iptables has been a part of Linux for over 20 years now, and it’s starting to show its age. In fact, it has already been replaced by nftables as of kernel 3.13. As a consequence of this transitional period, you might run into some bumps along the road while maintaining your iptables-based firewall. Here are a few examples Bailey and I discovered the other day while messing around with it on Kali.
More Than You Bargained For
Updating iptables on Kali will do far more than you might expect. In addition to installing nftables, you’ll also get something called iptables-legacy. This wouldn’t be so big of a deal if it weren’t for the fact that updating with iptables rules in place moves them all into iptables-legacy, where they stay active, while your regular iptables ruleset is left empty. Just to add to the potential confusion, rebooting with netfilter-persistent enabled then restores those legacy rules into your regular ruleset.
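One way to catch the state described above, as an added example that is not from the original post: a POSIX shell check that compares what the two backends enforce and reports anything only iptables-legacy carries. It assumes iptables 1.8+ with iptables-legacy-save and iptables-nft-save installed (as on Debian and Kali); the two sample dumps below are constructed to mimic the post-upgrade state.

```shell
# Added example, not from the post: flag the post-upgrade state where rules
# still live in the iptables-legacy (x_tables) backend while iptables-nft,
# the backend `iptables -L` now shows, looks empty. Assumes iptables >= 1.8
# with iptables-legacy-save and iptables-nft-save installed (Debian/Kali).
LC_ALL=C; export LC_ALL
# Reduce an iptables-save dump to what restricts traffic: "-A" rules plus
# any chain policy that is not the default ACCEPT, prefixed with the table.
normalize_rules() {
    awk '/^\*/  { table = substr($0, 2); next }
         /^:/   { if ($2 != "ACCEPT" && $2 != "-") print table " policy " $1 " " $2; next }
         /^-A / { print table " " $0 }' | sort -u
}

# Print entries present in dump $1 but absent from dump $2.
rules_only_in() {
    ta=$(mktemp); tb=$(mktemp)
    printf '%s\n' "$1" | normalize_rules > "$ta"
    printf '%s\n' "$2" | normalize_rules > "$tb"
    comm -23 "$ta" "$tb"; rm -f "$ta" "$tb"
}

# Verdict for a legacy dump ($1) and an nft dump ($2): consistent,
# legacy-only (filtered, but `iptables -L` shows nothing), nft-only, divergent.
classify_backends() {
    lo=$(rules_only_in "$1" "$2"); no=$(rules_only_in "$2" "$1")
    if   [ -z "$lo" ] && [ -z "$no" ]; then echo consistent
    elif [ -n "$lo" ] && [ -z "$no" ]; then echo legacy-only
    elif [ -z "$lo" ]; then echo nft-only
    else echo divergent
    fi
}

# Live check (run as root): the kernel evaluates both backends, so anything
# reported as legacy-only is enforced even though plain iptables cannot see it.
audit_live() {
    classify_backends "$(iptables-legacy-save)" "$(iptables-nft-save)"
}
# Constructed sample dumps mimicking the state right after the upgrade.
LEGACY_SAMPLE='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
NFT_SAMPLE='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
echo "sample verdict: $(classify_backends "$LEGACY_SAMPLE" "$NFT_SAMPLE")"   # legacy-only
```

On a real host, call `audit_live` (or feed the two save outputs to `rules_only_in`) to list exactly which rules and policies only the legacy backend is enforcing.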
So far these behaviors have only been observed on Kali and were not found when checked for on Debian and Ubuntu. If I find them anywhere else, I’ll post an update.