
I am not a Linux guru, but I used to manage this; now I'm completely stuck.

I have Debian Jessie installed on the server. It worked fine, then one of the interns did something there and, as a result, nftables was installed on the server.

After that, the service list from `service --status-all` started getting stuck at exim4, and the next item hangs indefinitely; I suspect it is the firewall. `iptables -S` also hangs endlessly.

So I decided to remove nftables. I ran `apt-get remove nftables` and `apt-get purge nftables`; the system reported that everything was removed. However, `lsmod` still lists nf_tables modules:

root@b798:/sys/module# lsmod | grep -E '^ip|^nf' | sort
ipmi_devintf           17053  0
ipmi_msghandler        39877  2 ipmi_devintf,ipmi_si
ipmi_si                48757  0
ip_tables              21711  0
ipt_REJECT             12465  0
nf_conntrack           91480  2 xt_conntrack,nf_conntrack_ipv4
nf_conntrack_ipv4      18448  1
nf_defrag_ipv4         12483  1 nf_conntrack_ipv4
nfnetlink              12989  11 nf_tables,nft_compat
nf_tables              54391  4 nf_tables_ipv4,nft_compat,nft_counter
nf_tables_ipv4         12621  4
nft_compat             12980  1
nft_counter            12523  1

Also, I see nftables folders in /sys/module:

drwxr-xr-x   6 root root 0 Nov  8 10:22 nf_conntrack
drwxr-xr-x   6 root root 0 Nov  8 10:22 nf_conntrack_ipv4
drwxr-xr-x   5 root root 0 Nov  8 10:22 nf_defrag_ipv4
drwxr-xr-x   5 root root 0 Nov  8 10:22 nfnetlink
drwxr-xr-x   5 root root 0 Nov  8 10:16 nf_tables
drwxr-xr-x   5 root root 0 Nov  8 10:22 nf_tables_ipv4
drwxr-xr-x   5 root root 0 Nov  8 10:22 nft_compat
drwxr-xr-x   5 root root 0 Nov  8 10:22 nft_counter

And in /proc/modules:

nf_conntrack_ipv4 30154 1 - Loading 0xffffffffa0498000
nf_defrag_ipv4 12483 1 nf_conntrack_ipv4, Live 0xffffffffa0493000
nft_counter 12523 1 - Live 0xffffffffa0486000
ipt_REJECT 12465 0 - Live 0xffffffffa0481000
xt_conntrack 12681 2 - Live 0xffffffffa048e000
nf_conntrack 91480 2 nf_conntrack_ipv4,xt_conntrack, Live 0xffffffffa0469000
nft_compat 12980 1 - Live 0xffffffffa0422000
nf_tables_ipv4 12621 4 - Live 0xffffffffa041d000
nf_tables 54391 4 nft_counter,nft_compat,nf_tables_ipv4, Live 0xffffffffa045a000
nfnetlink 12989 11 nft_compat,nf_tables, Live 0xffffffffa0412000

I want to remove the modules from /sys/module, but I am afraid that this will break the system completely. All I want is to get back plain iptables, without any newfangled nftables and the like.

Please at least point me in the direction I should look. Thank you!

UPD1: Here is the log:

root@b798:/home/# systemctl status firewall
Warning: The unit file, source configuration file or drop-ins of firewall.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● firewall.service - LSB: Start firewall
   Loaded: loaded (/etc/init.d/firewall; generated)
   Active: failed (Result: timeout) since Wed 2019-11-06 16:55:02 MSK; 1 day 20h ago
     Docs: man:systemd-sysv-generator(8)
  Process: 682 ExecStart=/etc/init.d/firewall start (code=killed, signal=TERM)
   CGroup: /system.slice/firewall.service
           └─711 iptables -F INPUT

Nov 06 16:50:02 b798 systemd[1]: Starting LSB: Start firewall...
Nov 06 16:55:02 b798 systemd[1]: firewall.service: Start operation timed out. Terminating.
Nov 06 16:55:02 b798 systemd[1]: firewall.service: Control process exited, code=killed, status=15/TERM
Nov 06 16:55:02 b798 systemd[1]: firewall.service: Failed with result 'timeout'.
Nov 06 16:55:02 b798 systemd[1]: Failed to start LSB: Start firewall.
Theo Vi
  • These are not all `nftables` modules, but partly `netfilter` modules included in the kernel (e.g. `nf_conntrack`); do not try to remove them. What is the real problem? That `service --status-all` hangs on exim4? I don't think that has anything to do with the firewall... check your logs. – Lenniey Nov 08 '19 at 10:13
  • But on another host (with the same version of Debian), I don't see these modules. Why? I can't set up my iptables firewall; this is the problem. I can't add or remove rules, and the rules in /etc/init.d/firewall don't apply. At system start I see: Failed to start LSB: Start firewall. – Theo Vi Nov 08 '19 at 10:28
  • Attached the firewall status. – Theo Vi Nov 08 '19 at 10:33
  • Did you run `systemctl daemon-reload` as advised? – Lenniey Nov 08 '19 at 10:39
  • Yes, I tried, but no result. – Theo Vi Nov 08 '19 at 10:42
  • Did you create the systemd unit `firewall.service` yourself? – Lenniey Nov 08 '19 at 10:46
  • No, I didn't. I connected to the server after the intern had worked on it. In general, I would like to leave systemd and return to base Debian, but I do not know how to do this. – Theo Vi Nov 08 '19 at 11:03
  • "Base Debian 8" comes with iptables, no other wrapper. – Lenniey Nov 08 '19 at 11:41
  • Yes, I know, it was so. But our intern somehow installed systemd on Debian. Maybe I can revert from systemd to base Debian? – Theo Vi Nov 08 '19 at 11:55
  • `systemd` has been the default since Debian 8 Jessie. – Lenniey Nov 08 '19 at 12:01
  • Oh. Sorry, I chose the wrong line of thought T_T – Theo Vi Nov 08 '19 at 12:09
  • FYI, all you have to do to clear the active ruleset in nftables is run `nft flush ruleset` from the shell. – Jose Fernando Lopez Fernandez Aug 15 '20 at 07:25
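As an added example (not code from the asker, from the commenters or from Debian), a small POSIX shell helper that reads the /proc/modules format shown in the question without changing anything and splits the netfilter modules into three groups: the ones rmmod could drop right now, the ones whose refcount is held by something other than another module (a registered nft table or chain, or a process holding the netlink socket, which is the case `nft flush ruleset` from the last comment addresses), and the ones not in the Live state. The sample data is the question's own /proc/modules listing; the `report` function and its file-path argument are assumptions.

```shell
#!/bin/sh
# Constructed sample: the netfilter lines of /proc/modules from the question.
# Columns: name size refcount dependents ("-" or comma list) state address
SAMPLE_MODULES='nf_conntrack_ipv4 30154 1 - Loading 0xffffffffa0498000
nf_defrag_ipv4 12483 1 nf_conntrack_ipv4, Live 0xffffffffa0493000
nft_counter 12523 1 - Live 0xffffffffa0486000
ipt_REJECT 12465 0 - Live 0xffffffffa0481000
xt_conntrack 12681 2 - Live 0xffffffffa048e000
nf_conntrack 91480 2 nf_conntrack_ipv4,xt_conntrack, Live 0xffffffffa0469000
nft_compat 12980 1 - Live 0xffffffffa0422000
nf_tables_ipv4 12621 4 - Live 0xffffffffa041d000
nf_tables 54391 4 nft_counter,nft_compat,nf_tables_ipv4, Live 0xffffffffa045a000
nfnetlink 12989 11 nft_compat,nf_tables, Live 0xffffffffa0412000'

# Modules with refcount 0 in the Live state: the only ones rmmod could drop
# now without something else being unloaded first.
leaf_modules() {
    printf '%s\n' "$1" | awk '$3 == 0 && $5 == "Live" { print $1 }'
}

# Non-zero refcount but no module listed as a dependent: the count is held by
# something other than a module, typically a registered nft table/chain or a
# process with the netlink socket open (e.g. the stuck "iptables -F INPUT").
# That is what "nft flush ruleset" releases and what rmmod cannot remove.
held_outside_modules() {
    printf '%s\n' "$1" | awk '$3 > 0 && $4 == "-" { print $1 }'
}

# Modules whose state is not Live. A module that stays in "Loading" (as
# nf_conntrack_ipv4 does in the question) is worth noting next to a hung
# iptables, since its init has not completed.
not_live() {
    printf '%s\n' "$1" | awk '$5 != "Live" { print $1 " " $5 }'
}

# Assumed usage on a live host: reads /proc/modules read-only (no root needed),
# or a saved copy if a path is given, and keeps only netfilter-family modules.
report() {
    mods=$(grep -E '^(nf|xt_|ipt?_)' "${1:-/proc/modules}")
    echo "removable now:";               leaf_modules "$mods"
    echo "held by ruleset or process:";  held_outside_modules "$mods"
    echo "not Live:";                    not_live "$mods"
}
```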
