You are not logged in.

#1 2020-01-03 15:59:10

freshscaped
Member
From: West Yorkshire
Registered: 2015-08-29
Posts: 62

SOLVED iptables exits immediately upon load after new installation

Hi Folks,

Running Arch on server in a datacentre, reinstalled after problems too interwoven to unravel. Followed the Simple stateful firewall copied, pasted and saved the two instances as /etc/iptables/iptables.rules and ip6tables.rules, ip4 with the added port 22 line and ip6 with the added ipv6-icmp line thus:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp --dport 22 -j ACCEPT
COMMIT

and

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT

Ran systemctl enable iptables.service, systemctl enable ip6tables.service, systemctl start iptables.service, systemctl start ip6tables.service one after the other.

Immediately ran status on each, one at a time of course. Outcome surprising, exits instead of running. Searches don't reveal anything similar since 2013:

~]# systemctl status ip6tables
* ip6tables.service - IPv6 Packet Filtering Framework
     Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor>
     Active: active (exited) since Fri 2020-01-03 16:10:44 CET; 6min ago
    Process: 359 ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.r>
   Main PID: 359 (code=exited, status=0/SUCCESS)

Jan 03 16:10:44 sd-136208 systemd[1]: Starting IPv6 Packet Filtering Framework.>
Jan 03 16:10:44 sd-136208 systemd[1]: Started IPv6 Packet Filtering Framework.

and

~]# systemctl status iptables
* iptables.service - IPv4 Packet Filtering Framework
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor >
     Active: active (exited) since Fri 2020-01-03 16:10:44 CET; 7min ago
    Process: 353 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rul>
   Main PID: 353 (code=exited, status=0/SUCCESS)

Jan 03 16:10:43 sd-136208 systemd[1]: Starting IPv4 Packet Filtering Framework.>
Jan 03 16:10:44 sd-136208 systemd[1]: Started IPv4 Packet Filtering Framework.

What might cause this and how may I cure it?

TIA,

Mike

Last edited by freshscaped (2020-01-03 18:11:19)

Offline

#2 2020-01-03 17:05:16

nixpunk
Member
Registered: 2009-11-23
Posts: 271

Re: SOLVED iptables exits immediately upon load after new installation

I believe that's a 'oneshot' type service, so it's supposed to exit after executing once, hence the name. Check the output of 'iptables -nvL'.

Offline

#3 2020-01-03 17:19:08

freshscaped
Member
From: West Yorkshire
Registered: 2015-08-29
Posts: 62

Re: SOLVED iptables exits immediately upon load after new installation

Posting it here before examining 'cos can't see it properly in my terminal!

~]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2514  326K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  420 16917 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    9   322 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW
21560 1113K UDP        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
 1401 62432 TCP        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 ctstate NEW
21560 1113K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
 1110 47868 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4995 packets, 559K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  291 14564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Offline

#4 2020-01-03 17:19:49

freshscaped
Member
From: West Yorkshire
Registered: 2015-08-29
Posts: 62

Re: SOLVED iptables exits immediately upon load after new installation

Thanks nixpunk, output above. It doesn't say anything indicative to me. Does it to you?

Last edited by freshscaped (2020-01-03 17:22:31)

Offline

#5 2020-01-03 17:38:33

loqs
Member
Registered: 2014-03-06
Posts: 11,184

Re: SOLVED iptables exits immediately upon load after new installation

iptables-restore loads the tables into the kernel.  Its role finished it exits.
The operation of the firewall itself is performed by the kernel and not related to iptables-restore / iptables.service.

Offline

#6 2020-01-03 17:43:39

freshscaped
Member
From: West Yorkshire
Registered: 2015-08-29
Posts: 62

Re: SOLVED iptables exits immediately upon load after new installation

Hi loqs, is that telling me that the firewall is running or that I should run systemctl restore iptables and systemctl restore ip6tables? The two commands run so far are enable and start, not restore.

Thanks,

M

Last edited by freshscaped (2020-01-03 17:44:05)

Offline

#7 2020-01-03 17:47:54

loqs
Member
Registered: 2014-03-06
Posts: 11,184

Re: SOLVED iptables exits immediately upon load after new installation

From the outputs you posted

    Process: 353 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rul>
    Process: 359 ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.r>

Offline

#8 2020-01-03 18:06:49

freshscaped
Member
From: West Yorkshire
Registered: 2015-08-29
Posts: 62

Re: SOLVED iptables exits immediately upon load after new installation

OK. Thanks. I missed that. Besides which, over the past three weeks or so trying to get all this set up and sorted out I've read so much about firewalls, iptables, enabling ipv6 and trying to decide which systems to use I've got myself completely and utterly confused. So now the firewall is running I have more work to do to get ipv6 running, because it isn't just now. I had sort of hoped that was the problem.

Well I'll mark this as solved and continue along the ipv6 course of enquiry.

Offline

Board footer

Powered by FluxBB