OpenWrt Forum Archive

Topic: Are both iptables and firewall needed?

The content of this topic has been archived on 27 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I've never installed a firewall on my openwrt devices until now. I had prevented firewall from installing when installing iptables thinking the two were different firewalls.

# iptables -t nat -A POSTROUTING -o br-wan -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I then installed 'firewall' and things seem to work. Are both firewall and iptables needed in order to work?

(Last edited by projects on 30 Mar 2018, 06:07)

I never install package firewall. Only using my private rules for iptables.
Note, however, that you might need to install the required kernel modules yourself, as not all are
installed by default. I.e. conntrack is not always present by default, but might be auto installed when using firewall.

Yes, there must be something else installed that I've not noticed when also adding firewall. It only works when I install both packages.

May be, you need packages
kmod-ipt-conntrack
kmod-ipt-nat

to be installed.
May be, even
kmod-ipt-nat-extra
depending on, what you want to do.

(Last edited by augustus_meyer on 30 Mar 2018, 08:54)

The firewall package is just a series of scripts that use iptables to configure a firewall, according to the configuration at /etc/config/firewall; it also loads all needed kernel modules, and that is probably what you are missing, as the error says. You probably need to execute insmod iptable_nat or some other module before calling iptables.

I didn't have to do anything but install the firewall package and everything started working.
I wanted to ask in case I missed something. Seems to be working fine so I guess this question is moot.

Thanks for the input, it was appreciated.

This happened again. The solution was as mentioned above, installing

kmod-ipt-nat and kmod-ipt-nat-extra.

Now iptables commands for nat work.

Thanks again.

The discussion might have continued from here.