CPANEL_INFO: Please note that Way to the Web Ltd. (the company behind ConfigServer) has announced it will close permanently on August 31, 2025. However, their free scripts will remain available under the GPLv3 license. For more details, see:
ConfigServer Services Announcement
Symptoms
On servers using AlmaLinux 9 and CloudLinux 9, attempting to start the nftables service fails with an error similar to the following, causing the stored firewall rules to not be loaded into the firewall:
CONFIG_TEXT: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
Cause
Some firewall rules are still added via the iptables command, and are converted to the new nftables format by scripts provided by the iptables-nft package that is installed on AlmaLinux 9. However, some of the rules that are generated by this script cannot be reloaded when stored in a configuration file.
We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-46555. Follow this article to receive an email notification when a solution is published in the product.
Resolution
The default cPanel Firewall Rules are not impacted by this issue, however, some features provided by cPanel such as the SMTP Restrictions, as well as other firewalls such as CSF and Imunify360, may result in these additional rules being added to the configuration. That said, all of these firewalls and services are able to restore their configuration when they restart, and thus do not need to be listed in the default NFTables configuration. As such, a minimal set of firewall rules can be stored in the NFTables configuration to allow the service to start successfully.
To regenerate a default NFTables configuration, please follow these steps.
- Stop the firewall service
# systemctl stop imunify360
- Move aside the current firewall rules:
# mv -v /etc/sysconfig/nftables.conf{,.bak}
- Flush the current firewall:
# nft flush ruleset
- Rebuild the default cPanel firewall configuration:
# /scripts/configure_firewall_for_cpanel
- Export the current firewall configuration to the default location:
# nft list ruleset > /etc/sysconfig/nftables.conf
- Restart the firewall service:
# systemctl restart imunify360
- Stop the firewall service
# csf -x
- Move aside the current firewall rules:
# mv -v /etc/sysconfig/nftables.conf{,.bak}
- Flush the current firewall:
# nft flush ruleset
- Rebuild the default cPanel firewall configuration:
# /scripts/configure_firewall_for_cpanel
- Export the current firewall configuration to the default location:
# nft list ruleset > /etc/sysconfig/nftables.conf
- Restart the firewall service:
# csf -e
- Move aside the current firewall rules:
# mv -v /etc/sysconfig/nftables.conf{,.bak}
- Flush the current firewall:
# nft flush ruleset
- Rebuild the default cPanel firewall configuration:
# /scripts/configure_firewall_for_cpanel
- Export the current firewall configuration to the default location:
# nft list ruleset > /etc/sysconfig/nftables.conf
CPANEL_WARN: For direct assistance with the above steps, and to ensure full compatibility with your server, it is recommended to discuss these steps with your System Administrator.
Comments
0 comments
Article is closed for comments.