Hello.
For several months I have been working with the nightlies. Current version:
Linux LIBREELEC 6.18.21 #1 SMP Sat Apr 25 04:39:21 UTC 2026 aarch64 GNU/Linux
I wondered why the output of "iptables -L -v" was always empty even though I had the firewall enabled in private mode. In the beginning I made my own firewall.service with a script. Then I tried a private nftables.service. The rules are loaded, but "iptables -L -v" does not reflect them.
So I started exploring the problem a little bit:
The main problem may be the new integration of nftables with iptables as a frontend. The current rules in /etc/iptables/* are not fully compatible. iptables always ends up with errors. Starting with a manual restore:
< LIBREELEC:/etc/iptables # iptables-restore home.v4
iptables-restore v1.8.13 (nf_tables): unknown option "--reject-with"
Error occurred at line: 30
Try `iptables-restore -h' or 'iptables-restore --help' for more information. >
<- -A private-subnets -j REJECT --reject-with icmp-port-unreachable
+ -A private-subnets -j DROP >
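Review bot: The replacement on the final private-subnets rule swaps `-j REJECT` for `-j DROP`, which is not behaviour-neutral: traffic that matches none of the ACCEPT rules is now discarded silently, so a sender waits for a timeout instead of getting an immediate port-unreachable reply. That is fine as a local workaround, but since the error comes from iptables-restore v1.8.13 (nf_tables) refusing an option that the shipped rules file uses, it should also be reported against the nightly so the image's rules and its iptables build agree again.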
<- -A private-subnets -j REJECT --reject-with icmp6-port-unreachable
+ -A private-subnets -j DROP >
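Review bot: The IPv6 replacement of `--reject-with icmp6-port-unreachable` is made by analogy, while the only failure shown is from `iptables-restore home.v4`. Run the v6 rules file through ip6tables-restore too and confirm it stops on this line before changing it, then check `ip6tables -L -v` after loading, because the listing in the post only proves the IPv4 rules are active.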
After changing the code, saving it as /storage/.config/iptables/rules.v4(6), and editing /storage/.cache/services/iptables.conf to have "RULES=custom" at the very end, it is working:
< LIBREELEC:~ # iptables -L -v
Chain INPUT (policy DROP 19 packets, 3806 bytes)
pkts bytes target prot opt in out source destination
134 232K ACCEPT all -- lo any anywhere anywhere
1768 1068K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- tether any anywhere anywhere ctstate NEW
154 54318 private-subnets all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tether any anywhere anywhere ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- any tether anywhere anywhere ctstate RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 1882 packets, 624K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER-USER (0 references)
pkts bytes target prot opt in out source destination
0 0 private-subnets all -- any any anywhere anywhere
Chain private-subnets (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- eth+ any 10.0.0.0/8 anywhere ctstate NEW
0 0 ACCEPT all -- eth+ any 172.16.0.0/12 anywhere ctstate NEW
0 0 ACCEPT all -- eth+ any 192.168.0.0/16 anywhere ctstate NEW
0 0 ACCEPT all -- en+ any 10.0.0.0/8 anywhere ctstate NEW
0 0 ACCEPT all -- en+ any 172.16.0.0/12 anywhere ctstate NEW
0 0 ACCEPT all -- en+ any 192.168.0.0/16 anywhere ctstate NEW
0 0 ACCEPT all -- wl+ any 10.0.0.0/8 anywhere ctstate NEW
0 0 ACCEPT all -- wl+ any 172.16.0.0/12 anywhere ctstate NEW
135 50512 ACCEPT all -- wl+ any 192.168.0.0/16 anywhere ctstate NEW
0 0 ACCEPT all -- tether any 10.0.0.0/8 anywhere ctstate NEW
0 0 ACCEPT all -- tether any 172.16.0.0/12 anywhere ctstate NEW
0 0 ACCEPT all -- tether any 192.168.0.0/16 anywhere ctstate NEW
0 0 ACCEPT all -- docker+ any 10.0.0.0/8 anywhere ctstate NEW
0 0 ACCEPT all -- docker+ any 172.16.0.0/12 anywhere ctstate NEW
0 0 ACCEPT all -- docker+ any 192.168.0.0/16 anywhere ctstate NEW
>
If I made any mistakes please correct me. Hope that helps.
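
The workaround described in the post, as an added example that is not part of the original post or of LibreELEC's tooling: it rewrites the REJECT rules to DROP and only installs the result if an `iptables-restore --test` dry run accepts it, so a rules file that still fails to parse never replaces a working one. The function names `convert_rules` and `sample_rules` and the sample rules are constructed for this example; the paths in the comments are the ones named in the post.

```shell
#!/bin/sh
# Added example; convert_rules and sample_rules are names made up here.

# Constructed sample in iptables-save format, modelled on the rule from the post.
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:private-subnets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j private-subnets
-A private-subnets -i eth+ -s 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
-A private-subnets -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# convert_rules SRC DST [RESTORE_CMD]
# Writes SRC to DST with "-j REJECT --reject-with <type>" replaced by "-j DROP".
# DST is only created if RESTORE_CMD --test parses the candidate successfully.
# Prints the number of rewritten rules on stdout.
convert_rules() {
  src=$1; dst=$2; restore=${3:-iptables-restore}
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
  tmp="$dst.tmp.$$"
  # Touch rule lines only; table headers, chain policies and COMMIT stay as-is.
  sed -E '/^-A /s/-j REJECT --reject-with [A-Za-z0-9-]+/-j DROP/' "$src" > "$tmp" || return 2
  before=$(grep -c -- '--reject-with' "$src" || true)
  after=$(grep -c -- '--reject-with' "$tmp" || true)
  # Dry run: parse the candidate without committing it to the kernel.
  if ! "$restore" --test < "$tmp"; then
    echo "validation failed, $dst left untouched" >&2
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$dst" || return 2
  echo $((before - after))
}

# On the device (paths from the post), as root:
#   mkdir -p /storage/.config/iptables
#   convert_rules /etc/iptables/home.v4 /storage/.config/iptables/rules.v4
# For the IPv6 rules file, pass ip6tables-restore as the third argument.
```

After both files are in place, set "RULES=custom" in /storage/.cache/services/iptables.conf as the post describes and compare `iptables -L -v` with the listing above.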