Migrate firewall to use direct nftables rules (currently using iptable-legacy) #2117

@JedMeister

Description

iptables has been removed from Debian for some time now and it has been replaced by nftables. iptables-legacy is still provided (which translates legacy iptables conf/commands to nftables) so our legacy firewall config still "just works" because we use the alternatives system to point the iptables command to iptables-legacy. The rationale for not migrating sooner was that Webmin has only provided support for iptables until relatively recently - it now supports nftables via a new webmin-nftables module.

So we should migrate our config to the new standard as I imagine that at some point iptables-legacy will disappear. And even before then it seems likely that new TurnKey users used to modern Linux are using nftables and may not expect our legacy config - potentially causing confusion.

OTTOMH the config that will need to change is:

  • Replace webmin-iptables package with webmin-nftables (common plan)
  • Update Webmin firewall conf (common webmin conf script)
  • Update the TKL init-fence to use nftables when setting redirect rules
  • Update fail2ban config (in common and perhaps in some specific appliance build code too?)
  • VPN appliance firewall config - OpenVPN/Wireguard (not sure whether in common or specific appliance build code)
  • Perhaps other bits elsewhere?

I have pinned this to the 19.1 milestone for now, but assuming that the current functionality remains relevant and functional for the lifetime of 19.x (can't imagine why it won't), it may get pushed back to 20.0.
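To make the "init-fence redirect rules" and "fail2ban config" items above concrete, here is an added example (not TurnKey's own code, and not the form the issue's migration will necessarily take) of what the two legacy iptables patterns look like as direct nftables rulesets. The table names `tkl_fence` and `tkl_filter`, the set name `banned`, the ports 80/8080 and the address 203.0.113.7 are placeholders chosen for the example, and the legacy rule quoted in the comment is the generic iptables REDIRECT form, not a copy of the fence's actual command. For a mechanical one-off conversion of existing rules, `iptables-translate` (shipped with the iptables-nft package) prints the nft equivalent of an iptables command line; this script instead shows the resulting rulesets as files, which is how they would be loaded with `nft -f`.

```shell
#!/bin/sh
# Added example: nftables equivalents of two iptables-legacy patterns named in
# the issue. Names, ports and the banned address are placeholders.
set -eu

# 1. Init-fence style port redirect.
# Legacy form (generic iptables REDIRECT, assumed, not the fence's exact line):
#   iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
# nftables needs an explicit nat table/chain with a prerouting hook; -100 is the
# conventional dstnat priority so the redirect runs before filtering.
init_fence_ruleset() {
    dport="$1"; to="$2"
    cat <<EOF
table ip tkl_fence {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport $dport redirect to :$to
    }
}
EOF
}

# 2. fail2ban-style ban: instead of inserting one DROP rule per address
# (iptables -I INPUT -s <addr> -j DROP), keep a single rule that matches a
# named set; bans are then set elements with their own timeout.
ban_ruleset() {
    cat <<'EOF'
table inet tkl_filter {
    set banned {
        type ipv4_addr
        flags timeout
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @banned drop
    }
}
EOF
}

# Command a ban action would run to add one address for a given duration.
ban_cmd() {
    addr="$1"; duration="$2"
    printf "nft add element inet tkl_filter banned '{ %s timeout %s }'\n" "$addr" "$duration"
}

# Dry-run syntax check of a ruleset read on stdin. nft -c validates without
# applying; it may still require root for the netlink round-trip.
check_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
    tmp=$(mktemp)
    cat >"$tmp"
    if nft -c -f "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Stand-alone usage: print both rulesets, the ban command, and check syntax.
init_fence_ruleset 80 8080
ban_ruleset
ban_cmd 203.0.113.7 10m
init_fence_ruleset 80 8080 | check_ruleset
ban_ruleset | check_ruleset
```

The point of the set-based ban table is the one fail2ban's migration hinges on: with iptables-legacy each ban is a separate rule, so "unban" means finding and deleting that rule, whereas with nftables the rule is static and bans expire on their own via the element timeout.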
