#1 2021-10-29 14:34:07

Morta
Member
Registered: 2019-07-07
Posts: 660

[SOLVED] Ip6tables firewall give me error at last line but is correct

cat /etc/iptables/ip6tables.rules 
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
#-A OUTPUT ! -d 127.0.0.1/8 -m addrtype --dst-type LOCAL -j DOCKER #Why is this wrong? Can't find the network
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE #Why is this wrong? Can't find the network
-A POSTROUTING -o enp2s0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Oct 22 08:14:17 2021
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
*filter
:INPUT DROP [O:O] 
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:monitorix_IN_0 - [0:0]
:monitorix_IN_1 - [0:0]
:monitorix_IN_2 - [0:0]
:monitorix_IN_3 - [0:0]
:monitorix_IN_4 - [0:0]
:monitorix_IN_5 - [0:0]
:monitorix_IN_6 - [0:0]
:monitorix_IN_7 - [0:0]
:monitorix_IN_8 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 143 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_8
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_7
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_6
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 139 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_5
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_4
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 55000:55111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50000:50010 -j ACCEPT

-A INPUT -p udp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp --dport 546 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881 -j ACCEPT

-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 143 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_8
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_7
-A OUTPUT -p tcp -m tcp --sport 3306 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_6
-A OUTPUT -p tcp -m tcp --sport 139 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_5
-A OUTPUT -p tcp -m tcp --sport 110 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_4
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 25 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT #ERROR at this line, but when I delete this line I get an error that COMMIT is needed
sudo systemctl status ip6tables
× ip6tables.service - IPv6 Packet Filtering Framework
     Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Fri 2021-10-29 16:32:51 CEST; 3s ago
    Process: 146167 ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules (code=exited, status=1/FAILURE)
   Main PID: 146167 (code=exited, status=1/FAILURE)
        CPU: 5ms

Oct 29 16:32:51 5erver systemd[1]: Starting IPv6 Packet Filtering Framework...
Oct 29 16:32:51 5erver ip6tables-restore[146167]: ip6tables-restore: line 82 failed
Oct 29 16:32:51 5erver systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 16:32:51 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
Oct 29 16:32:51 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework

I commented out the lines that give me errors, but I can't understand why there is an error at the last line.

Last edited by Morta (2021-10-30 12:40:02)

#2 2021-10-29 14:46:27

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

ip6tables-restore --test --verbose /etc/iptables/ip6tables.rules

#3 2021-10-29 15:01:26

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

seth wrote:
ip6tables-restore --test --verbose /etc/iptables/ip6tables.rules
sudo ip6tables-restore --test --verbose /etc/iptables/ip6tables.rules
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `DOCKER'
Deleting chain `DOCKER'
#-A OUTPUT ! -d 127.0.0.1/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Completed on Fri Oct 22 08:14:17 2021
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
[morta@5erver ~]$ sudo ip6tables-restore --test --verbose /etc/iptables/ip6tables.rules
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `DOCKER'
Deleting chain `DOCKER'
#-A OUTPUT ! -d 127.0.0.1/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Completed on Fri Oct 22 08:14:17 2021
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
sudo systemctl status ip6tables
× ip6tables.service - IPv6 Packet Filtering Framework
     Loaded: loaded (/usr/lib/systemd/system/ip6tables.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Fri 2021-10-29 17:02:29 CEST; 3s ago
    Process: 149022 ExecStart=/usr/bin/ip6tables-restore /etc/iptables/ip6tables.rules (code=exited, status=1/FAILURE)
   Main PID: 149022 (code=exited, status=1/FAILURE)
        CPU: 3ms

Oct 29 17:02:29 5erver systemd[1]: Starting IPv6 Packet Filtering Framework...
Oct 29 17:02:29 5erver ip6tables-restore[149022]: ip6tables-restore: line 82 failed
Oct 29 17:02:29 5erver systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
Oct 29 17:02:29 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
Oct 29 17:02:29 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework.

Same error after test and verbose

#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

Why are these two lines wrong?

Last edited by Morta (2021-10-29 15:06:58)

#4 2021-10-29 15:13:11

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

Ah, you had already isolated the faulty lines - sorry.

Well

ip6tables-restore

#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

:P

#5 2021-10-29 15:50:35

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

seth wrote:

Ah, you had already isolated the faulty lines - sorry.

Well

ip6tables-restore

#-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
#-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE

:P

Should be the same?

These lines are autogenerated by Docker, but I don't know where I can find the original.

#6 2021-10-29 15:52:36

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

#7 2021-10-29 16:11:28

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

I know these are IPv4 addresses, but the weird thing is I didn't add them.

But you are right, I'm not very familiar with IPv6.
I should buy a German book and read it.

Last edited by Morta (2021-10-29 16:35:23)

#8 2021-10-29 17:05:46

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

I will move to nftables. How long does sudo ip6tables-restore take? In htop the process is not very busy.

I've been waiting for more than an hour... something is wrong...

Last edited by Morta (2021-10-29 18:20:10)

#9 2021-10-29 18:34:48

progandy
Member
Registered: 2012-05-17
Posts: 5,279

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

iptables-restore without a file argument will read data from stdin. If you do not feed it any, it will wait indefinitely.
Otherwise it will be nearly instant.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

#10 2021-10-29 18:41:23

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

progandy wrote:

iptables-restore without a file argument will read data from stdin. If you do not feed it any, it will wait indefinitely.
Otherwise it will be nearly instant.

OK, so I have to do

sudo ip6tables-restore < /etc/iptables/ip6tables.rules

It gives me an error at the last line, and there is COMMIT. If I delete it, it gives me an error that COMMIT is expected there.

What am I doing wrong? Is something killing my ip6tables rules config?

Last edited by Morta (2021-10-29 18:46:23)

#11 2021-10-30 07:31:34

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

Please post the actual rules file and the actual I/O.
Also test/verbose it and post the complete output. No paraphrasing like "there's an error".

FTR, ip6tables-restore either reads from stdin or accepts a file as the last parameter, so the command I posted in #2 will do the job.
Again: don't tell us "there's an error", post the actual and complete I/O.

And if you still have the IPv4 segments in there, I'll use mean words :P
https://de.wikipedia.org/wiki/IPv6

These lines are autogenerated by docker but i don’t know where i can find the original

Autogenerated "how"?
The rules file says

# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021

# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021

No mention of ip6tables-save - do you maybe simply want to "iptables-restore"?

#12 2021-10-30 11:17:53

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

journalctl -xeu ip6tables.service

░░ An ExecStart= process belonging to unit ip6tables.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 29 17:02:29 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit ip6tables.service has entered the 'failed' state with result 'exit-code'.
Oct 29 17:02:29 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework.
░░ Subject: A start job for unit ip6tables.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has finished with a failure.
░░ 
░░ The job identifier is 10367 and the job result is failed.
Oct 29 20:52:26 5erver systemd[1]: Starting IPv6 Packet Filtering Framework...
░░ Subject: A start job for unit ip6tables.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has begun execution.
░░ 
░░ The job identifier is 10605.
Oct 29 20:52:26 5erver ip6tables-restore[170005]: ip6tables-restore: line 82 failed
Oct 29 20:52:26 5erver systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit ip6tables.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 29 20:52:26 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit ip6tables.service has entered the 'failed' state with result 'exit-code'.
Oct 29 20:52:26 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework.
░░ Subject: A start job for unit ip6tables.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has finished with a failure.
░░ 
░░ The job identifier is 10605 and the job result is failed.
Oct 29 20:55:45 5erver systemd[1]: Starting IPv6 Packet Filtering Framework...
░░ Subject: A start job for unit ip6tables.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has begun execution.
░░ 
░░ The job identifier is 10724.
Oct 29 20:55:45 5erver ip6tables-restore[170258]: ip6tables-restore: line 82 failed
Oct 29 20:55:45 5erver systemd[1]: ip6tables.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit ip6tables.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Oct 29 20:55:45 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit ip6tables.service has entered the 'failed' state with result 'exit-code'.
Oct 29 20:55:45 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework.
░░ Subject: A start job for unit ip6tables.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has finished with a failure.
░░ 
░░ The job identifier is 10724 and the job result is failed.
Oct 29 21:03:31 5erver systemd[1]: Starting IPv6 Packet Filtering Framework...
░░ Subject: A start job for unit ip6tables.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has begun execution.
░░ 
░░ The job identifier is 10843.
Oct 29 21:03:31 5erver ip6tables-restore[170954]: Bad argument `*filter'
Oct 29 21:03:31 5erver ip6tables-restore[170954]: Error occurred at line: 10
Oct 29 21:03:31 5erver ip6tables-restore[170954]: Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Oct 29 21:03:31 5erver systemd[1]: ip6tables.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit ip6tables.service has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 2.
Oct 29 21:03:31 5erver systemd[1]: ip6tables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit ip6tables.service has entered the 'failed' state with result 'exit-code'.
Oct 29 21:03:31 5erver systemd[1]: Failed to start IPv6 Packet Filtering Framework.
░░ Subject: A start job for unit ip6tables.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit ip6tables.service has finished with a failure.
░░ 
░░ The job identifier is 10843 and the job result is failed.
cat /etc/iptables/ip6tables.rules 
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
# Completed on Fri Oct 22 08:14:17 2021
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
*filter
:INPUT DROP [0:0] 
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:monitorix_IN_0 - [0:0]
:monitorix_IN_1 - [0:0]
:monitorix_IN_2 - [0:0]
:monitorix_IN_3 - [0:0]
:monitorix_IN_4 - [0:0]
:monitorix_IN_5 - [0:0]
:monitorix_IN_6 - [0:0]
:monitorix_IN_7 - [0:0]
:monitorix_IN_8 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 143 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_8
-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_7
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 3306 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_6
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 139 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_5
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 110 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_4
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_3
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_2
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_1
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 25 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j monitorix_IN_0
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 55000:55111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50000:50010 -j ACCEPT

-A INPUT -p udp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m tcp --dport 546 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881 -j ACCEPT

-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp6s0 -o enp2s0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 143 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_8
-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_7
-A OUTPUT -p tcp -m tcp --sport 3306 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_6
-A OUTPUT -p tcp -m tcp --sport 139 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_5
-A OUTPUT -p tcp -m tcp --sport 110 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_4
-A OUTPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_3
-A OUTPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_2
-A OUTPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_1
-A OUTPUT -p tcp -m tcp --sport 25 --dport 1024:65535 -m conntrack --ctstate RELATED,ESTABLISHED -j monitorix_IN_0
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

It gives me an error at line 18 (*filter), but that seems correct, and at line 83 (COMMIT), but that also seems correct.

Docker added the rules when I installed Docker. In IPv4 and IPv6 iptables!

Last edited by Morta (2021-10-30 11:19:28)

#13 2021-10-30 11:46:12

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

journalctl -xeu ip6tables.service

Never use "-x", that's just spam.

Give me a error at line

seth wrote:

Again: don't tell us "there's an error" - post the actual and complete I/O

You're now not committing the NAT rules.

Docker added the rules when I installed Docker. IN IPv4 and IPv6 iptables!

Sorry, I don't see anything in the docker package that would write some /etc/iptables/ip6tables.rules, and the rules themselves say they were generated by "iptables-save" - something™ stored the IPv4 tables in that file, and it doesn't look like it's the systemd services provided by iptables.
I assume that something was someone, and that someone was you running "ip6tables-save -f /etc/iptables/iptables.rules" instead of "iptables-save -f /etc/iptables/iptables.rules" or "ip6tables-save -f /etc/iptables/ip6tables.rules".

Disable ip6tables.service and start iptables.service… and fix the rules file.

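
A pre-flight check for the rules file, as an added example that is not part of the thread or of the iptables project: it is an offline linter for the iptables-save dump format that catches the mistakes this thread turned up (an IPv4 literal in a file handed to ip6tables-restore, a *nat section with no COMMIT before *filter, a header written by iptables-save rather than ip6tables-save, non-numeric counters like [O:O] on a chain line) plus one the thread did not discuss: the first posted file has two `-p udp` rules (ports 53 and 546) that carry `-m tcp`, and the kernel refuses a tcp match on a non-TCP rule. Rules are only sent to the kernel at COMMIT, which is why ip6tables-restore reports "line 82 failed" against the COMMIT line rather than the offending rule. The two sample dumps are constructed for the example and are not the real file.

```python
"""Lint an iptables-save / ip6tables-save dump before ip6tables-restore sees it.
Added example, not from the thread.  Catches: header for the wrong tool, IPv4 literals
in an ip6tables file, a *table never COMMITted, bad counters, and -m tcp/udp on a
rule for another protocol (the kernel rejects that, so the failure lands on COMMIT)."""
import re
import shlex
import sys
from dataclasses import dataclass

IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
HEADER = re.compile(r"^#\s*Generated by (ip6?tables-save)\b")
COUNTERS = re.compile(r"^\[\d+:\d+\]$")
ADDR_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}
PROTO_NUMBERS = {"6": "tcp", "17": "udp"}        # '-p 6 -m tcp' is legitimate

@dataclass(frozen=True)
class Finding:
    line: int
    message: str

def lint_rules(text: str, family: str = "ipv6") -> list:
    """Return the problems in `text`; family is 'ipv6' (ip6tables-restore) or 'ipv4'."""
    tool = "ip6tables-save" if family == "ipv6" else "iptables-save"
    findings = []
    table, table_line, lineno = None, 0, 0    # *table block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                  # comments; check the save header
            m = HEADER.match(line)
            if m and m.group(1) != tool:
                findings.append(Finding(lineno, f"header says {m.group(1)}, but this file is for {tool.replace('save', 'restore')}"))
            continue
        if line.startswith("*"):                  # '*nat', '*filter'
            if table is not None:
                findings.append(Finding(lineno, f"*{table} (line {table_line}) has no COMMIT before *{line[1:]}"))
            table, table_line = line[1:], lineno
            continue
        if line == "COMMIT":                      # only an exact COMMIT line counts
            if table is None:
                findings.append(Finding(lineno, "COMMIT outside of any *table block"))
            table = None
            continue
        if table is None:
            findings.append(Finding(lineno, "chain or rule outside of any *table block"))
        if line.startswith(":"):                  # ':CHAIN POLICY [pkts:bytes]'
            parts = line.split()
            if len(parts) == 3 and not COUNTERS.match(parts[2]):
                findings.append(Finding(lineno, f"malformed counters {parts[2]} on chain line"))
            continue
        argv = shlex.split(line)                  # '-A CHAIN ...' rule line
        proto, matches, addrs = None, [], []
        for opt, arg in zip(argv, argv[1:] + [""]):   # each option with the token after it
            if opt in ("-p", "--protocol"):
                proto = PROTO_NUMBERS.get(arg, arg)
            elif opt in ("-m", "--match"):
                matches.append(arg)
            elif opt in ADDR_OPTS:
                addrs.append(arg)
        if family == "ipv6":
            for addr in addrs:
                if IPV4_LITERAL.match(addr):
                    findings.append(Finding(lineno, f"IPv4 address {addr} in an ip6tables file; ip6tables rejects it"))
        for match in matches:
            if match in ("tcp", "udp") and proto is not None and proto != match:
                findings.append(Finding(lineno, f"-m {match} on a -p {proto} rule; the kernel rejects this at COMMIT"))
    if table is not None:
        findings.append(Finding(lineno, f"*{table} (line {table_line}) is never committed"))
    return findings

# Constructed sample dumps reproducing the thread's mistakes (not the real file).
SAMPLE_BAD = """\
# Generated by iptables-save v1.8.7 on Fri Oct 22 08:14:17 2021
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
COMMIT
"""
SAMPLE_GOOD = """\
# Generated by ip6tables-save v1.8.7 on Sat Oct 30 15:02:35 2021
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -d ff02::fb -j ACCEPT
COMMIT
"""

if __name__ == "__main__":     # e.g.  python lint_rules.py /etc/iptables/ip6tables.rules
    for f in lint_rules(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD):
        print(f"line {f.line}: {f.message}")
```

Run it against the real file before `systemctl start ip6tables`; a clean run is the moment to hand the file to `ip6tables-restore --test`, the command from #2, which exercises the real parser and the kernel. The linter is deliberately narrow: it does not validate every match or target, only the classes of error that produced the "line 82 failed" and "Bad argument `*filter'" messages in this thread.
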
#14 2021-10-30 12:26:15

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

seth wrote:

journalctl -xeu ip6tables.service

Never use "-x", that's just spam.

Give me a error at line

seth wrote:

Again: don't tell us "there's an error" - post the actual and complete I/O

You're now not committing the NAT rules.

Docker added the rules when I installed Docker. IN IPv4 and IPv6 iptables!

Sorry, I don't see anything in the docker package that would write some /etc/iptables/ip6tables.rules, and the rules themselves say they were generated by "iptables-save" - something™ stored the IPv4 tables in that file, and it doesn't look like it's the systemd services provided by iptables.
I assume that something was someone, and that someone was you running "ip6tables-save -f /etc/iptables/iptables.rules" instead of "iptables-save -f /etc/iptables/iptables.rules" or "ip6tables-save -f /etc/iptables/ip6tables.rules".

Disable ip6tables.service and start iptables.service… and fix the rules file.

The iptables service is running, only ip6tables isn't.

The iptables rules are not the same as the ip6tables rules, and I didn't fail at that point.

I'm sure that I didn't add the Docker rules, but anyway.

You don't see any error in the rules?

I will start from scratch with the ip6tables rules if nobody sees an error in the file.

#15 2021-10-30 12:39:28

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

I deleted all DOCKER entries after I ran sudo ip6tables -f /etc/ip6tables/ip6tables.rules

Now it's possible to execute sudo systemctl start ip6tables

#16 2021-10-30 12:54:26

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

OOC: With the docker entries, does "ip6tables -f /etc/ip6tables/ip6tables.rules" seriously write the IPv4 segments? What does the updated file look like?

#17 2021-10-30 13:41:46

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

cat /etc/iptables/ip6tables.rules 
# Generated by ip6tables-save v1.8.7 on Sat Oct 30 15:02:35 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i br0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d ff02::fb -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
 
# open port 53
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT
 
# open port 22
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
 
# open port ftp rtorrent speedtest tcp
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 8080  -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 55000:55111 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 50000:50010 -j ACCEPT
#open port speedtest rtorrent dns udp
-A RH-Firewall-1-INPUT -m udp -p udp --dport 546 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 6881 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 8080 -j ACCEPT

# open port 80 & 443
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Sat Oct 30 15:02:35 2021
# Generated by ip6tables-save v1.8.7 on Sat Oct 30 15:02:35 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sat Oct 30 15:02:35 2021

My new working ip6tables firewall

#18 2021-10-30 13:58:54

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

# Generated by ip6tables-save v1.8.7 on Sat Oct 30 15:02:35 2021

I'm fairly confident that the problem wasn't docker but that the original rules w/ the IPv4 segment were dumped by iptables-save and not ip6tables-save - so ip6tables-restore stumbled over the IPv4 segment.
Just in case you intend to re-install docker at any point.

#19 2021-10-30 16:00:18

Morta
Member
Registered: 2019-07-07
Posts: 660

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

seth wrote:

# Generated by ip6tables-save v1.8.7 on Sat Oct 30 15:02:35 2021

I'm fairly confident that the problem wasn't docker but that the original rules w/ the IPv4 segment were dumped by iptables-save and not ip6tables-save - so ip6tables-restore stumbled over the IPv4 segment.
Just in case you intend to re-install docker at any point.

OK. Thanks for your support, you know Arch Linux like your own pocket.

What is the difference between iptables and nftables?
nftables is the next generation, but is it also more secure?

#20 2021-10-30 19:08:35

seth
Member
Registered: 2012-09-03
Posts: 60,922

Re: [SOLVED] Ip6tables firewall give me error at last line but is correct

https://www.computerweekly.com/de/ratge … s-beachten
https://wiki.nftables.org/wiki-nftables … h_iptables
https://ungleich.ch/en-us/cms/blog/2018 … -nftables/
https://linuxhandbook.com/iptables-vs-nftables/

Netfilter itself is inside the kernel, so security comes down to the userspace level, and it is not a state but a concept: once iptables stops being actively maintained, it'll become increasingly "insecure" to use, because nobody fixes bugs.
