#1 2012-10-11 20:47:38

wwgfd
Member
From: UK
Registered: 2012-10-11
Posts: 32

[Solved] systemd boot up: iptables fails but shorewall loads?

I've just got Arch installed and running a few days ago and I'm in the process of moving the system to pure systemd setup.
I installed iptables and shoreline firewall (shorewall) but I don't know if I need to have both processes loading in my daemon boot scripts or not?
Currently I do but my boot list shows that iptables and ip6tables fail to load, whilst shorewall/shorewall6 load but their sub-state is exited.

I configured shorewall according to the wiki guide, which basically involves copying the files in '/usr/share/docs/shorewall/Samples/Universal' in to '/etc/shorewall' (likewise for '.../shorewall6').
AFAIK this is all that is required for a basic, single computer, non-router setup.

But I'm left wondering if this means that I have got an active firewall or not? (since shorewall is enabled but iptables failed)
- if not what do I need to do to get the iptables firewall working
- or - if so how secure are the default basic firewall rules provided by shorewall's 'universal' sample and/or how I can test/improve them.

Thanks

Last edited by wwgfd (2012-11-26 18:17:13)


What would Gordon Freeman do?


#2 2012-10-12 02:51:05

smudge
Member
Registered: 2011-03-20
Posts: 158

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

wwgfd wrote:

I don't know if I need to have both processes loading in my daemon boot scripts or not?

You probably do. In systemd speak you'll need to enable iptables and shorewall services.

wwgfd wrote:

But I'm left wondering if this means that I have got an active firewall or not?

Have a look at the output of (as root/sudo):

iptables --list

it should give you a list of rules shorewall has loaded into iptables. If the list is empty you've got more research to do smile


#3 2012-11-26 18:14:11

wwgfd
Member
From: UK
Registered: 2012-10-11
Posts: 32

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

@smudge -- That's great thanks (sorry for such a late reply)

Anyway I did get a list of rules for Shorewall so it appears that everything was working just fine!
I'm guessing that maybe iptables was being reported as 'exited' because it was no longer needed once Shorewall had used it to create its set of rules?!

Thanks very much for your help!


#4 2012-12-09 01:47:31

Thisguy_
Member
Registered: 2012-12-03
Posts: 41

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

I was under the impression Shorewall was just a graphical frontend to iptables, and that iptables and the package it contains did all the work as far as firewalling went.


#5 2012-12-09 06:47:15

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

I think there may be some confusion about what the iptables service does. It just loads the iptables rules stored in /etc/iptables/iptables.rules. The tables themselves are always active, but they are empty and set to ACCEPT everything when the system starts. Even if the iptables service is not run, you can still configure firewall settings.

If you have not created default rules with iptables-save, then you can disable the service. If Shorewall takes care of all expected firewall settings then I think you can disable the iptables service, but I have never used Shorewall so I do not know exactly what it does.

Whatever you decide to do, I think you should still try to determine why the service currently fails. Do you still have the systemd-sysvcompat package installed with iptables listed in /etc/rc.conf? When I converted, I forgot about that myself and noticed that iptables "failed" at startup. In fact it was being started twice and failing due to existing rules from the first instance.


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone
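A way to turn smudge's `iptables --list` check and Xyne's description of the empty boot-time tables into a yes/no answer, added here as an example and not code from the thread: it reads `iptables-save` output (two constructed samples are embedded below; on a live system pipe the real root command in) and reports whether the filter table is effectively wide open or is actually filtering.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies iptables-save output as
# "open" when every built-in filter chain has policy ACCEPT and holds no rules
# (the empty boot-time state Xyne describes), or "filtering" otherwise.
# Live use (as root):  iptables-save | fw_state

fw_state() {
    awk '
        /^\*/             { table = substr($0, 2); next }     # "*filter", "*nat": table header
        table != "filter" { next }                            # only the filter table matters here
        /^:/              { if ($2 == "DROP") drop++; next }  # ":INPUT DROP [0:0]" policy line
        /^-A /            { rules++ }                         # an actual rule in the filter table
        END {
            verdict = (rules == 0 && drop == 0) ? "open" : "filtering"
            print verdict
        }
    '
}

# Convenience wrapper so a ruleset held in a shell variable can be checked.
check_ruleset() { printf '%s\n' "$1" | fw_state; }

# Constructed sample 1: what iptables-save shows before any service loads rules.
EMPTY_RULESET='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample 2: the shape of a loaded Shorewall ruleset (heavily trimmed),
# default-deny on INPUT with a single SSH allow inside a zone chain.
SHOREWALL_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net-fw - [0:0]
-A INPUT -i eth0 -j net-fw
-A net-fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net-fw -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
COMMIT'

printf 'empty ruleset:     %s\n' "$(check_ruleset "$EMPTY_RULESET")"      # open
printf 'shorewall ruleset: %s\n' "$(check_ruleset "$SHOREWALL_RULESET")"  # filtering
```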


#6 2012-12-09 16:28:08

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

Hi guys sorry for replying in a thread marked as solved but I was trying to set up my shorewall today and sorta failed. Don't get me wrong I am not asking for help I am actually trying to share what I have learned during that time.

First of all Thisguy_ - shorewall is not a gui for iptables. It's a firewall which manages rules of iptables which is another firewall.

When using shorewall you do not want iptables to start at boot time - it's like running 2 firewalls at once which is asking for trouble.

So...

su

root's password

systemctl disable iptables.service
systemctl enable shorewall.service
systemctl start shorewall.service

is what You need. If that last one gives errors - You need to run

systemctl status shorewall.service

to figure out what's wrong...

In my case I had this error:

Dec 09 15:13:18 wishmacer.loc shorewall[6002]: ERROR: Invalid Interface option (detect) /etc/shorewall/interfaces (line 13)

due to an id10T error that occurred between chair and keyboard. I used this in my

/etc/shorewall/interfaces

file:

net   eth0    detect

while the entry should look like this:

net    eth0    -       

or at least that's what I found here:

http://shorewall.net/manpages/shorewall-interfaces.html

FORMAT 2

    The BROADCAST column is omitted.

[...]

Example:

    #ZONE   INTERFACE       BROADCAST
    loc     eth1            -
    loc     eth2            -

After fixing that - the firewall has started and it looked like this:

http://pastebin.com/4p8VPeA8

I am hoping that I did everything correctly but like I said - I know close to nothing about setting up firewalls...

Regards.

Andrzej


The worst thing about censorship is ██████ ██ ████ ████████████ and ██████ ███████ ███ ███████████.
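A lint for the exact mistake in the post above, added here as an example and not code from the thread or from Shorewall: the error shows the interfaces file was parsed as FORMAT 2, where the BROADCAST column is gone and column 3 is OPTIONS, so the FORMAT 1 broadcast value "detect" is rejected. The samples are constructed; on a real system run it on /etc/shorewall/interfaces.

```shell
#!/bin/sh
# Added example, not from the thread. Flags "detect" in column 3 of a shorewall
# interfaces file once FORMAT 2 is declared, i.e. the cause of
# "ERROR: Invalid Interface option (detect)". Live use:
#   lint_interfaces /etc/shorewall/interfaces

# Exit 0 when clean; otherwise print one line per offending entry and exit 1.
lint_interfaces() {
    awk '
        BEGIN { fmt = 1; bad = 0 }
        /^[[:space:]]*[?]?FORMAT[[:space:]]+2/ { fmt = 2; next }  # "FORMAT 2" or "?FORMAT 2"
        /^[[:space:]]*(#|$)/ { next }                               # comments and blank lines
        fmt == 2 && $3 == "detect" {
            printf "line %d: \"%s\": column 3 is OPTIONS in FORMAT 2; write \"%s %s -\" instead\n", NR, $0, $1, $2
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Helper: lint a ruleset held in a string by writing it to a temp file.
lint_text() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if lint_interfaces "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample reproducing the broken entry from the post (FORMAT 2 + detect).
BAD_SAMPLE='?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        detect'

# Constructed FORMAT 1 sample: here column 3 really is BROADCAST, so detect is valid.
GOOD_SAMPLE='#ZONE   INTERFACE   BROADCAST
loc     eth1        detect
loc     eth2        -'

lint_text "$BAD_SAMPLE"  || echo "bad sample: problems found (expected)"
lint_text "$GOOD_SAMPLE" && echo "good sample: clean"
```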


#7 2012-12-09 16:43:33

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

@AndrzejL, you are not quite correct in your view of iptables vs shorewall.  Shorewall is merely a frontend to iptables.  So they are essentially the same thing.  If you run both, you will not get two firewalls, but you will likely end up with a vastly larger number of iptables rules, most of which are repeating functionality of the ones before it and probably breaking functionality along the way.

The purpose of things like shorewall is so that people like yourself can set up a firewall and actually possibly configure it to accept traffic for certain services.  Without some familiarity with iptables, even allowing traffic through for a torrent client might be kind of tricky.

A quick scan over your process there seems pretty okay to me.  Though I can't say that I read it in depth.  If you really want to make sure that iptables is not running when you start shorewall in the beginning, you not only have to disable it but you also have to stop it (or I guess you could use 'is-active').


#8 2012-12-09 16:56:32

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

WonderWoofy wrote:

@AndrzejL, you are not quite correct in your view of iptables vs shorewall.  Shorewall is merely a frontend to iptables.  So they are essentially the same thing.  If you run both, you will not get two firewalls, but you will likely end up with a vastly larger number of iptables rules, most of which are repeating functionality of the ones before it and probably breaking functionality along the way.

The purpose of things like shorewall is so that people like yourself can set up a firewall and actually possibly configure it to accept traffic for certain services.  Without some familiarity with iptables, even allowing traffic through for a torrent client might be kind of tricky.

A quick scan over your process there seems pretty okay to me.  Though I can't say that I read it in depth.  If you really want to make sure that iptables is not running when you start shorewall in the beginning, you not only have to disable it but you also have to stop it (or I guess you could use 'is-active').

WonderWoofy I understood it the same way You described it but obviously miswrote when I was trying to explain it in my own words. Thank You for clarifying it.

I think I got it working correctly. ICMPs are being blocked, all ports but one are opened and nmap won't even scan the host unless some switches are provided. Sounds like a solid firewall to me.

Thanks again.

Regards.

Andrzej

Last edited by AndrzejL (2012-12-09 17:02:03)


#9 2012-12-10 00:01:02

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

Why would you want all ports but one open? (Curious: which one is *not* open?)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#10 2012-12-10 01:33:14

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

I don't know about AndrzejL, but I keep a port open for my torrent client.


#11 2012-12-10 01:59:39

AndrzejL
Member
Registered: 2012-12-07
Posts: 160

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

cfr wrote:

Why would you want all ports but one open? (Curious: which one is *not* open?)

I keep all ports closed but one as I am only using one port for ssh purposes.

Regards.

Andrzej


#12 2012-12-10 02:07:27

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

OK. That makes a lot more sense!

I do that on my work machine (ssh is open). I just couldn't see much call for a firewall with only one port closed...

Last edited by cfr (2012-12-10 02:08:30)


#13 2012-12-10 16:18:17

wwgfd
Member
From: UK
Registered: 2012-10-11
Posts: 32

Re: [Solved] systemd boot up: iptables fails but shorewall loads?

LOL -- It's typical isn't it, since my OP I have built a new machine and re-installed Arch only to run into the same problem again.

In fact it was a bit worse this time as I'd actually forgotten to install or configure any kind of firewall until I was checking my profile on the forum here and noticed new responses on this thread. So thanks for the memory jog folks.

Also big thanks @AndrzejL and @WonderWoofy for the very helpful info, got me sorted again in no time big_smile

FYI: I also found the Universal Configuration Guide in the Beginner's section of the Documentation on Shorewall's Homepage ultimately very useful too. Of course if the 'Universal' (i.e. a single machine with single network connection) config's not what you need then there are others.

The most important information for me was where the 'sample' files for Shoreline Firewall are located once it's installed as these contain all the configs you need to get a decent 'general purpose' firewall up and running. So to mimic the example in their guide, but with more of an Arch flavour...

$ pacman -Ql shorewall | grep Universal
shorewall /usr/share/doc/shorewall/Samples/Universal/
shorewall /usr/share/doc/shorewall/Samples/Universal/interfaces
shorewall /usr/share/doc/shorewall/Samples/Universal/interfaces.annotated
shorewall /usr/share/doc/shorewall/Samples/Universal/policy
shorewall /usr/share/doc/shorewall/Samples/Universal/policy.annotated
shorewall /usr/share/doc/shorewall/Samples/Universal/rules
shorewall /usr/share/doc/shorewall/Samples/Universal/rules.annotated
shorewall /usr/share/doc/shorewall/Samples/Universal/shorewall.conf
shorewall /usr/share/doc/shorewall/Samples/Universal/shorewall.conf.annotated
shorewall /usr/share/doc/shorewall/Samples/Universal/zones
shorewall /usr/share/doc/shorewall/Samples/Universal/zones.annotated

...don't forget to repeat this for "shorewall6" too if you're using/require IPv6 support wink

Thanks to all
