Firewall not working

UNPi4 · April 27, 2026 at 3:51 PM

Hallo.

Since several month I am working with the nightlyies. Current Version:

Linux LIBREELEC 6.18.21 #1 SMP Sat Apr 25 04:39:21 UTC 2026 aarch64 GNU/Linux

I wondered that the output of "iptables -L -v" is always empty but I had the firewall enabled in private mode. In the beginning I made my own firewall.service with a script. Then I tried a private nftables.service. The rules are loaded but "iptables -L -v" is not reflecting them.

So I startet exploring the problem a little bit:

The main probem may be the new integration with nftables and iptables as frontend. The current rules in /etc/iptables/* are not fully compatible. iptables is always ending up with errors. Beginning with a manual restore:

Code

< LIBREELEC:/etc/iptables # iptables-restore home.v4
iptables-restore v1.8.13 (nf_tables): unknown option "--reject-with"
Error occurred at line: 30
Try `iptables-restore -h' or 'iptables-restore --help' for more information. >

Code

<- -A private-subnets -j REJECT --reject-with icmp-port-unreachable
+ -A private-subnets -j DROP >

Code

<- -A private-subnets -j REJECT --reject-with icmp6-port-unreachable
+ -A private-subnets -j DROP >

After changing the code and saving it as /storage/.config/iptables/rules.v4(6) and editing the /storage/.cache/services/iptables.conf with "RULES=custom" at the very last end it is working :

Code

< LIBREELEC:~ # iptables -L -v
Chain INPUT (policy DROP 19 packets, 3806 bytes)
 pkts bytes target     prot opt in     out     source               destination
  134  232K ACCEPT     all  --  lo     any     anywhere             anywhere
 1768 1068K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  tether any     anywhere             anywhere             ctstate NEW
  154 54318 private-subnets  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tether any     anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    tether  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 1882 packets, 624K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-USER (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 private-subnets  all  --  any    any     anywhere             anywhere

Chain private-subnets (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth+   any     10.0.0.0/8           anywhere             ctstate NEW
    0     0 ACCEPT     all  --  eth+   any     172.16.0.0/12        anywhere             ctstate NEW
    0     0 ACCEPT     all  --  eth+   any     192.168.0.0/16       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  en+    any     10.0.0.0/8           anywhere             ctstate NEW
    0     0 ACCEPT     all  --  en+    any     172.16.0.0/12        anywhere             ctstate NEW
    0     0 ACCEPT     all  --  en+    any     192.168.0.0/16       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  wl+    any     10.0.0.0/8           anywhere             ctstate NEW
    0     0 ACCEPT     all  --  wl+    any     172.16.0.0/12        anywhere             ctstate NEW
  135 50512 ACCEPT     all  --  wl+    any     192.168.0.0/16       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  tether any     10.0.0.0/8           anywhere             ctstate NEW
    0     0 ACCEPT     all  --  tether any     172.16.0.0/12        anywhere             ctstate NEW
    0     0 ACCEPT     all  --  tether any     192.168.0.0/16       anywhere             ctstate NEW
    0     0 ACCEPT     all  --  docker+ any     10.0.0.0/8           anywhere             ctstate NEW
    0     0 ACCEPT     all  --  docker+ any     172.16.0.0/12        anywhere             ctstate NEW
    0     0 ACCEPT     all  --  docker+ any     192.168.0.0/16       anywhere             ctstate NEW
>

Display More

If I made any mistakes please correct me. Hope that helps.

**heitbaum** · April 28, 2026 at 2:45 PM

Updated files, dropping the --reject-with from REJECT rules for nf_tables compatibility - PR raised https://github.com/LibreELEC/LibreELEC.tv/pull/11225

**chewitt** · April 28, 2026 at 3:02 PM

PR is merged

UNPi4 · May 6, 2026 at 3:39 PM

I am sorry, but I think I must reopen this report. Working with LibreELEC-RPi4.aarch64-13.0-nightly-20260502-e9fe4f0.img.gz and the acutal code, I still get this:

Code

LIBREELEC:/etc/iptables # ls
README     home.v4    home.v6    public.v4  public.v6
LIBREELEC:/etc/iptables # iptables-restore home.v4
iptables-restore v1.8.13 (nf_tables): Chain 'REJECT' does not exist
Error occurred at line: 31
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
LIBREELEC:/etc/iptables # ip6tables-restore home.v6
ip6tables-restore v1.8.13 (nf_tables): Chain 'REJECT' does not exist
Error occurred at line: 21
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
LIBREELEC:/etc/iptables # iptables-restore public.v4
iptables-restore v1.8.13 (nf_tables): Chain 'REJECT' does not exist
Error occurred at line: 18
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
LIBREELEC:/etc/iptables # ip6tables-restore public.v6
ip6tables-restore v1.8.13 (nf_tables): Chain 'REJECT' does not exist
Error occurred at line: 17
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Display More

Maybe this is the reason:

Code

LIBREELEC:/etc/iptables # modprobe xt_REJECT
modprobe: FATAL: Module xt_REJECT not found in directory /lib/modules/6.18.21

So for now I think DROP is a alternative option. Hope that helps

**heitbaum** · May 10, 2026 at 3:18 AM

https://github.com/LibreELEC/LibreELEC.tv/pull/11304 Should fix it. There was a series of so files missing

Quote

/usr/lib/xtables/libip6t_frag.so
/usr/lib/xtables/libip6t_dst.so
/usr/lib/xtables/libip6t_srh.so
/usr/lib/xtables/libip6t_icmp6.so
/usr/lib/xtables/libip6t_SNPT.so
/usr/lib/xtables/libipt_ttl.so
/usr/lib/xtables/libipt_CLUSTERIP.so
/usr/lib/xtables/libipt_ah.so
/usr/lib/xtables/libip6t_NETMAP.so
/usr/lib/xtables/libip6t_eui64.so
/usr/lib/xtables/libipt_ECN.so
/usr/lib/xtables/libipt_realm.so
/usr/lib/xtables/libipt_icmp.so
/usr/lib/xtables/libipt_NETMAP.so
/usr/lib/xtables/libip6t_hl.so
/usr/lib/xtables/libip6t_mh.so
/usr/lib/xtables/libipt_REJECT.so
/usr/lib/xtables/libip6t_rt.so
/usr/lib/xtables/libip6t_REJECT.so
/usr/lib/xtables/libip6t_hbh.so
/usr/lib/xtables/libip6t_ipv6header.so
/usr/lib/xtables/libipt_TTL.so
/usr/lib/xtables/libip6t_ah.so
/usr/lib/xtables/libip6t_DNPT.so
/usr/lib/xtables/libipt_ULOG.so
/usr/lib/xtables/libip6t_HL.so

Display More