You are not logged in.

Pages: 1

#1 2017-03-20 09:35:07

predmijat
Member
Registered: 2014-09-30
Posts: 39

[SOLVED] iptables.rules doesn't load (or gets overwritten)

Hi,

I have /etc/iptables/iptables.rules with desired rules. iptables.service is enabled and runs at boot.

$ systemctl status iptables.service
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2017-03-20 10:22:23 CET; 5min ago
  Process: 1997 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
 Main PID: 1997 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/iptables.service

However, rules are missing (mainly FORWARD chain has DROP, while /etc/iptables/iptables.rules specifies ACCEPT). If I run iptables-restore < /etc/iptables/iptables.rules, everything is ok. How do I debug this?

Thanks

Last edited by predmijat (2017-08-20 20:41:34)

Offline

#2 2017-03-23 13:03:51

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

What are the permissions of /etc/iptables and its contents?

Offline

#3 2017-03-28 10:10:29

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

drwxr-xr-x   2 root root   4.0K Mar 26 20:47 iptables

for iptables directory and

-rw-r--r--   1 root root  868 Mar 26 20:43  iptables.rules

for iptables.rules file

Offline

#4 2017-03-28 10:25:40

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Hmm - trying to help you with this I've discovered I also have an issue with iptables. For me the service fails to start on boot, but starts with no problem when I start it myself immediately after.
Could you try rebooting, and then posting the output of "journalctl -u iptables -b"?

Offline

#5 2017-03-28 10:28:25

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

... systemd[1]: Starting Packet Filtering Framework...
... systemd[1]: Started Packet Filtering Framework.

service works for me - I have OPENVPN chain which gets loaded, it's just that FORWARD has DROP instead of what's in iptables.rules (ACCEPT). I don't know why that happens...

Offline

#6 2017-03-28 10:29:43

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Could you post your whole iptables.rules?

Offline

#7 2017-03-28 10:30:14

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Our problems must be unrelated and it is a coincidence I've noticed this now on my machine.

Offline

#8 2017-03-28 10:32:16

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

parchd wrote:

Could you post your whole iptables.rules?

It has a bunch of ACCEPTs and a OPENVPN chain, nothing special

Offline

#9 2017-03-28 10:34:34

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Maybe not, but if you want to find out what is happening it would help if you provided full information wink.

Offline

#10 2017-03-28 11:44:36

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017
# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017
# Generated by iptables-save v1.6.0 on Mon Mar 20 21:27:43 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 20 21:27:43 2017

I thought that it had something to do with libvirtd (which does inject firewall rules of its own), but after disabling libvirtd.service, FORWARD still gets DROP after a reboot...

Offline

#11 2017-06-27 13:19:01

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Didn't reboot in a while, so I forgot about this smile

Update: it happens when I lose Internet connection too - after I get Internet, FORWARD in iptables has DROP policy. I fix it with "sudo iptables --policy FORWARD ACCEPT", but since connection is bad these days, I have to do it a lot smile

What controls this? I tried to do a "grep -i drop -r *" in /etc, but that didn't produce anything useful...

Offline

#12 2017-06-28 21:08:17

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

I'm glad you said something. I rebooted yesterday and forgot about it too!

Edit: this wasn't the thread I thought it was, but thanks for reminding me about something else.

Last edited by parchd (2017-06-30 19:56:27)

Offline

#13 2017-08-20 07:41:26

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

This is still happening, and I'm not able to figure out what causes it. If someone could take a look at previous posts and throw in some suggestions, that'd be great smile

Offline

#14 2017-08-20 14:08:34

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Both mangle and filter show a FORWARD ACCEPT , which one is set to DROP upon reboot ?

It might help to know which rules are set outside of iptables.service.
Temporarily disable  iptables.service , reboot and post iptables-save .

Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Online

#15 2017-08-20 19:26:33

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

FORWARD gets set to DROP.

systemctl disable iptables.service
reboot
iptables-save > ipt
cat ipt
----
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*mangle
:PREROUTING ACCEPT [448378:261140467]
:INPUT ACCEPT [446606:260754475]
:FORWARD ACCEPT [2373:484822]
:OUTPUT ACCEPT [164798:451339612]
:POSTROUTING ACCEPT [165803:451654285]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Aug 20 21:21:00 2017
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*nat
:PREROUTING ACCEPT [997:89727]
:INPUT ACCEPT [127:9418]
:OUTPUT ACCEPT [2640:174101]
:POSTROUTING ACCEPT [2659:174975]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.18.0.0/16 ! -o br-7d49e9dafa0b -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5000 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.18.0.2/32 -d 172.18.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-7d49e9dafa0b -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 3734 -j DNAT --to-destination 172.17.0.2:5000
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8085 -j DNAT --to-destination 172.17.0.3:80
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 44822 -j DNAT --to-destination 172.17.0.3:22
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 47778 -j DNAT --to-destination 172.17.0.4:22
-A DOCKER ! -i br-7d49e9dafa0b -p tcp -m tcp --dport 6443 -j DNAT --to-destination 172.18.0.2:443
-A DOCKER ! -i br-7d49e9dafa0b -p tcp -m tcp --dport 6680 -j DNAT --to-destination 172.18.0.2:80
COMMIT
# Completed on Sun Aug 20 21:21:00 2017
# Generated by iptables-save v1.6.1 on Sun Aug 20 21:21:00 2017
*filter
:INPUT ACCEPT [446606:260754475]
:FORWARD DROP [1444:177521]   <---- have no idea why is this happening. Did a "grep DROP -r *" in /etc, nothing came up.
:OUTPUT ACCEPT [164798:451339612]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-7d49e9dafa0b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-7d49e9dafa0b -j DOCKER
-A FORWARD -i br-7d49e9dafa0b ! -o br-7d49e9dafa0b -j ACCEPT
-A FORWARD -i br-7d49e9dafa0b -o br-7d49e9dafa0b -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7d49e9dafa0b -o br-7d49e9dafa0b -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.18.0.2/32 ! -i br-7d49e9dafa0b -o br-7d49e9dafa0b -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -i br-7d49e9dafa0b -o docker0 -j DROP
-A DOCKER-ISOLATION -i docker0 -o br-7d49e9dafa0b -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Aug 20 21:21:00 2017

Offline

#16 2017-08-20 19:44:06

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Looks like Docker is changing the iptables rules.

Especially relevant: Docker should not update FORWARD chain on startup.

Edit: See Docker startup option: --iptables=false.

Last edited by brebs (2017-08-20 19:46:09)

Offline

#17 2017-08-20 20:41:20

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:

cat /etc/systemd/system/docker.service.d/override.conf

ExecStartPost=
ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPT

rebooted, looking good for now.

Thanks!

Offline

#18 2018-06-15 11:05:43

amosbird
Member
Registered: 2018-06-15
Posts: 1

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

predmijat wrote:

Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:

cat /etc/systemd/system/docker.service.d/override.conf

ExecStartPost=
ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPT

rebooted, looking good for now.

Thanks!


Hmm, that doesn't work. Docker still overrides the FORWARD policy. 'systemctl status docker' shows that the override.conf is loaded successfully.

Offline

#19 2018-06-15 12:04:45

predmijat
Member
Registered: 2014-09-30
Posts: 39

Re: [SOLVED] iptables.rules doesn't load (or gets overwritten)

amosbird wrote:
predmijat wrote:

Ah...nice catch. I think I don't want to prevent Docker from using iptables, I just needed it not to touch FORWARD policy. Found somewhere that they will add a startup option for setting the policy, but until then:

cat /etc/systemd/system/docker.service.d/override.conf

ExecStartPost=
ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPT

rebooted, looking good for now.

Thanks!


Hmm, that doesn't work. Docker still overrides the FORWARD policy. 'systemctl status docker' shows that the override.conf is loaded successfully.

Are you sure that it's Docker that overrides it? After adding 

ExecStartPost=/usr/bin/iptables --policy FORWARD ACCEPT

in "/etc/systemd/system/docker.service.d/override.conf" I didn't have this problem.

Offline

Pages: 1

Board footer

Powered by FluxBB