Unable to configure network firewall (UFW)

fProgrammer · February 9, 2025, 4:08pm

Hello,
Is anyone able to get ufw running?
I get error stating missing kernel-modules

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... iptables v1.8.7 (nf_tables):  RULE_INSERT failed (No such file or directory): rule in chain ufw-check-requirements
ERROR: could insert RETURN rule into 'ufw-check-requirements'. Aborting
WARN: detected other firewall applications:
 firewalld
(if enabled, these applications may interfere with ufw)

FAIL: check your kernel and that you have iptables >= 1.4.0

djkabutar · February 10, 2025, 1:08pm

Can you tell us in which kernel you are getting this errors?

fProgrammer · February 10, 2025, 1:36pm

Sure, here is the output of uname

$ uname -a
Linux haedus 5.10.230-axon axon SMP Mon Jan 6 12:31:30 IST 2025 aarch64 aarch64 aarch64 GNU/Linux

djkabutar · February 11, 2025, 7:37am

Try doing

sudo apt update && sudo apt upgrade

We have updated the kernel modules with netfilter support.

fProgrammer · February 11, 2025, 9:43am

Hi, thanks for providing the upgrades.
I think some modules are still missing even with latest upgrades.

Here’s the output now:

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
LOG: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `LOG':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
hashlimit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `hashlimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
limit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, limit): FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `multiport':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
comment: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: ip6tables v1.8.7 (nf_tables): Chain 'REJECT' does not exist
Try `ip6tables -h' or 'ip6tables --help' for more information.
LOG: FAIL
error was: ip6tables v1.8.7 (nf_tables): Chain 'LOG' does not exist
Try `ip6tables -h' or 'ip6tables --help' for more information.
hashlimit: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `hashlimit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
limit: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `recent':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `recent':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
ctstate (new, limit): FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `limit':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `multiport':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
comment: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `comment':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (destination-unreachable): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (packet-too-big): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (time-exceeded): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (parameter-problem): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (echo-request): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-solicitation): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-advertisement): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-solicitation): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-advertisement): FAIL
error was: ip6tables v1.8.7 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
ipv6 rt: FAIL
error was: ip6tables v1.8.7 (nf_tables): Couldn't load match `rt':No such file or directory

Try `ip6tables -h' or 'ip6tables --help' for more information.

FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

I used a iptables legacy, even then it throws an error:

$ sudo /usr/share/ufw/check-requirements
Has python: pass (binary: python3, version: 3.10.12, py3)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? Y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `REJECT':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
LOG: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load target `LOG':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
hashlimit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `hashlimit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
limit: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, recent update): FAIL (no runtime support)
error was: iptables v1.8.7 (legacy): Couldn't load match `recent':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
ctstate (new, limit): FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `limit':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
interface (input): pass
interface (output): pass
multiport: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `multiport':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
comment: FAIL
error was: iptables v1.8.7 (legacy): Couldn't load match `comment':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... modprobe: FATAL: Module ip6_tables not found in directory /lib/modules/5.10.230-axon
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ERROR: could not create 'ufw-check-requirements6'. Aborting
FAIL: check your kernel and that you have iptables >= 1.4.0
FAIL: check your kernel and iptables for additional runtime support

djkabutar · February 11, 2025, 12:17pm

We have again updated the kernel packages, you can do this way

sudo apt update
sudo apt reinstall linux-image-5.10.230-axon linux-headers-5.10.230-axon

fProgrammer · February 11, 2025, 2:15pm

I think that fixes it, thank you!

I am trying to install tun/tap interface, and the kernel seems to be missing iproute, can you please build and publish a new update again?
@djkabutar

Additionally, can you guide me how did you fix it? Which modules did you compile into the kernel?

Akshar · February 20, 2025, 11:55am

Okay we will do. And update you.