Rules added via iptc - not found in iptables o/p

[renukamanavalan]

1) Created a rule via iptc.easy.insert_rule 2) Could see it in iptc.easy.dump_table 3) Did table.commit() 3) exit the python interpreter 4) Look in "sudo iptables -t nat -L" and unable to find this entry.

Any tips on, what I am missing please?

admin@str-s6000-acs-9:~/files$ sudo python3           
Python 3.7.3 (default, Jan 22 2021, 20:04:44) 
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import iptc
>>> table = iptc.Table("nat")
>>> chain = iptc.Chain(table, "OUTPUT")
>>> rule = {"dst": "172.16.1.1", "protocol": "tcp", "tcp": {"dport": 3128}, "target": {"DNAT": {"to-destination": "100.127.20.21:8080" }}}
>>> iptc.easy.insert_rule("nat", "OUTPUT", rule)
>>> iptc.easy.dump_table('nat', ipv6=False)
{'PREROUTING': [], 'INPUT': [], 'OUTPUT': [{'dst': '172.16.1.1/32', 'protocol': 'tcp', 'tcp': {}, 'target': {'DNAT': {'to-destination': '100.127.20.21:8080'}}, 'counters': (0, 0)}, {'dst': '172.16.1.1/32', 'protocol': 'tcp', 'tcp': {}, 'target': {'DNAT': {'to-destination': '100.127.20.21:8080'}}, 'counters': (0, 0)}], 'POSTROUTING': []}
>>> table.commit()
>>> quit()
admin@str-s6000-acs-9:~/files$ sudo iptables -t nat -L | grep 8080
# Warning: iptables-legacy tables present, use iptables-legacy to see them
admin@str-s6000-acs-9:~/files$ sudo iptables -t nat -L 
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
KUBE-POSTROUTING  all  --  anywhere             anywhere             /* kubernetes postrouting rules */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain KUBE-MARK-DROP (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x8000

Chain KUBE-MARK-MASQ (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x4000

Chain KUBE-POSTROUTING (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             mark match ! 0x4000/0x4000
MARK       all  --  anywhere             anywhere             MARK xor 0x4000
MASQUERADE  all  --  anywhere             anywhere             /* kubernetes service traffic requiring SNAT */ random-fully

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination         
# Warning: iptables-legacy tables present, use iptables-legacy to see them
admin@str-s6000-acs-9:~/files$ 

[renukamanavalan]

print(table.autocommit) True

Just verified. Auto-commit is indeed true.

[jllorente]

If your iptables package has been compiled with "nf_tables" support, then you need to use "iptables-legacy" command instead.

$ sudo iptables -V
iptables v1.8.2 (nf_tables)
$ sudo iptables-legacy -t nat -L

Please try again and let me know

[renukamanavalan]

Thanks a lot. It did work.

Is there a plan to upgrade this package to use nf_tables ?

As other components are using the nf_tables (new/current default), my component need to be in sync.

[ldx]

A related thread and comment here: https://github.com/ldx/python-iptables/issues/306#issuecomment-652541318

[renukamanavalan]

Thank you, Vilmos!