ESET Online Help

Search English
Select the topic

Web access protection and iptables

Issue

Web access protection uses nftables to redirect outgoing connections to our scanner, where we scan HTTP traffic.

Some customers observed an issue when WAP interferes with their iptables NAT rules on distributions with kernel earlier than 4.18, for example, CentOS 7. This issue occurs due to a bug in older Linux kernels that do not support concurrent NAT rules in both iptables and nftables. See the NAT incompabilities.


note

Centos 7 will reach End of Life in June 2024.


important

Installing ESET Server Security for Linux on outdated RHEL/CentOS 7 minor releases might lead to complete loss of network connectivity , requiring a computer restart or manual removal of nftables rules.

Workaround 1

Use Linux distribution with kernel 4.18 and later, for example, Rocky Linux 8.

Workaround 2

Transform iptables rules to nftables. See the moving from iptables to nftables article. To ensure that your NAT output chain is applied first for outgoing connections, it is recommended to use a priority number lower than or equal to "-102", as the WAP output NAT chain has a priority of "-101".

 

If none of the workaround is possible, you have to disable web access protection to let iptables NAT working (not recommended).