Do we have a snap for iptables which works as expected

iptables is quite dated … there is a snap to manage the newer netfilter firewalling though:

I saw that snap in the store; however, I wanted to use iptables as it has the IP forwarding feature. Not sure about UFW.

Note that ufw still uses the iptables command behind the scenes, but will choose the nft or legacy backend as appropriate for the system.

As for the original question, iptables is available in the core, core18 and core20 base runtimes, so all a snap needs to do is plug ‘firewall-control’ and it is free to use them. A standalone snap technically only needs to expose these commands. Consider the following snapcraft.yaml snippet:

name: test-iptables
version: "0"
architectures: [ all ]
summary: test-iptables summary
description: test-iptables description
apps:
  iptables:
    command: bin/iptables.sh
    plugs:
      # firewall-control is the interface that lets a strictly confined snap
      # read and modify netfilter rules
      - firewall-control

where bin/iptables.sh contains:

#!/bin/bash
# Thin wrapper: pass every argument through to the base runtime's iptables.
exec /sbin/iptables "$@"

This gives you the start of an ‘iptables snap’ that would ‘work as expected’.

However, as mentioned, iptables is old and the iptables in core and core18 will only use xtables (aka legacy), which should work on all kernels, but with the caveat that some newer systems will be configured to use the ‘nftables’ backend by default, and you don’t want to use both at the same time (i.e., one application adding netfilter rules and another xtables rules). For your snap to work everywhere, you would want to ship both an xtables legacy variant of iptables and an nftables variant, then detect at runtime which to use. This can be handled in different ways; the ufw snap chose to:

  • use base: core20 since that gives iptables-legacy and iptables-nft commands
  • maintain symlinks in a dir maintained by the snap and make sure this dir is in the snap’s PATH

Hope this helps
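The runtime detection plus symlink directory approach described in the answer above, as an added example written for this page (it is not the ufw snap's own code and the ufw snap may detect the backend differently). It assumes base: core20 so that both iptables-legacy* and iptables-nft* exist under /usr/sbin of the base runtime, that the snap plugs firewall-control and runs as root, that it owns a symlink dir under $SNAP_DATA, and that snapcraft.yaml points `command:` at this script (e.g. bin/iptables-wrapper.sh). The "never mix backends" heuristic, the optional use of the nft binary for the mixing check, and all function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the ufw snap's code): select the iptables variant at run time
# and expose it through a symlink directory placed on the snap's PATH.
#
# Assumptions, all this example's own:
#   - base: core20, so /usr/sbin/iptables-legacy* and /usr/sbin/iptables-nft* exist
#   - the snap plugs firewall-control and runs as root (needed to read rulesets)
#   - snapcraft.yaml uses:  command: bin/iptables-wrapper.sh
#   - 'nft' may or may not be present; it is only used for the mixing check
set -u

IPTABLES_DIR="${IPTABLES_DIR:-/usr/sbin}"                    # base runtime ships both variants here
BIN_DIR="${BIN_DIR:-${SNAP_DATA:-/tmp/test-iptables}/bin}"   # snap-managed symlink dir

# Count existing xtables (legacy) rules. '-A' lines are real rules; the '*table',
# ':CHAIN POLICY' and 'COMMIT' lines are framing and are ignored. Prints 0 when
# the command is missing or cannot run (e.g. no root).
count_legacy_rules() {
  command -v iptables-legacy-save >/dev/null 2>&1 || { echo 0; return; }
  iptables-legacy-save 2>/dev/null | grep -c '^-A ' || true
}

# Count non-empty lines of the native nftables ruleset (an empty ruleset prints nothing).
count_nft_rules() {
  command -v nft >/dev/null 2>&1 || { echo 0; return; }
  nft list ruleset 2>/dev/null | grep -c . || true
}

# 1 if iptables-nft can talk to the kernel's nf_tables backend, else 0.
nft_usable() {
  if command -v iptables-nft >/dev/null 2>&1 && iptables-nft -L -n >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Pure decision function (no root, no netfilter access) so the policy is testable alone.
# Args: <legacy_rule_count> <nft_rule_count> <nft_usable 0|1>
# Policy: never mix the two backends. If xtables rules already exist, stay with
# legacy (and warn if nft rules exist too, because the host is already mixed).
# Otherwise use nft whenever the kernel supports it, falling back to legacy.
choose_backend() {
  legacy_count=$1; nft_count=$2; nft_ok=$3
  if [ "$legacy_count" -gt 0 ]; then
    if [ "$nft_count" -gt 0 ]; then
      echo "warning: both xtables and nftables rules present; using legacy" >&2
    fi
    echo legacy
  elif [ "$nft_ok" -eq 1 ]; then
    echo nft
  else
    echo legacy
  fi
}

# Create or refresh $BIN_DIR/<tool> -> $IPTABLES_DIR/<tool with backend suffix>, e.g.
# iptables -> iptables-nft, ip6tables-save -> ip6tables-nft-save. Re-run on every
# start so a host that migrates between backends is picked up next time.
install_symlinks() {
  backend=$1
  mkdir -p "$BIN_DIR"
  for tool in iptables iptables-save iptables-restore \
              ip6tables ip6tables-save ip6tables-restore; do
    # insert the backend after the first 'tables' so ip6tables-* is handled too
    target=$(printf '%s' "$tool" | sed "s/tables/tables-$backend/")
    ln -sfn "$IPTABLES_DIR/$target" "$BIN_DIR/$tool"
  done
}

# Entry point for the snap's command. Only runs when arguments are given, so the
# file can also be sourced to reuse the functions without touching the firewall.
if [ $# -gt 0 ]; then
  backend=$(choose_backend "$(count_legacy_rules)" "$(count_nft_rules)" "$(nft_usable)")
  install_symlinks "$backend"
  export PATH="$BIN_DIR:$PATH"
  exec iptables "$@"
fi
```

Because the decision is separated from the probes, the policy can be exercised on a developer machine without root, while the probes only run inside the confined snap where firewall-control grants access. Pointing the symlinks at the base runtime's /usr/sbin rather than copying binaries keeps the snap itself architecture-independent, matching the `architectures: [ all ]` in the snippet above.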