Iptables vs nft on default install

I’m so confused. So I have iptables-services package installed and have a working iptables firewall going.

Then I turned on Gnome’s wifi hotspot and saw in journalctl that it adds an NFT table for the shared wifi connection. But when I run systemctl status nftables it says it’s inactive and disabled. I looked through the iptables tables, and there’s nothing from the nft table that the hotspot adds automatically.

I enabled nftables with systemctl start nftables just to see if it picks up and starts processing the hotspot’s table, but I’m not sure how to check this.

Importantly, does Fedora need to have nftables enabled by default for Gnome’s hotspot nftables masquerading table to work? Weirdly, the wifi hotspot does work without nftables enabled, but I’m getting weird packet drops on my iptables firewall, which may be due to nftables not working and not picking up Gnome’s hotspot nftables configuration.

Fedora uses Firewalld with nftables backend by default, so make sure to disable and stop the nftables and iptables services to avoid conflicts.

The Wi-Fi Hotspot feature works with Firewalld OOTB, however some tasks require customizing the configuration of NetworkManager due to overlapping functionality:
NetworkManager shared and port forwarding/routing - #3 by vgaetera

Ok, for those who don’t use firewalld ever since the moment you install Fedora, like ever ever ever, I used RedHat’s docs to test this hotspot’s nftables NAT rule (6.8. Debugging nftables rules Red Hat Enterprise Linux 7 | Red Hat Customer Portal). The nftables hotspot NAT rule does work, the counters show it functions. Notably, nftables.service is inactive during this, which I guess means it is just used to load the ruleset.

In addition, I think I discovered a security vulnerability. When Gnome sets up its wifi hotspot it obviously launches dnsmasq. /etc/dnsmasq.conf shows that you must turn off the TFTP server bundled with the dnsmasq because it’s on by default. Like, who knew you’d be running a TFTP server when you just wanted a Wifi hotspot?

The Wi-Fi Hotspot feature automatically creates the necessary firewall rules for traffic forwarding and masquerading, so adding custom rules is at least redundant if not detrimental.

TFTP related functionality in dnsmasq is disabled by default, even if you enable the Wi-Fi Hotspot.

Read /etc/dnsmasq.conf: it binds to the loopback interface by default, and it says you have to uncomment a line to “disable DHCP and TFTP” on that interface.

It looks like a misinterpretation.
Dnsmasq does not open the TFTP port by default.
You can easily verify this by checking the list of open sockets:

sudo ss -lnpAinet | grep -e dnsmasq
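
A scripted form of that socket check, added here as an example and not part of the reply above: it reads `ss -lnpAinet` output (live or saved), lists every dnsmasq listener, and returns non-zero if dnsmasq is serving TFTP (udp/69). The sample `ss` lines, the interface name and the PID are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit dnsmasq listeners from `ss -lnpAinet` output and flag TFTP.
# Live:    sudo ss -lnpAinet | dnsmasq_port_audit
# Offline: dnsmasq_port_audit < saved_ss_output.txt
# Exit status: 0 = no TFTP listener, 1 = dnsmasq is listening on udp/69.
dnsmasq_port_audit() {
    awk '
        /dnsmasq/ {
            # Field 5 is "Local Address:Port"; the port follows the last colon,
            # which also works for IPv6 sockets such as [::]:53.
            n = split($5, parts, ":")
            port = parts[n]
            printf "%s %s port %s\n", $1, $5, port
            if ($1 == "udp" && port == "69") tftp = 1
        }
        END { if (tftp) exit 1; exit 0 }
    '
}

# Constructed sample (not captured from a real system): DNS on the hotspot
# address plus DHCP, which is what a hotspot-only dnsmasq is expected to show.
sample_ok() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      10.42.0.1%wlp3s0:53 0.0.0.0:*         users:(("dnsmasq",pid=4242,fd=4))
udp   UNCONN 0      0      0.0.0.0%wlp3s0:67   0.0.0.0:*         users:(("dnsmasq",pid=4242,fd=6))
tcp   LISTEN 0      32     10.42.0.1%wlp3s0:53 0.0.0.0:*         users:(("dnsmasq",pid=4242,fd=5))
EOF
}

# Same constructed sample with a TFTP socket appended, i.e. what the check must catch.
sample_tftp() {
    sample_ok
    printf '%s\n' 'udp   UNCONN 0      0      10.42.0.1%wlp3s0:69 0.0.0.0:*         users:(("dnsmasq",pid=4242,fd=7))'
}

# Demo on the constructed samples.
echo "== expected clean =="
sample_ok | dnsmasq_port_audit
echo "== expected TFTP hit =="
sample_tftp | dnsmasq_port_audit || echo "TFTP listener found: check how dnsmasq was started"
```

On a live system, an empty listing means dnsmasq is not running at all (the hotspot is off), not that the check passed.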

I just compiled dnsmasq locally real quick without TFTP, which is so nice and quick thanks to Fedora’s fedpkg. Just for the sake of peace of mind. It looks like Gnome launches dnsmasq specifically ignoring any configuration file, so just better to not even have to worry about anything.

It also says:

# Enable dnsmasq's built-in TFTP server

Thank you.