Unable to configure network firewall (UFW)

Hello,
Is anyone able to get ufw running?
I get an error stating missing kernel-modules

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... iptables v1.8.7 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain ufw-check-requirements
ERROR: could insert RETURN rule into 'ufw-check-requirements'. Aborting
WARN: detected other firewall applications:
 firewalld
(if enabled, these applications may interfere with ufw)

FAIL: check your kernel and that you have iptables >= 1.4.0

Can you tell us in which kernel you are getting these errors?

Sure, here is the output of uname

$ uname -a
Linux haedus 5.10.230-axon axon SMP Mon Jan 6 12:31:30 IST 2025 aarch64 aarch64 aarch64 GNU/Linux

Try doing

sudo apt update && sudo apt upgrade

We have updated the kernel modules with netfilter support.

Hi, thanks for providing the upgrades.
I think some modules are still missing even with the latest upgrades.

Here’s the output now:

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
LOG: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `LOG':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
hashlimit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `hashlimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
limit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, limit): FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `multiport':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
comment: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: ip6tables v1.8.7 (nf_tables): Chain 'REJECT' does not exist
Try `ip6tables -h' or 'ip6tables --help' for more information.
LOG: FAIL
error was: ip6tables v1.8.7 (nf_tables): Chain 'LOG' does not exist
Try `ip6tables -h' or 'ip6tables --help' for more information.
hashlimit: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `hashlimit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
limit: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `recent':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `recent':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (new, limit): FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `multiport':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
comment: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (destination-unreachable): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (packet-too-big): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (time-exceeded): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (parameter-problem): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (echo-request): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-solicitation): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-advertisement): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-solicitation): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-advertisement): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
ipv6 rt: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `rt':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

I used iptables legacy; even then it throws an error:

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
LOG: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `LOG':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
hashlimit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `hashlimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
limit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, limit): FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `multiport':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
comment: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/5.10.230-axon
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ERROR: could not create 'ufw-check-requirements6'. Aborting
FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

We have updated the kernel packages again; you can do it this way:

sudo apt update
sudo apt reinstall linux-image-5.10.230-axon linux-headers-5.10.230-axon

I think that fixes it, thank you!

I am trying to install a tun/tap interface, and the kernel seems to be missing iproute. Can you please build and publish a new update again?
@djkabutar

Additionally, can you guide me on how you fixed it? Which modules did you compile into the kernel?

Okay, we will do that and update you.

Hello everyone,
sorry, it's almost a year and I think some important kernel modules are still missing in the axon kernel (v 6.1.75)

$ sudo modprobe tun
modprobe: FATAL: Module tun not found in directory /lib/modules/6.1.75-axon

Because of this, I’m unable to run any tunnel services on vicharak like Tailscale.

$ sudo systemctl status  --full tailscaled 
● tailscaled.service - Tailscale node agent
     Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2026-02-19 11:37:54 CET; 179ms ago
       Docs: https://tailscale.com/kb/
   Main PID: 170617 (tailscaled)
      Tasks: 14 (limit: 9331)
     Memory: 63.7M
        CPU: 251ms
     CGroup: /system.slice/tailscaled.service
             ├─170617 /usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tai>
             └─170639 dpkg-query --search -- kernel/drivers/net/tun.ko

Feb 19 11:37:54 haedus tailscaled[170617]: logpolicy: using $STATE_DIRECTORY, "/var/lib/tailscale"
Feb 19 11:37:54 haedus tailscaled[170617]: dns: [resolved-ping=yes rc=resolved resolved=file nm=yes nm-r>
Feb 19 11:37:54 haedus tailscaled[170617]: dns: using "systemd-resolved" mode
Feb 19 11:37:54 haedus tailscaled[170617]: creating dns cleanup: route ip+net: no such network interface
Feb 19 11:37:54 haedus tailscaled[170617]: linuxfw: clear iptables: could not get iptables version: exit>
Feb 19 11:37:54 haedus tailscaled[170617]: linuxfw: clear ip6tables: could not get iptables version: exi>
Feb 19 11:37:54 haedus tailscaled[170617]: cleanup: list tables: socket: protocol not supported
Feb 19 11:37:54 haedus tailscaled[170617]: wgengine.NewUserspaceEngine(tun "tailscale0") ...
Feb 19 11:37:54 haedus tailscaled[170617]: Linux kernel version: 6.1.75-axon
Feb 19 11:37:54 haedus tailscaled[170617]: is CONFIG_TUN enabled in your kernel? `modprobe tun` failed

Can someone suggest how I can build these modules for axon? Or can vicharak put it in their headers please?

Thanks :smile: !
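
For readers debugging the same failures, here is an added example (not from any poster in this thread, and not Vicharak's or ufw's code) that turns the `Couldn't load match/target` and `modprobe: FATAL` lines shown above into the kernel options they point to, then lists which are not enabled in a kernel config file. It assumes the failures come from missing kernel options; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: map ufw check-requirements / modprobe failures to kernel options.

# Map one failure to its Kconfig symbol.
# $1 = iptables|ip6tables, $2 = match|target|module, $3 = name from the error text
kconfig_for() {
    case "$2:$3" in
        target:REJECT) [ "$1" = ip6tables ] && echo CONFIG_IP6_NF_TARGET_REJECT \
                                            || echo CONFIG_IP_NF_TARGET_REJECT ;;
        match:rt)          echo CONFIG_IP6_NF_MATCH_RT ;;
        module:ip6_tables) echo CONFIG_IP6_NF_IPTABLES ;;
        module:tun)        echo CONFIG_TUN ;;
        target:*) echo "CONFIG_NETFILTER_XT_TARGET_$(echo "$3" | tr '[:lower:]' '[:upper:]')" ;;
        match:*)  echo "CONFIG_NETFILTER_XT_MATCH_$(echo "$3" | tr '[:lower:]' '[:upper:]')" ;;
    esac
}

# Read tool output on stdin; print the unique Kconfig symbols it implies.
required_options() {
    sed -nE \
        -e "s/^error was: (ip6?tables) .*Couldn't load (match|target) \`([A-Za-z0-9_]+)'.*/\1 \2 \3/p" \
        -e "s/.*modprobe: FATAL: Module ([A-Za-z0-9_]+) not found.*/- module \1/p" |
    while read -r fam kind name; do kconfig_for "$fam" "$kind" "$name"; done | sort -u
}

# Print the symbols from stdin that are neither =y nor =m in kernel config file $1.
missing_options() {
    while read -r sym; do
        grep -Eq "^${sym}=[ym]\$" "$1" || echo "$sym"
    done
}

# Constructed sample in the format shown in the thread, so the script runs offline.
sample_output() {
cat <<'EOF'
REJECT: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory
multiport: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `multiport':No such file or directory
modprobe: FATAL: Module tun not found in directory /lib/modules/6.1.75-axon
EOF
}

sample_output | required_options
```

On a real system, pipe `sudo /usr/share/ufw/check-requirements 2>&1` into `required_options` and then into `missing_options` with the running kernel's config file (commonly `/boot/config-$(uname -r)` or a decompressed `/proc/config.gz`, if the kernel ships either).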