Lost access to server after installing nftables

Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

There are other jails: sudo fail2ban-client status

To see if your IP is banned by one of them: sudo fail2ban-client status <jail name>

but I have little hope.

What is the output of

yunohost firewall list

Can you try yunohost tools regen-conf --dry-run --with-diff ?

tcp:

  • 22
  • 25
  • 53
  • 80
  • 443
  • 587
  • 993
  • 1935
  • 5222
  • 5269
  • 22000

Info: The configuration file ‘/etc/cron.daily/node_update’ is expected to be deleted by regen-conf (category yunohost) but was kept back.
Warning: The configuration file ‘/etc/systemd/system/ntp.service.d/ynh-override.conf’ has been manually modified and will not be updated
Warning: The configuration file ‘/etc/apt/sources.list.d/extra_php_version.list’ has been manually modified and will not be updated
Info: The configuration file ‘/etc/apt/sources.list.d/yarn.list’ was removed manually, and will not be created
Success! The configuration would have been updated for category ‘dnsmasq’
apt:
applied:
pending:
/etc/apt/sources.list.d/extra_php_version.list:
diff: @@ -1 +1 @@
-deb Index of /php/ bookworm main
+deb [signed-by=/etc/apt/trusted.gpg.d/extra_php_version.gpg] Index of /php/ bookworm main
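Review bot: the live line lacks the `signed-by=` option that the regenerated line adds, so apt currently accepts packages from this repository signed by any key in its trusted keyrings instead of only /etc/apt/trusted.gpg.d/extra_php_version.gpg; because the file is reported as manually modified, this stricter line is held back in the dry run and only lands with --force.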
status: modified
/etc/apt/sources.list.d/yarn.list:
diff: @@ -0,0 +1 @@
+deb [signed-by=/etc/apt/trusted.gpg.d/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main
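Review bot: this file was removed by hand, so the dry run leaves it absent; if the yarn repository is still wanted, the recreated line is the safer form because it pins the repository to its own key with `signed-by=`, and --force will bring it back in that form.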
status: removed
dnsmasq:
applied:
/etc/resolv.dnsmasq.conf:
diff: @@ -1,13 +1,13 @@
+nameserver 45.67.81.23
+nameserver 2a0c:e300::100
nameserver 2a0c:e300::101
-nameserver 194.150.168.168
+nameserver 89.234.141.66
+nameserver 194.0.5.3
nameserver 2a0c:e300::1337
nameserver 2a00:5881:8100:1000::3
-nameserver 89.234.141.66
+nameserver 2001:1608:10:25::1c04:b12f
+nameserver 185.233.100.101
+nameserver 2001:678:8::3
nameserver 2001:1608:10:25::9249:d69b
-nameserver 185.233.100.101
-nameserver 45.67.81.23
-nameserver 2001:678:8::3
-nameserver 2a0c:e300::100
nameserver 185.233.100.100
-nameserver 2001:1608:10:25::1c04:b12f
-nameserver 194.0.5.3
+nameserver 194.150.168.168
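Review bot: every nameserver removed in this hunk is added back elsewhere in it, so the set of resolvers is unchanged and only their order differs; nothing here can explain the lost access.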
status: updated
pending:
yunohost:
applied:
pending:
/etc/cron.daily/node_update:
diff: @@ -1,3 +0,0 @@
-#!/bin/bash

-/opt/node_n/node_update.sh >> /opt/node_n/node_update.log
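Review bot: the file is reported as unmanaged, so regen-conf treats it as leftover and --force will delete it; confirm that the daily run of /opt/node_n/node_update.sh is no longer needed before forcing.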
status: unmanaged
/etc/systemd/system/ntp.service.d/ynh-override.conf:
diff: @@ -1,3 +0,0 @@
-[Unit]
-ConditionCapability=CAP_SYS_TIME
-ConditionVirtualization=!container
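Review bot: the drop-in being removed only adds Condition* lines, which make systemd skip ntp.service silently when it lacks CAP_SYS_TIME or runs in a container; after removal the unit is started unconditionally in those environments and will fail rather than be skipped, which is harmless on a plain VPS but worth knowing when reading the diagnosis.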
status: modified

Everything is working, just want to make sure it's all secure (as it can be)…?

OK, nothing related to nftables but you might run yunohost tools regen-conf --force to fix them.

Try stopping nftables temporarily and retry connecting to your server. If it works, then we’ll need to refresh the nftables config; if not, then it’s not nftables’ fault.

Success! Configuration updated for ‘yunohost’
Success! Configuration updated for ‘apt’
Success! Configuration updated for ‘dnsmasq’
apt:
applied:
/etc/apt/sources.list.d/extra_php_version.list:
status: force-updated
/etc/apt/sources.list.d/yarn.list:
status: force-created
pending:
dnsmasq:
applied:
/etc/dnsmasq.d/spamhaus:
status: updated
/etc/resolv.dnsmasq.conf:
status: updated
pending:
yunohost:
applied:
/etc/cron.daily/node_update:
status: force-removed
/etc/systemd/system/ntp.service.d/ynh-override.conf:
status: force-removed
pending:

It did work

:thinking:

:man_shrugging:

Is nftables running correctly?
Does the diagnosis report anything?

I don’t really know how to tell if it’s working properly or not. The diagnostics don’t show anything outside of the normal faults:

https://paste.yunohost.org/raw/weposulece


Thank you for this thread. Based on what I read I have published a new version of the app that makes sure the blocklist is also deleted in the firewall when the app is deleted (sorry for that oversight!) v2026.05.09~ynh3 should be available in a few hours in the catalog.

It is indeed quite possible the remote IP addresses you were using were listed in the blocklists. Is it possible for you to check that? You can get these IP addresses by opening http://ipv4.yunohost.org and http://ipv6.yunohost.org. If you are not comfortable sharing them here, you may send me a DM. I will check they are not in the default blocklists.

(However, I have no idea why fail2ban crashed or was shut down…)

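The check suggested above, as an added example that is not part of this thread or of the blocklist app: it parses the interval members out of `nft list set` output and reports whether each of your own addresses falls inside one. The table and set names, and the sample output, are constructed for the example; run it on a real box with `nft list set <table> <set> | python3 check_blocklist.py <your-ipv4> <your-ipv6>`.

```python
import ipaddress
import re

# Constructed sample of `nft list set` output. The table/set names are an
# assumption, not the blocklist app's real names; addresses are RFC 5737 ranges.
SAMPLE_NFT_SET = """\
table inet blocklist {
	set blocklist_v4 {
		type ipv4_addr
		flags interval
		elements = { 192.0.2.0/24, 198.51.100.7,
			     203.0.113.8-203.0.113.15 }
	}
}
"""

def parse_nft_elements(text):
    """Return every member of each 'elements = { ... }' block as a
    (first, last) pair of ip_address objects. nft prints interval sets as
    CIDR prefixes, 'a-b' ranges or single addresses; all three are handled."""
    members = []
    for block in re.findall(r"elements\s*=\s*\{([^}]*)\}", text):
        for item in block.replace("\n", " ").split(","):
            item = item.strip()
            if not item:
                continue
            if "-" in item:  # explicit range; IPv6 uses ':' so '-' is unambiguous
                lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            else:            # CIDR prefix or single address (a /32 or /128)
                net = ipaddress.ip_network(item, strict=False)
                lo, hi = net[0], net[-1]
            members.append((lo, hi))
    return members

def blocked_by(ip, members):
    """Return the (first, last) interval that covers ip, or None if not listed."""
    addr = ipaddress.ip_address(ip)
    for lo, hi in members:
        if lo.version == addr.version and lo <= addr <= hi:
            return (str(lo), str(hi))
    return None

def check_my_addresses(ips, nft_output=SAMPLE_NFT_SET):
    """Map each address to the covering interval (or None)."""
    members = parse_nft_elements(nft_output)
    return {ip: blocked_by(ip, members) for ip in ips}

if __name__ == "__main__":
    import sys
    text = SAMPLE_NFT_SET if sys.stdin.isatty() else sys.stdin.read()
    for ip, hit in check_my_addresses(sys.argv[1:] or ["192.0.2.77"], text).items():
        print(ip, "BLOCKED by %s-%s" % hit if hit else "not listed")
```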

Hi @tituspijean

I guess this is an effect of the override (afaiu)?

● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; preset: enabled)
    Drop-In: /etc/systemd/system/fail2ban.service.d
             └─systemd-override-bind-nftables.conf

Systemd doc says PartOf is limited to stopping and restarting units; the comment in systemd-override-bind-nftables.conf says

# This override config restarts and reloads fail2ban when nftables is started/reloaded

(…but should be when nftables is restarted/reloaded, right?)

So systemctl stop nftables stops fail2ban but systemctl start nftables doesn’t start fail2ban.

Can you help me refresh the nftables config?

This should have been taken care of by regen-conf, but you can still run:

# Load the ruleset from the config file
nft -f /etc/nftables.conf
# This will list all the rules
nft list ruleset
# Reload nftables
systemctl reload nftables