You are not logged in.
- Topics: Active | Unanswered
#1 2017-03-20 09:35:07
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
[SOLVED] iptables.rules doesn't load (or gets overwritten)
Hi,
I have /etc/iptables/iptables.rules with desired rules. iptables.service is enabled and runs at boot.
$ systemctl status iptables.service
● iptables.service - Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Mon 2017-03-20 10:22:23 CET; 5min ago
Process: 1997 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
Main PID: 1997 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
Memory: 0B
CPU: 0
CGroup: /system.slice/iptables.serviceHowever, rules are missing (mainly FORWARD chain has DROP, while /etc/iptables/iptables.rules specifies ACCEPT). If I run iptables-restore < /etc/iptables/iptables.rules, everything is ok. How do I debug this?
Thanks
Last edited by predmijat (2017-08-20 20:41:34)
Offline
#2 2017-03-23 13:03:51
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
What are the permissions of /etc/iptables and its contents?
Offline
#3 2017-03-28 10:10:29
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
drwxr-xr-x 2 root root 4.0K Mar 26 20:47 iptablesfor iptables directory and
-rw-r--r-- 1 root root 868 Mar 26 20:43 iptables.rulesfor iptables.rules file
Offline
#4 2017-03-28 10:25:40
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Hmm - trying to help you with this I've discovered I also have an issue with iptables. For me the service fails to start on boot, but starts with no problem when I start it myself immediately after.
Could you try rebooting, and then posting the output of "journalctl -u iptables -b"?
Offline
#5 2017-03-28 10:28:25
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
... systemd[1]: Starting Packet Filtering Framework...
... systemd[1]: Started Packet Filtering Framework.service works for me - I have OPENVPN chain which gets loaded, it's just that FORWARD has DROP instead of what's in iptables.rules (ACCEPT). I don't know why that happens...
Offline
#6 2017-03-28 10:29:43
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Could you post your whole iptables.rules?
Offline
#7 2017-03-28 10:30:14
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Our problems must be unrelated and it is a coincidence I've noticed this now on my machine.
Offline
#8 2017-03-28 10:32:16
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Could you post your whole iptables.rules?
It has a bunch of ACCEPTs and a OPENVPN chain, nothing special
Offline
#9 2017-03-28 10:34:34
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Maybe not, but if you want to find out what is happening it would help if you provided full information 
.
Offline
#10 2017-03-28 11:44:36
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017
# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017
# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017I thought that it had something to do with libvirtd (which does inject firewall rules of its own), but after disabling libvirtd.service, FORWARD still gets DROP after a reboot...
Offline
#11 2017-06-27 13:19:01
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Didn't reboot in a while, so I forgot about this 
Update: it happens when I lose Internet connection too - after I get Internet, FORWARD in iptables has DROP policy. I fix it with "sudo iptables --policy FORWARD ACCEPT", but since connection is bad these days, I have to do it a lot
What controls this? I tried to do a "grep -i drop -r *" in /etc, but that didn't produce anything useful...
Offline
#12 2017-06-28 21:08:17
- parchd
- Member
- Registered: 2014-03-08
- Posts: 421
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
I'm glad you said something. I rebooted yesterday and forgot about it too!
Edit: this wasn't the thread I thought it was, but thanks for reminding me about something else.
Last edited by parchd (2017-06-30 19:56:27)
Offline
#13 2017-08-20 07:41:26
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
This is still happening, and I'm not able to figure out what causes it. If someone could take a look at previous posts and throw in some suggestions, that'd be great
Offline
#14 2017-08-20 14:08:34
- Lone_Wolf
- Administrator
- From: Netherlands, Europe
- Registered: 2005-10-04
- Posts: 13,347
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Both mangle and filter show a FORWARD ACCEPT , which one is set to DROP upon reboot ?
It might help to know which rules are set outside of iptables.service.
Temporarily disable iptables.service , reboot and post iptables-save .
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Online
#15 2017-08-20 19:26:33
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
FORWARD gets set to DROP.
systemctl disable iptables.service
reboot
iptables-save > ipt
cat ipt
----
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*mangle
:PREROUTING ACCEPT [448378:261140467]
:INPUT ACCEPT [446606:260754475]
:FORWARD ACCEPT [2373:484822]
:OUTPUT ACCEPT [164798:451339612]
:POSTROUTING ACCEPT [165803:451654285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Aug 20 21:21:00 2017
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*nat
:PREROUTING ACCEPT [997:89727]
:INPUT ACCEPT [127:9418]
:OUTPUT ACCEPT [2640:174101]
:POSTROUTING ACCEPT [2659:174975]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7d49e9dafa0b -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-7d49e9dafa0b -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3734 -j DNAT --to-destination 172.17.0.2:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 44822 -j DNAT --to-destination 172.17.0.3:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 47778 -j DNAT --to-destination 172.17.0.4:22
-A DOCKER ! -i br-7d49e9dafa0b -p tcp -m tcp --dport 6443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i br-7d49e9dafa0b -p tcp -m tcp --dport 6680 -j DNAT --to-destination 172.18.0.2:80
COMMIT
# Completed on Sun Aug 20 21:21:00 2017
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*filter
:INPUT ACCEPT [446606:260754475]
:FORWARD DROP [1444:177521] <---- have no idea why is this happening. Did a "grep DROP -r *" in /etc, nothing came up.
:OUTPUT ACCEPT [164798:451339612]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7d49e9dafa0b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7d49e9dafa0b -j DOCKER
-A FORWARD -i br-7d49e9dafa0b ! -o br-7d49e9dafa0b -j ACCEPT
-A FORWARD -i br-7d49e9dafa0b -o br-7d49e9dafa0b -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7d49e9dafa0b -o br-7d49e9dafa0b -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7d49e9dafa0b -o br-7d49e9dafa0b -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i br-7d49e9dafa0b -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-7d49e9dafa0b -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Aug 20 21:21:00 2017Offline
#16 2017-08-20 19:44:06
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Looks like Docker is changing the iptables rules.
Especially relevant: Docker should not update FORWARD chain on startup.
Edit: See Docker startup option: --iptables=false.
Last edited by brebs (2017-08-20 19:46:09)
Offline
#17 2017-08-20 20:41:20
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:
cat /etc/systemd/system/docker.service.d/override.conf
ExecStartPost=
ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPTrebooted, looking good for now.
Thanks!
Offline
#18 2018-06-15 11:05:43
- amosbird
- Member
- Registered: 2018-06-15
- Posts: 1
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:
cat /etc/systemd/system/docker.service.d/override.conf ExecStartPost= ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPTrebooted, looking good for now.
Thanks!
Hmm, that doesn't work. Docker still overrides the FORWARD policy. 'systemctl status docker' shows that the override.conf is loaded successfully.
Offline
#19 2018-06-15 12:04:45
- predmijat
- Member
- Registered: 2014-09-30
- Posts: 39
Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)
predmijat wrote:Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:
cat /etc/systemd/system/docker.service.d/override.conf ExecStartPost= ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPTrebooted, looking good for now.
Thanks!
Hmm, that doesn't work. Docker still overrides the FORWARD policy. 'systemctl status docker' shows that the override.conf is loaded successfully.
Are you sure that it's Docker that overrides it? After adding
ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPTin "/etc/systemd/system/docker.service.d/override.conf" I didn't have this problem.
Offline