How to get netfilter tables to persist between boot?
Closed this issue · 4 comments
Thanks for the utility, @r3nor. This has worked very well on my end.
I don't use netfilter for any other application and rely on uft for a firewall, so it took me a few boots to realize that the mullvad-ts table created by mtc conf is wiped on reboot. In a way, it's nice to have a blank slate on boot, but if I wanted for the tables to persist, would running the following commands be all I need?
nft list ruleset > /etc/nftables.conf
systemctl enable --now nftables
Any recommendations or best practices would help. Thanks again!
Hey, I don't really know how you would do it, but I can investigate if you still didn't find a way. Otherwise you can share how you did it :)
What I wrote above gets the tables to persist, for sure. For others who are tinkering: you may not be able to write to the file directly, so create it in your home dir and moved it to /etc/nftables.conf after backing up the original. On reboot, the mullvad-ts table should persist.
ufw also seems to still be working, but I should read up about how the firewalls are interacting to make sure there are no issues. I think the nftables daemon is just managing the filters for mullvad and tailscale, so it should be fine.
If you only want the Mullvad rules to persist, you shouldn't do nft list ruleset > /etc/nftables.conf.
Instead, in the mullvad-tailscale directory, do something like:
cat mullvad.rules | sudo tee -a /etc/nftables.conf
Thanks @edgar-vincent, that's much more sensible. Since I wasn't using nft for anything besides mullvad at the time, I think it worked out okay, but I'm glad you mentioned it.