How can I switch back to iptables from nftables after upgrading Debian or Ubuntu?

ConfigServer Security & Firewall (csf) currently supports using iptables interface so when upgrading to Debian 11, Ubuntu 20.04 LTS, or Ubuntu 22.04 LTS which uses nftables by default you must switch back to the iptables interface. Most of the newer OS support iptables-nft which provides a bridge to the nftables kernel API and infrastructure so using iptables isn't an issue.

Make sure that the iptables packages are installed:

# apt-get install iptables

There are two variants of the iptables command:

1. legacy: Often referred to as iptables-legacy.
2. nf_tables: Often referred to as iptables-nft.

The newer iptables-nft command provides a bridge to the nftables kernel API and infrastructure and is recommended if it is supported by your OS. You can find out which variant is in use by looking up the iptables version. For iptables-nft, the variant will be shown in parentheses after the version number, denoted as nf_tables:

# iptables -V
iptables v1.8.4 (nf_tables)

1. To view your alternatives for running iptables you can run the command: update-alternatives --config iptables

# update-alternatives --config iptables
There are 2 choices for the alternative iptables (providing /usr/sbin/iptables).

  Selection    Path                       Priority   Status
* 0            /usr/sbin/iptables-nft      20        auto mode
  1            /usr/sbin/iptables-legacy   10        manual mode
  2            /usr/sbin/iptables-nft      20        manual mode

Press <enter> to keep the current choice[*], or type selection number: 

2. Run the following commands to re-link any symbolic links:

ln -s /etc/alternatives/iptables /sbin/iptables 2>/dev/null
ln -s /etc/alternatives/iptables-save /sbin/iptables-save 2>/dev/null
ln -s /etc/alternatives/iptables-restore /sbin/iptables-restore 2>/dev/null
ln -s /etc/alternatives/ip6tables /sbin/ip6tables 2>/dev/null
ln -s /etc/alternatives/ip6tables-save /sbin/ip6tables-save 2>/dev/null
ln -s /etc/alternatives/ip6tables-restore /sbin/ip6tables-restore 2>/dev/null

3. Go to the Juggernaut Firewall -> Settings -> Binary Settings and press the default button at the bottom of the page to apply the correct iptables binary locations. 

Now everything should be switched over to iptables and CSF should function correctly.


  • nftables, iptables
  • 3 Users Found This Useful
Was this answer helpful?

Related Articles

How can I raise the open file limit for the login failure daemon?

The login failure daemon can crash if you are monitoring a lot of domains in Plesk and are...

How can I test to make sure that the OS has all the required kernel modules required for Juggernaut Firewall?

Test from the Juggernaut Extension You can run the firewall test by going to Juggernaut Firewall...

How can I adjust the attack triggers used by the login failure daemon?

To Adjust Login Failure Triggers Navigate to Juggernaut Firewall -> Settings -> Login...

Where are the configuration files for Juggernaut Firewall located?

Configuration files are located in the /etc/csf/ directory with the main firewall configuration...

How can I use Juggernaut Firewall to monitor a list of directories?

Enter the Directories You Want To Monitor Navigate to Juggernaut Firewall -> Settings ->...