~alpine/devel

Preferred firewall

W. Michael Petullo <mike@flyn.org>
Message ID: <aVhxrpww1wvEmBWB@imp.flyn.org>

I maintain an application on Alpine, and I have become a little confused
about the distribution's preferred firewall stack. Until now, I have
used awall. Recently, I found that my approach had to change slightly,
because Alpine 3.23 does not by default provide the ip_tables module:

# modprobe ip_tables
modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.18.2-0-virt

Awall still seems to work due to the presence of x_tables, but this led
me to do some research that left me uncertain. Here are the questions I
am left with after reading several pieces of documentation:

It seems x_tables is old (e.g., https://lwn.net/Articles/155118/). Did
something change recently in Alpine to remove ip_tables (the kernel
module)?

Is it true that awall is tied to iptables (the utility)?

Does this mean that awall does not make use of nftables (the kernel
module)?

Which is preferred, awall or nftables?

Alpine's documentation still instructs to modprobe ip_tables
(https://wiki.alpinelinux.org/wiki/How-To_Alpine_Wall). Is this
now incorrect?

I am presently building Alpine installs using
https://dl-cdn.alpinelinux.org/alpine/v3.23/releases/x86_64/alpine-virt-3.23.0-x86_64.iso.

-- 
Mike

:wq
Dominique Martinet <asmadeus@codewreck.org>
Message ID: <aVigNx0R5idi1JkJ@codewreck.org>
In-Reply-To: <aVhxrpww1wvEmBWB@imp.flyn.org>

W. Michael Petullo wrote on Fri, Jan 02, 2026 at 07:32:30PM -0600:
> I maintain an application on Alpine, and I have become a little confused
> about the distribution's preferred firewall stack. Until now, I have
> used awall. Recently, I found that my approach had to change slightly,
> because Alpine 3.23 does not by default provide the ip_tables module:

FWIW Alpine 3.19 changed the default iptables package from
iptables-legacy to iptables-nft, so iptables commands (and thus, as far
as I understand, awall as well, although I didn't check) should not use
the ip_tables module, but nftables.

If you still pull in iptables-legacy, try using iptables-nft from the
iptables package.

-- 
Dominique Martinet | Asmadeus

Message ID: <243FD51C-A546-40E2-AED2-235618F48D5B@whitelist.co.in>
In-Reply-To: <aVhxrpww1wvEmBWB@imp.flyn.org>

In my view, due to Maya (Illusion, better known as AI), it is impossible to classify bad packets from good ones. Text Maya is already solved and Alpine should add good packages for Maya, like torch7 and cutorch.

LLMs program so well that programming LLMs like Qwen, specialized for a certain language are very important.

We at Whitelist Tech, therefore say, whitelisting is the future, i.e., whitelist certain IPs, using nftables.


On 3 January 2026 7:02:30 am IST, "W. Michael Petullo" <mike@flyn.org> wrote:
>I maintain an application on Alpine, and I have become a little confused
>about the distribution's preferred firewall stack. Until now, I have
>used awall. Recently, I found that my approach had to change slightly,
>because Alpine 3.23 does not by default provide the ip_tables module:
>
># modprobe ip_tables
>modprobe: FATAL: Module ip_tables not found in directory /lib/modules/6.18.2-0-virt
>
>Awall still seems to work due to the presence of x_tables, but this led
>me to do some research that left me uncertain. Here are the questions I
>am left with after reading several pieces of documentation:
>
>It seems x_tables is old (e.g., https://lwn.net/Articles/155118/). Did
>something change recently in Alpine to remove ip_tables (the kernel
>module)?
>
>Is it true that awall is tied to iptables (the utility)?
>
>Does this mean that awall does not make use of nftables (the kernel
>module)?
>
>Which is preferred, awall or nftables?
>
>Alpine's documentation still instructs to modprobe ip_tables
>(https://wiki.alpinelinux.org/wiki/How-To_Alpine_Wall). Is this
>now incorrect?
>
>I am presently building Alpine installs using
>https://dl-cdn.alpinelinux.org/alpine/v3.23/releases/x86_64/alpine-virt-3.23.0-x86_64.iso.
>

===============
Thanking you
Sagar Acharya
https://whitelist.co.in
Kaarle Ritvanen <kunkku@alpinelinux.org>
Message ID: <7f95fffb-67ed-2ea8-95e0-e4794363bed9@alpinelinux.org>
In-Reply-To: <aVhxrpww1wvEmBWB@imp.flyn.org>

On Fri, 2 Jan 2026, W. Michael Petullo wrote:

> It seems x_tables is old (e.g., https://lwn.net/Articles/155118/). Did 
> something change recently in Alpine to remove ip_tables (the kernel 
> module)?

Recent kernels do not enable the ip_tables module by default, and it is 
not enabled in all Alpine kernels (e.g. x86_64).

> Is it true that awall is tied to iptables (the utility)?
> 
> Does this mean that awall does not make use of nftables (the kernel 
> module)?

awall requires iptables but works with both backends (nftables and 
legacy). It does not interact with nftables directly.

> Which is preferred, awall or nftables?

You may use whichever you want. An increasing number of packages ship with 
nftables rule files.

> Alpine's documentation still instructs to modprobe ip_tables 
> (https://wiki.alpinelinux.org/wiki/How-To_Alpine_Wall). Is this now 
> incorrect?

Yes, the page should be updated. Regardless of the iptables backend, there 
is no need to run 'modprobe'. You can use these commands instead for the 
initial setup:

awall translate         # update /etc/iptables
service iptables start  # load modules and rules for IPv4
service ip6tables start # load modules and rules for IPv6

There is also an easier method: 'awall activate' has special handling for 
the first run (when firewall is not yet enabled in the kernel). It 
performs the above steps and also updates the default runlevel and files 
in /etc/conf.d.

BR,
Kaarle
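
An added example, not part of any message in this thread: a POSIX shell check that classifies the iptables backend discussed in the replies above from the `iptables -V` string, which carries a `(nf_tables)` or `(legacy)` tag on iptables 1.8 and later. The function names, the `--live` switch and the sample version strings used to exercise it are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide from `iptables -V` / `ip6tables -V` output whether the
# userspace tool talks to nftables or to the legacy ip_tables kernel module.

# iptables_backend VERSION_STRING -> prints nft | legacy | unknown
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        # Builds older than 1.8 print no backend tag and only speak legacy.
        ip*tables\ v*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# needs_ip_tables_module BACKEND -> exit status 0 if the legacy module is needed
needs_ip_tables_module() {
    [ "$1" = legacy ]
}

# advise VERSION_STRING -> one-line recommendation based on the thread's answers
advise() {
    backend=$(iptables_backend "$1")
    case "$backend" in
        nft)    echo "nft: no modprobe ip_tables needed; run 'awall activate'" ;;
        legacy) echo "legacy: depends on the ip_tables module; use iptables-nft" ;;
        *)      echo "unknown: could not parse version string" ;;
    esac
}

# Query the installed tools only when asked to, so the functions above can be
# sourced and exercised without iptables being present.
if [ "${1:-}" = "--live" ]; then
    for cmd in iptables ip6tables; do
        if command -v "$cmd" >/dev/null 2>&1; then
            printf '%s: %s\n' "$cmd" "$(advise "$("$cmd" -V 2>/dev/null)")"
        else
            printf '%s: not installed\n' "$cmd"
        fi
    done
fi
```

Saved as a script and run with `--live` on an Alpine host, it reports the backend for both the IPv4 and IPv6 tools.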