jovanpn

Debian 11 (kernel 5.10) V3.0.11 iptables and nftables problem

Hi,

I'm trying to set firewall rules using iptables (I also tried nftables), but I'm having trouble with some options. I want to add this rule, for example: iptables -t mangle -A PREROUTING -p tcp ! -s 127.0.0.1 --dport 8080 -j MARK --set-mark 1 but then I get the error iptables v1.8.7 (legacy): unknown option "--set-mark". If I translate the command to nftables: nft 'add rule ip mangle PREROUTING ip saddr != 127.0.0.1 tcp dport 8080 counter meta mark set 0x1' then I get the error Error: Could not process rule: No such file or directory, which points at the word counter.

After some extensive research, it seems that some modules are not loaded. Is anyone familiar with this problem, and is there a solution for this Debian version, or will I have to wait for a new Debian release?

Hi @tooz

thank you for your response! UFW, as described on the Debian Wiki page (UFW Debian Wiki page), is just a frontend for iptables, so I doubt UFW will be of any help. This seems to be a functional error and, as I mentioned in my question above, some of the iptables modules are not loaded (or not even installed on the system). The same rule works fine on Debian 10 with kernel 4.19 (system image version 2.1.16).

If I execute the command cat /proc/net/ip_tables_matches on both system versions, on Debian 10 (kernel 4.19) I get a far longer list of modules than on Debian 11 (kernel 5.10).

Back in 2021 I had the very same problem with Debian 10 for Tinker Board 2S version 2.0.0, as I posted here:

 and back then I got it resolved with a new version of Debian 10 when it was released.

Hello @jovanpn

I'll check and see if we've missed something in the defconfig; if so, this will be fixed in the next release.

Hello @jovanpn

I've compiled a beta boot.img (file name boot.1.img) with a couple more configs enabled; please give it a try and let me know.

https://www.asuswebstorage.com/navigate/a/#/s/11FC555055EA4D0288030C09125440F24

To replace the boot.img:

Check the partition order in the parameter.txt of the v3.0.11 image file; in this case boot.img is the 4th partition:

CMDLINE: mtdparts=rk29xxnand:0x00002000@0x00004000(uboot),0x00002000@0x00006000(trust),0x00002000@0x00008000(misc),0x00020000@0x0000a000(boot),0x00040000@0x0002a000(recovery),0x00010000@0x0006a000(backup),0x00020000@0x0007a000(userdata),-@0x0009a000(rootfs:grow)
uuid:rootfs=614e0000-0000-4b53-8000-1d28000054a9

On the Tinker Board 2S:

sudo lsblk

Replace the fourth partition (boot.img) with boot.1.img:

sudo dd bs=4M if=/path/to/boot.1.img of=/dev/mmcblk1p4 status=progress && sync


Reboot and check whether the changes work.

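The procedure above writes an image straight to a raw partition with dd, so the one thing worth verifying first is that the partition index really is the boot partition. The following is an added example (not tooz's code and not part of the Tinker Board image): it parses the mtdparts= line quoted from parameter.txt, maps a name to its index and size, and refuses a dd target that does not match. It assumes that sizes and offsets in the mtdparts string are in 512-byte sectors, as in Rockchip parameter files, and that the device naming follows the post (/dev/mmcblk1p4 for the 4th partition).

```shell
#!/bin/sh
# Added example, not from the thread: parse the mtdparts= string from a
# Rockchip parameter.txt so the partition index used with dd can be checked
# against the partition name (and size) before anything is written.

# The CMDLINE from the v3.0.11 parameter.txt quoted in the thread.
MTDPARTS='mtdparts=rk29xxnand:0x00002000@0x00004000(uboot),0x00002000@0x00006000(trust),0x00002000@0x00008000(misc),0x00020000@0x0000a000(boot),0x00040000@0x0002a000(recovery),0x00010000@0x0006a000(backup),0x00020000@0x0007a000(userdata),-@0x0009a000(rootfs:grow)'

# Assumption: sizes and offsets are in 512-byte sectors, as in Rockchip parameter files.
SECTOR=512

# mtd_parts STRING -> one line per entry: "index name offset size" (1-based index, hex values)
mtd_parts() {
    list=${1#*:}                       # strip "mtdparts=<device>:"
    i=0
    old_ifs=$IFS; IFS=','
    for entry in $list; do
        i=$((i + 1))
        size=${entry%%@*}              # "0x00020000", or "-" for "fill the rest"
        rest=${entry#*@}               # "0x0000a000(boot)"
        offset=${rest%%(*}
        name=${rest#*(}; name=${name%)}; name=${name%%:*}   # drop the ":grow" flag
        printf '%d %s %s %s\n' "$i" "$name" "$offset" "$size"
    done
    IFS=$old_ifs
}

# mtd_part_name STRING N -> name of the N-th partition (what /dev/mmcblkXpN holds)
mtd_part_name() { mtd_parts "$1" | awk -v n="$2" '$1 == n { print $2 }'; }

# mtd_part_index STRING NAME -> 1-based index of partition NAME
mtd_part_index() { mtd_parts "$1" | awk -v n="$2" '$2 == n { print $1 }'; }

# mtd_part_bytes STRING NAME -> size of NAME in bytes; fails for the "-" (grow) entry
mtd_part_bytes() {
    size=$(mtd_parts "$1" | awk -v n="$2" '$2 == n { print $4 }')
    [ -n "$size" ] && [ "$size" != "-" ] || return 1
    echo $((size * SECTOR))
}

# check_dd_target STRING NAME DEVBASE DEV -> succeed only if DEV (e.g. /dev/mmcblk1p4)
# is the partition called NAME according to STRING; prints the verdict either way.
check_dd_target() {
    idx=$(mtd_part_index "$1" "$2")
    want="${3}p${idx}"
    if [ -n "$idx" ] && [ "$want" = "$4" ]; then
        echo "$4 is partition $idx ($2): OK to write"
    else
        echo "$4 is NOT the $2 partition (expected ${want:-none})"; return 1
    fi
}

# image_fits STRING NAME FILE -> success if FILE is no larger than partition NAME
image_fits() {
    limit=$(mtd_part_bytes "$1" "$2") || return 1
    [ "$(wc -c < "$3")" -le "$limit" ]
}

# Print the table and check the exact target used in the post.
mtd_parts "$MTDPARTS"
check_dd_target "$MTDPARTS" boot /dev/mmcblk1 /dev/mmcblk1p4
```

Run it before the dd step; if the verdict line says NOT, the partition layout of the image you flashed differs from the one quoted above and the device argument to dd needs to be re-derived from that image's parameter.txt rather than copied from this thread.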
Hi @tooz

thank you very much for your response and effort! I can confirm that iptables now works correctly.

However, I still have a problem with nftables: adding the rule nft 'add rule ip mangle PREROUTING ip saddr != 127.0.0.1 tcp dport 8080 counter meta mark set 0x1' gives me the same error Error: Could not process rule: No such file or directory, with the pointer at the word counter in the command. Maybe you could take a look at this article I found: https://unix.stackexchange.com/a/667830

First of all, I can live with the iptables solution, but I thought of switching to nftables because it has been the default firewall since Debian 10. The reason I wrote about both errors (with iptables and nftables) is that I thought the two were somehow connected, but I see now they are not. One thing I noticed is that the nftables package is not installed by default in this image file, unlike what is described on the Debian website. I also tried working with nftables on a fresh Debian 11 desktop installation on my PC, which worked perfectly: the nftables package was installed by default and I didn't have to configure anything, just add rules, all of which worked without any error. What is your opinion on replicating the same setup with nftables in the next release of Debian 11 for Tinker Board 2S?

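Both the opening post and the post above attribute the errors to kernel-side pieces that are missing from the board image, and the opening post already uses cat /proc/net/ip_tables_matches to compare two boards. The script below is an added example (not from the thread and not part of the Tinker Board image) that turns that comparison into a check for exactly what the two rules in this thread need: the tcp match and the MARK target for the iptables rule, and the nf_tables core plus the counter expression for the nft rule. The choice of module names (xt_tcpudp, xt_mark, nft_counter) is my assumption for a 5.10 kernel, based on the error message pointing at the word counter. One caveat the script handles: the /proc/net/ip_tables_* files list only extensions that are currently registered, so an entry missing there can mean "not loaded yet" rather than "not built"; the modules tree under /lib/modules is the authoritative check, and the paths are parameters so copies captured from another board can be compared offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tinker Board image:
# report which kernel-side netfilter pieces needed by the two rules discussed
# in this thread are present. Paths are parameters so captured copies of the
# files from another board can be checked as well.

# have_entry FILE NAME -> success if NAME appears as a whole line in FILE
# (the format of /proc/net/ip_tables_targets and /proc/net/ip_tables_matches)
have_entry() {
    [ -r "$1" ] && grep -qx -- "$2" "$1"
}

# have_module MODDIR NAME -> success if kernel module NAME is either built in
# (listed in modules.builtin) or loadable (listed in modules.dep) under MODDIR,
# normally /lib/modules/$(uname -r). Compressed .ko.xz/.ko.zst entries match too.
have_module() {
    if [ -r "$1/modules.builtin" ] && grep -q "/$2\.ko" "$1/modules.builtin"; then
        return 0
    fi
    if [ -r "$1/modules.dep" ] && grep -q "/$2\.ko[^:]*:" "$1/modules.dep"; then
        return 0
    fi
    return 1
}

# check_netfilter TARGETS MATCHES MODDIR
# TARGETS/MATCHES are (copies of) /proc/net/ip_tables_targets and _matches.
# Prints one line per requirement and returns 1 if anything is truly missing.
check_netfilter() {
    rc=0
    # iptables rule: -p tcp ! -s 127.0.0.1 --dport 8080 -j MARK --set-mark 1
    # needs the tcp match and the MARK target. Module names are an assumption
    # for a 5.10 kernel: xt_tcpudp provides tcp/udp, xt_mark provides MARK.
    for spec in "match:tcp:xt_tcpudp" "target:MARK:xt_mark"; do
        kind=${spec%%:*}; rest=${spec#*:}; name=${rest%%:*}; mod=${rest#*:}
        if [ "$kind" = match ]; then f=$2; else f=$1; fi
        if have_entry "$f" "$name"; then
            echo "ok          iptables $kind $name"
        elif have_module "$3" "$mod"; then
            echo "not loaded  iptables $kind $name ($mod available, loads on first use)"
        else
            echo "MISSING     iptables $kind $name ($mod not in this kernel)"; rc=1
        fi
    done
    # nft rule: ip saddr != 127.0.0.1 tcp dport 8080 counter meta mark set 0x1
    # nf_tables is the core; nft_counter is assumed here to be the module behind
    # the "counter" statement that the error message points at (CONFIG_NFT_COUNTER).
    for mod in nf_tables nft_counter; do
        if have_module "$3" "$mod"; then
            echo "ok          nft module $mod"
        else
            echo "MISSING     nft module $mod"; rc=1
        fi
    done
    return $rc
}

# When run directly, check the live system (these paths are the kernel defaults).
if [ -d "/lib/modules/$(uname -r)" ] || [ -r /proc/net/ip_tables_targets ]; then
    if check_netfilter /proc/net/ip_tables_targets /proc/net/ip_tables_matches \
            "/lib/modules/$(uname -r)"; then
        echo "all required netfilter pieces are present"
    else
        echo "something is missing: compare with a board where the rules work"
    fi
fi
```

A MISSING line for an nft module on the board, next to an ok line for the same module on the desktop installation mentioned above, is the evidence to attach to a report like this one: it points at the kernel config rather than at the nftables package or the rule syntax.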
Hi @tooz

thank you again for your effort. Unfortunately, the nftables error remains. I now tried writing a fresh Debian 11 v3.0.11 image to the Tinker Board, then applied your boot.2.img image, rebooted the Tinker Board, updated Debian with the latest updates and then installed the nftables package. In the end I started adding firewall rules and got the result in the picture below.

[screenshot: nftables_error.png]
