7.2. Troubleshooting iptables

K3s, the Kubernetes environment recommended for the LOCKSS system, does not currently work with iptables version 1.8.0 or later in nf_tables mode via Alternatives, for instance in some Debian or Ubuntu systems 1. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt 2:

Switch iptables to legacy mode via Alternatives?

Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).


If you opt out of the proposed remediation, K3s may malfunction.

The remediation attempted by configure-firewall is equivalent to:

# Needed if ufw is installed and active
ufw disable

# Required
update-alternatives --set iptables /usr/sbin/iptables-legacy

# Required
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# Optional
update-alternatives --set arptables /usr/sbin/arptables-legacy

# Optional
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

# Required
iptables --flush

# Needed if ufw is installed and was active
ufw enable


If your system did not initially need an adjustment for iptables at the time K3s was installed, but later does (for example because iptables is upgraded from a pre-1.8.0 version to version 1.8.0 or later), re-run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo 3:






See Installing K3s.


See Running Commands as a Privileged User.