8.2 (nf_tables): unknown option "--dport" Error occurred at line: 19 Try `iptables-restore -h' or 'iptables-restore --help' for more information. iptables-restore v1.8.2 (nf_tables): Chain 'ufw-before-input' does not exist ip6tables-restore v1.8.2 (nf_tables): line 22: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 23: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 24: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 25: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 26: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 27: RULE_APPEND failed (No such file or directory): rule in chain INPUT line 29: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 30: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 31: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 32: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 33: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 34: RULE_APPEND failed (No such file or directory): rule in chain OUTPUT line 36: RULE_APPEND failed (No such file or directory): rule in chain FORWARD line 41: RULE ip6tables-restore v1.8.2 (nf_tables): Couldn't load match `conntrack':No such file or directory Error occurred at line: 2 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. ip6tables-restore v1.8.2 (nf_tables): line 5: RULE_APPEND failed (No such file or directory): rule in chain ufw6-skip-to-policy-input line 6: RULE_APPEND failed (No such file or directory): rule in chain ufw6-skip-to-policy-output line 7: RULE_APPEND failed (No such file or directory): rule in chain ufw6-skip-to-policy-forward ip6tables-restore v1.8.2 (nf_tables): Couldn't load match `rt':No such file or directory Error occurred at line: 24 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. ip6tables-restore v1.8.2 (nf_tables): unknown option "--dport" Error occurred at line: 19 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. ip6tables-restore v1.8.2 (nf_tables): unknown option "--dport" Error occurred at line: 19 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. ip6tables-restore v1.8.2 (nf_tables): Chain 'ufw6-before-input' does not exist Problem running '/etc/ufw/before.rules' Problem running '/etc/ufw/after.rules' Problem running '/etc/ufw/user.rules' Problem running '/etc/ufw/before6.rules' Problem running '/etc/ufw/after6.rules' Problem running '/etc/ufw/user6.rules' Using nftables I uninstalled ufw then installed nftables. And tried to set a simple rule which is just allowing loopback incoming access. #!/usr/sbin/nft -f flush ruleset table inet filter { chain input { type filter hook input priority 0; iifname "lo" accept } chain forward { type filter hook forward priority 0; } chain output { type filter hook output priority 0; } } Then I started nftables service but the service didn't start. syslog showed the following message. Apr 21 07:06:36 linaro-alip nft[2149]: /etc/nftables.conf:8:17-35: Error: Could not process rule: No such file or directory Apr 21 07:06:36 linaro-alip nft[2149]: iifname "lo" accept Apr 21 07:06:36 linaro-alip nft[2149]: ^^^^^^^^^^^^^^^^^^^ Apr 21 07:06:36 linaro-alip systemd[1]: nftables.service: Failed with result 'exit-code'. Apr 21 07:06:36 linaro-alip systemd[1]: Failed to start nftables. Are netfilter kernel modules installed? Got the following output. Some of netfilter modules are included in the builtin kernel. Not sure if the list covers all required modules. linaro@linaro-alip:~$ cat /lib/modules/$(uname -r)/modules.builtin | grep nf_tables kernel/net/ipv4/netfilter/nf_tables_ipv4.ko kernel/net/ipv4/netfilter/nf_tables_arp.ko kernel/net/ipv6/netfilter/nf_tables_ipv6.ko kernel/net/netfilter/nf_tables.ko kernel/net/netfilter/nf_tables_inet.ko kernel/net/netfilter/nf_tables_netdev.ko Edited April 21, 2021 by dbaba Share this post Link to post Share on other sites
Pirate 3 Posted April 22, 2021 (edited) I am also having same issue trying to install UFW linaro@linaro-alip:/lib/modules/4.4.194$ sudo ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y ERROR: problem running ufw-init modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.194 I made sure module is enabled: /etc/default/ufw IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns" Edited April 22, 2021 by Pirate Share this post Link to post Share on other sites
Pirate 3 Posted April 22, 2021 Perhaps UFW does not work on Debian 10 due to Debian 10 moving from iptables to nftables? https://serverfault.com/questions/1006981/ufw-replacement-or-workaround-for-debian-10 Share this post Link to post Share on other sites
Pirate 3 Posted April 22, 2021 (edited) I've made some progress: I purge ufw and iptables, then install iptables first then change to iptables-legacy. after that install ufw. ufw seems to works only on iptables-legacy. apt purge ufw iptables apt install iptables update-alternatives --set iptables /usr/sbin/iptables-legacy update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy apt install ufw now: root@linaro-alip:~# ufw allow ssh ERROR: initcaps [Errno 2] modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/4.4.194 ip6tables v1.8.2 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?) Perhaps ip6tables or your kernel needs to be upgraded. Maybe ip6tables are missing in kernel? root@linaro-alip:~# sudo modprobe ip6_tables modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/4.4.194 root@linaro-alip:~# ^C root@linaro-alip:~# sudo modprobe ip6tables modprobe: FATAL: Module ip6tables not found in directory /lib/modules/4.4.194 Edited April 22, 2021 by Pirate 1 Share this post Link to post Share on other sites
Pirate 3 Posted April 22, 2021 More progress: update-alternatives --set ip6tables /usr/sbin/ip6tables-nft Now, errors: root@linaro-alip:~# ufw enable Command may disrupt existing ssh connections. Proceed with operation (y|n)? y ERROR: problem running ufw-init modprobe: FATAL: Module nf_conntrack_netbios_ns not found in directory /lib/modules/4.4.194 iptables-restore v1.8.2 (legacy): Couldn't load match `limit':No such file or directory Error occurred at line: 63 Try `iptables-restore -h' or 'iptables-restore --help' for more information. iptables-restore v1.8.2 (legacy): unknown option "--log-prefix" Error occurred at line: 24 Try `iptables-restore -h' or 'iptables-restore --help' for more information. ip6tables-restore v1.8.2 (nf_tables): line 22: RULE_APPEND failed (No such file or directory): rule in chain INPUT Share this post Link to post Share on other sites
dec 0 Posted March 20, 2022 Did anyone ever figure this out? I'm just trying a basic operation with stock Tinker_Board-Debian-Buster-v3.0.11-20211026 image, but I immediately run in to this issue... I just want to list out what the existing NAT table is... iptables -t nat -L -n -v But I get this error... iptables v1.8.2 (nf_tables): CHAIN_ADD failed (No such file or directory): chain PREROUTING Any idea? Share this post Link to post Share on other sites
tooz 47 Posted February 6, 2023 hello @dec, this is fixed in more recent releases, i've tested with v.2.1.6 and can confirm it works os images can be downloaded here: Tinker Board (asus.com) Share this post Link to post Share on other sites
