
#1 2017-03-17 00:00:40

ThecaTTony
Member
From: Argentina
Registered: 2012-04-10
Posts: 10

[SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

The iptables service is randomly failing at boot. This behavior is the same on four systems, two at home and two at work. The line referred to, #26 or #8, is always the COMMIT one:

Rules:

[user@al01 ~]$ cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.6.0 on Thu Mar 16 19:48:46 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j sshguard
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -s 192.168.20.103/32 -d 224.0.0.0/8 -j ACCEPT
-A INPUT -s 192.168.20.103/32 -p vrrp -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 54322 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 19999 -j ACCEPT
-A TCP -s 192.168.20.103/32 -p tcp -m tcp --dport 2049 -j ACCEPT
COMMIT
# Completed on Thu Mar 16 19:48:46 2017

Empty /etc/iptables/ip6tables.rules.

Test:

[user@al01 ~]$ sudo reboot
login as: user
user@al01.xxxx.com.ar's password:
Last login: Thu Mar 16 19:51:15 2017 from 192.168.20.2
[user@al01 ~]$ sudo systemctl status iptables
[sudo] password for user:
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-03-16 19:54:45 -03; 21s ago
  Process: 248 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=1/FAILURE)
 Main PID: 248 (code=exited, status=1/FAILURE)

mar 16 19:54:45 al01.xxxx.com.ar systemd[1]: Starting Packet Filtering Framework...
mar 16 19:54:45 al01.xxxx.com.ar iptables-restore[248]: iptables-restore: line 26 failed
mar 16 19:54:45 al01.xxxx.com.ar systemd[1]: iptables.service: Main process exited, code=exited, status=1/FAILURE
mar 16 19:54:45 al01.xxxx.com.ar systemd[1]: Failed to start Packet Filtering Framework.
mar 16 19:54:45 al01.xxxx.com.ar systemd[1]: iptables.service: Unit entered failed state.
mar 16 19:54:45 al01.xxxx.com.ar systemd[1]: iptables.service: Failed with result 'exit-code'.
[user@al01 ~]$ sudo nano /etc/iptables/iptables.rules
[user@al01 ~]$ sudo systemctl restart iptables
[user@al01 ~]$ sudo systemctl status iptables
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2017-03-16 19:58:17 -03; 2s ago
  Process: 1081 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
 Main PID: 1081 (code=exited, status=0/SUCCESS)

mar 16 19:58:17 al01.xxxx.com.ar systemd[1]: Starting Packet Filtering Framework...
mar 16 19:58:17 al01.xxxx.com.ar systemd[1]: Started Packet Filtering Framework.

Service file:

[user@al01 ~]$ sudo systemctl cat iptables.service
[sudo] password for user:
# /usr/lib/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

--------

Another system:

Rules:

[user@al02 ~]$ cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.6.0 on Thu Mar 16 19:04:22 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j sshguard
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -s 192.168.20.102/32 -d 224.0.0.0/8 -j ACCEPT
-A INPUT -s 192.168.20.102/32 -p vrrp -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 54322 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 19999 -j ACCEPT
-A TCP -s 192.168.20.102/32 -p tcp -m tcp --dport 2049 -j ACCEPT
COMMIT
# Completed on Thu Mar 16 19:04:22 2017

Empty /etc/iptables/ip6tables.rules.

Test:

[user@al02 ~]$ sudo reboot
[sudo] password for user:
login as: user
user@al02.yyyy.com.ar's password:
Last login: Thu Mar 16 20:22:01 2017 from 192.168.20.2
[user@al02 ~]$ sudo systemctl status iptables
[sudo] password for user:
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-03-16 20:22:22 -03; 57s ago
  Process: 249 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=1/FAILURE)
 Main PID: 249 (code=exited, status=1/FAILURE)

mar 16 20:22:21 al02.yyyy.com.ar systemd[1]: Starting Packet Filtering Framework...
mar 16 20:22:22 al02.yyyy.com.ar iptables-restore[249]: iptables-restore: line 26 failed
mar 16 20:22:22 al02.yyyy.com.ar systemd[1]: iptables.service: Main process exited, code=exited, status=1/FAILURE
mar 16 20:22:22 al02.yyyy.com.ar systemd[1]: Failed to start Packet Filtering Framework.
mar 16 20:22:22 al02.yyyy.com.ar systemd[1]: iptables.service: Unit entered failed state.
mar 16 20:22:22 al02.yyyy.com.ar systemd[1]: iptables.service: Failed with result 'exit-code'.
[user@al02 ~]$ sudo systemctl restart iptables
[user@al02 ~]$ sudo systemctl status iptables
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2017-03-16 20:25:40 -03; 2s ago
  Process: 1040 ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules (code=exited, status=0/SUCCESS)
 Main PID: 1040 (code=exited, status=0/SUCCESS)

mar 16 20:25:40 al02.yyyy.com.ar systemd[1]: Starting Packet Filtering Framework...
mar 16 20:25:40 al02.yyyy.com.ar systemd[1]: Started Packet Filtering Framework.

After this test I rebooted the al02 server one more time without errors...

Service file:

[user@al02 ~]$ sudo systemctl cat iptables.service
# /usr/lib/systemd/system/iptables.service
[Unit]
Description=Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/usr/bin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/usr/lib/systemd/scripts/iptables-flush
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

When it fails, only (some) filters are created with the default policy ACCEPT, but no rules are added. Example:

Chain INPUT (policy ACCEPT 4597 packets, 1609K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4519 packets, 1312K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain sshguard (0 references)
 pkts bytes target     prot opt in     out     source               destination

Maybe some conflict with sshguard? In the rules created when the service fails, no TCP or UDP filter is added...

This is the thread on reddit with the examples from my home systems (In which I cannot recreate the error after three reboots): https://www.reddit.com/r/archlinux/comm … filtering/

Last edited by ThecaTTony (2017-04-06 19:57:41)

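The journal in the post above only says "iptables-restore: line 26 failed"; iptables-restore counts every line of the rules file from 1, comments included, so in the 27-line dump for al01 line 26 is COMMIT and line 8 is the ':sshguard - [0:0]' chain declaration. The script below is an added example, not code from the thread or from sshguard/iptables: it maps the journal line number back to the rules-file line and classifies it, which is the check to run before assuming a syntax error. A failure at COMMIT from a file that restores cleanly by hand is what the thread goes on to trace to concurrent modification of the table, and the rules the post shows afterwards (policy ACCEPT, no rules) are why the failure matters. The sample rules file is constructed from the post's own listing; function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: map an "iptables-restore: line N failed"
# journal message back to the line of the rules file it names. iptables-restore
# numbers lines from 1 and counts every line, comments and blank lines included,
# so in the 27-line dump from the first post "line 26" is COMMIT and "line 8" is
# the ':sshguard - [0:0]' chain declaration.
set -eu

# Constructed sample: the rules file posted for al01, written to the path in $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.6.0 on Thu Mar 16 19:48:46 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 54322 -j sshguard
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -s 192.168.20.103/32 -d 224.0.0.0/8 -j ACCEPT
-A INPUT -s 192.168.20.103/32 -p vrrp -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 54322 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -p tcp -m tcp --dport 19999 -j ACCEPT
-A TCP -s 192.168.20.103/32 -p tcp -m tcp --dport 2049 -j ACCEPT
COMMIT
# Completed on Thu Mar 16 19:48:46 2017
EOF
}

# Read journal text on stdin; print the N of the first "line N failed", else exit 1.
failed_line_number() {
    sed -n 's/.*iptables-restore: line \([0-9][0-9]*\) failed.*/\1/p' | head -n 1 | grep .
}

# Print line N ($2, 1-based, exactly as iptables-restore counts) of rules file $1.
rule_at() {
    sed -n "${2}p" "$1"
}

# Classify one rules-file line the way iptables-restore parses it.
classify() {
    case $1 in
        COMMIT)  echo commit ;;
        '*'*)    echo table ;;
        ':'*)    echo chain ;;
        -A*)     echo rule ;;
        '#'*|'') echo comment ;;
        *)       echo other ;;
    esac
}

# diagnose RULES_FILE < journal-text  ->  "N<TAB>kind<TAB>line contents"
# Live use:  journalctl -b -u iptables.service | diagnose /etc/iptables/iptables.rules
diagnose() {
    n=$(failed_line_number) || { echo "no iptables-restore failure in input" >&2; return 1; }
    line=$(rule_at "$1" "$n")
    printf '%s\t%s\t%s\n' "$n" "$(classify "$line")" "$line"
}
```

If the reported line is COMMIT or a chain declaration rather than an -A rule, and `iptables-restore /etc/iptables/iptables.rules` run by hand after boot succeeds, the file is not the problem; look at what else touches the table during boot.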

#2 2017-03-22 23:54:19

nfm
Member
Registered: 2008-06-13
Posts: 66

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Hello ThecaTTony,

I can confirm, I'm having the same issue. I looked at it and there's nothing wrong with my iptables or sshguard. Running iptables-restore manually succeeds, there are no errors in my /etc/iptables/iptables.rules, and yet systemd at boot fails to start iptables, saying that the COMMIT line 148 failed.

I have no idea what's going on and it has been frustrating so far.

Last edited by nfm (2017-03-23 00:06:03)


#3 2017-03-25 11:20:51

kadafax
Member
Registered: 2017-03-25
Posts: 7

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Same here, also with sshguard. After the system has booted, systemctl start iptables.service finally works.
I have the same unit file as the OP.


#4 2017-03-28 10:42:48

Grossi_Claps
Member
Registered: 2017-03-28
Posts: 5

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

I had the very same problem, sshguard installed and iptables randomly failing at boot. COMMIT at the last line failed.

I'm using this workaround for the moment in iptables.service

[Service]
Type=simple
Restart=on-failure
...


#5 2017-03-28 10:46:23

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Same issue here, and I also run sshguard. Some sort of race condition?


#6 2017-03-31 05:44:19

kyzxr
Member
Registered: 2017-03-31
Posts: 3

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Same issue. The thread's common theme of sshguard/iptables and @parchd's comment about a race condition led me to look at sshguard for the problem.

The current version of the sshguard systemd config lists 'After=iptables.target' in the [Unit] section (/usr/lib/systemd/system/sshguard.service). However, the iptables service name is 'iptables.service'. Presumably this changed at some point and sshguard has not been updated with the new service name. Adding the line 'After=iptables.service' forces sshguard to wait until iptables has started before running, and this fixes the issue.


#7 2017-03-31 08:14:40

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

kyzxr wrote:

The current version of sshguard systemd config lists 'After=iptables.target' in the [Unit] section (/usr/lib/systemd/system/sshguard.service). However, iptables service name is 'iptables.service'.

Nice catch - I looked at those files but my brain filtered out the difference between iptables.target and iptables.service.
Any chance you could open an issue on the sshguard bug tracker about it?

Edit:

URL: https://bitbucket.org/sshguard/sshguard/issues

Last edited by parchd (2017-03-31 08:14:58)


#8 2017-03-31 23:22:27

kyzxr
Member
Registered: 2017-03-31
Posts: 3

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Thanks for the link. I submitted a bug report:

https://bitbucket.org/sshguard/sshguard … s-conflict


#9 2017-04-06 19:56:09

ThecaTTony
Member
From: Argentina
Registered: 2012-04-10
Posts: 10

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

Another way to fix the failure is to override sshguard.service so that the sshguard filter is not created, since it is already added by the iptables rules file:

# /usr/lib/systemd/system/sshguard.service
# sshguard.service -- sample systemd unit file

[Unit]
Description=Intelligently block brute-force attacks by aggregating system logs
After=syslog.target
After=iptables.target
After=ip6tables.target
After=libvirtd.service
After=firewalld.service

[Service]
ExecStartPre=-/usr/sbin/iptables -N sshguard
ExecStart=/usr/sbin/sshguard
Restart=always

[Install]
WantedBy=multi-user.target
# /etc/systemd/system/sshguard.service.d/override.conf
[Service]
ExecStartPre=

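Posts #6 and #9 give two fixes: order sshguard after iptables.service instead of the non-existent iptables.target, and clear the packaged `ExecStartPre=-/usr/sbin/iptables -N sshguard` so sshguard no longer touches the filter table while iptables-restore may still be running. The script below is an added example, not from the thread or from the sshguard project; it installs one drop-in that applies both, at the same path the post above uses (/etc/systemd/system/sshguard.service.d/override.conf). The optional root-directory argument and the function names are assumptions added so the script can be exercised against a scratch directory before touching a live host.

```shell
#!/bin/sh
# Added example (not from the thread or the sshguard project): install a systemd
# drop-in for sshguard.service that (1) orders it after the real iptables/ip6tables
# unit names instead of the unprovided iptables.target, and (2) clears the packaged
# ExecStartPre that runs 'iptables -N sshguard' while iptables-restore may still be
# loading /etc/iptables/iptables.rules, which already declares :sshguard - [0:0].
# The optional root argument is an assumption so the function can be tested in a
# scratch directory; on a live host call it with no argument.
set -eu

# write_sshguard_override [ROOT]: write the drop-in below ROOT (default /),
# print its path.
write_sshguard_override() {
    root=${1:-/}
    root=${root%/}
    dir="$root/etc/systemd/system/sshguard.service.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Unit]
# sshguard.service ships After=iptables.target, which no unit provides;
# order it after the units that actually load the rules.
After=iptables.service ip6tables.service

[Service]
# An empty assignment clears the packaged
#   ExecStartPre=-/usr/sbin/iptables -N sshguard
# so only iptables-restore creates the sshguard chain.
ExecStartPre=
EOF
    printf '%s\n' "$dir/override.conf"
}

# check_sshguard_override FILE: succeed only if FILE carries both settings.
check_sshguard_override() {
    f=$1
    grep -Eq '^After=(.* )?iptables\.service( .*)?$' "$f" || return 1
    grep -q '^ExecStartPre=$' "$f" || return 1
    return 0
}
```

On a live host run `write_sshguard_override` as root, then `systemctl daemon-reload` and confirm the result with `systemctl show -p After sshguard.service` (iptables.service should now appear in the list) and `systemctl cat sshguard.service` (the drop-in is printed after the packaged unit, as in the post above). After= only orders the two units; it does not pull iptables.service in, which is fine here because both units are enabled under multi-user.target in the thread's unit files.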

#10 2017-04-07 12:17:41

parchd
Member
Registered: 2014-03-08
Posts: 421

Re: [SOLVED] Failed to start Packet Filtering Framework/sshguard conflict

sshguard has marked this as wontfix, as the service file is only meant to serve as an example for package maintainers, not to be used directly.
