Iptables not dropping packets

I have extensive iptables rules including some to exclude known hackers. I use ipset to maintain a set of known IP addresses and --match-set DROP in my iptables rules.
Despite this, I still see entries in my maillog and Apache access log showing that packets from known bad IP addresses are still getting through.
How can this be?

Starting with el8, the kernel has had nf_tables, and the 'iptables' tool is a wrapper to nft that translates iptables syntax to nf_tables rules. (In fact, the upstream kernel has had nf_tables since 3.13, and Red Hat did backport it into their el7 kernel in a RHEL 7 point update.)

el9 offers firewalld.service and nftables.service. Even though iptables.service is still provided, it is very much deprecated.


You can see all the actual rules that are in the kernel with:

sudo nft list ruleset

Does anything in your active ruleset explain how things could get through?


nf_tables has [named] sets and maps as an alternative to ipsets.

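As an added example (not from any post in this thread), here is what the ipset-plus-DROP setup from the question looks like as a native nftables ruleset with a named set, so the output of `nft list ruleset` has something concrete to be compared against; the table, set and chain names and the addresses are my assumptions, constructed for illustration:

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: nftables equivalent of
# "ipset create ... ; iptables -m set --match-set blocklist src -j DROP".
# Names and addresses are assumptions (TEST-NET ranges, constructed).

flush ruleset

table inet filter {
    # Named set standing in for the ipset; 'interval' lets it hold
    # CIDR ranges as well as single addresses.
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.7 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # The block rule must come before any accept rule for the
        # service ports; the counter makes hits visible with
        # 'nft list chain inet filter input'.
        ip saddr @blocklist counter drop

        # Assumed services: ssh, smtp, http, https
        tcp dport { 22, 25, 80, 443 } accept
    }
}

# Add a newly identified address at runtime without reloading:
#   nft add element inet filter blocklist { 203.0.113.9 }
```

Load it with `sudo nft -f blocklist.nft`, then `sudo nft list ruleset` should show the set with its elements and the drop rule ahead of the accept rules. If the set is empty, the rule is missing, or the accept rules sit above it, that is the explanation for blocklisted addresses still reaching mail and Apache.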

Thank you for this information.
When I moved from CentOS to Rocky, I simply copied the iptables stuff across.
I shall follow the iptables to nftables migration guide and start again.