[SOLVED] Persistent iptables


Postby sln123 » Nov 14th, '19, 00:40

Hi all,

I'm having trouble making my iptables rules persistent. I'm also having trouble getting my display manager working, so I'm doing this entirely from the command line. I have a script that basically opens ssh port 22 and samba ports udp-137 and 138 and tcp-139 and 445, and that works great when I run the script from the command line. But when I reboot, I lose ssh and samba access to the system until I manually run the script. There are lots of suggested solutions on the web, but I haven't gotten any to work for me in Mageia:

  • I tried using iptables-save > /etc/sysconfig/iptables (to test adding to boot using systemctl), but iptables-restore < /etc/sysconfig/iptables reports errors with the default rules (not my rules).
  • I tried creating rc.local to run my script, but journalctl tells me rc.local is run one second before iptables is started, so it does not add my rules.
  • I've read about iptables-persistent for Fedora, but I do not see that package for Mageia.
  • I've read about firewalld, but I can't tell if it is compatible with Mageia and how to make it work with or instead of Shorewall.
My system is currently doing a long fsck from my failed graphics handling, but I can provide details like journalctl output or specific errors reported by iptables-restore when I get it back up.

So my question is what is the best way to make iptables rules persistent in Mageia 7.1 from the command line?

Thanks

Phil
Last edited by sln123 on Nov 18th, '19, 21:30, edited 2 times in total.
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18

Re: Persistent iptables

Postby sln123 » Nov 14th, '19, 02:55

More info:

Here is the error when running iptables-restore < /etc/sysconfig/iptables:
Code:
iptables-restore v1.8.2 (legacy): Couldn't load match `psd--psd-weight-threshold':No such file or directory

Error occurred at line: 101
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Here is my full /etc/sysconfig/iptables. It is basically default plus ssh, plus samba rules. I blocked out the IP address references with XXX:
Code:
# Generated by iptables-save v1.8.2 on Tue Nov 12 20:29:35 2019
*mangle
:PREROUTING ACCEPT [1215:121299]
:INPUT ACCEPT [1215:121299]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [248:24091]
:POSTROUTING ACCEPT [248:24091]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
-A FORWARD -j MARK --set-xmark 0x0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Tue Nov 12 20:29:35 2019
# Generated by iptables-save v1.8.2 on Tue Nov 12 20:29:35 2019
*nat
:PREROUTING ACCEPT [953:98885]
:INPUT ACCEPT [7:412]
:OUTPUT ACCEPT [24:1799]
:POSTROUTING ACCEPT [24:1799]
COMMIT
# Completed on Tue Nov 12 20:29:35 2019
# Generated by iptables-save v1.8.2 on Tue Nov 12 20:29:35 2019
*raw
:PREROUTING ACCEPT [1215:121299]
:OUTPUT ACCEPT [248:24091]
-A PREROUTING -p udp -m udp --dport 10080 -j CT --helper amanda
-A PREROUTING -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper ftp
-A PREROUTING -p udp -m udp --dport 1719 -j CT --helper RAS
-A PREROUTING -p tcp -m tcp --dport 1720 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper Q.931
-A PREROUTING -p tcp -m tcp --dport 6667 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper irc
-A PREROUTING -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A PREROUTING -p tcp -m tcp --dport 1723 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper pptp
-A PREROUTING -p tcp -m tcp --dport 6566 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper sane
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
-A PREROUTING -p udp -m udp --dport 161 -j CT --helper snmp
-A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
-A OUTPUT -p udp -m udp --dport 10080 -j CT --helper amanda
-A OUTPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper ftp
-A OUTPUT -p udp -m udp --dport 1719 -j CT --helper RAS
-A OUTPUT -p tcp -m tcp --dport 1720 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper Q.931
-A OUTPUT -p tcp -m tcp --dport 6667 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper irc
-A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -p tcp -m tcp --dport 1723 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper pptp
-A OUTPUT -p tcp -m tcp --dport 6566 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --helper sane
-A OUTPUT -p udp -m udp --dport 5060 -j CT --helper sip
-A OUTPUT -p udp -m udp --dport 161 -j CT --helper snmp
-A OUTPUT -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Tue Nov 12 20:29:35 2019
# Generated by iptables-save v1.8.2 on Tue Nov 12 20:29:35 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Ifw - [0:0]
:dynamic - [0:0]
:fw-net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net-fw - [0:0]
:reject - [0:0]
:sha-lh-1968f2bf9943e81b25e5 - [0:0]
:sha-rh-53d2dcf425a9d861f0f7 - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
-A INPUT -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX/32 -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX/32 -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j Ifw
-A INPUT -i enp4s0 -j net-fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
-A INPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "INPUT REJECT " --log-level 6
-A INPUT -g reject
-A FORWARD -m addrtype --dst-type BROADCAST -j DROP
-A FORWARD -m addrtype --dst-type ANYCAST -j DROP
-A FORWARD -m addrtype --dst-type MULTICAST -j DROP
-A FORWARD -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "FORWARD REJECT " --log-level 6
-A FORWARD -g reject
-A OUTPUT -o enp4s0 -j fw-net
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
-A OUTPUT -m addrtype --dst-type ANYCAST -j DROP
-A OUTPUT -m addrtype --dst-type MULTICAST -j DROP
-A OUTPUT -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "OUTPUT REJECT " --log-level 6
-A OUTPUT -g reject
-A Ifw -m set --match-set ifw_wl src -j RETURN
-A Ifw -m set --match-set ifw_bl src -j DROP
-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1  -j IFWLOG--log-prefix "SCAN"
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -j ACCEPT
-A logdrop -j DROP
-A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net-fw -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
-A net-fw -p tcp -j tcpflags
-A net-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A net-fw -m addrtype --dst-type BROADCAST -j DROP
-A net-fw -m addrtype --dst-type ANYCAST -j DROP
-A net-fw -m addrtype --dst-type MULTICAST -j DROP
-A net-fw -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "net-fw DROP " --log-level 6
-A net-fw -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Tue Nov 12 20:29:35 2019


To see the right lines, here are the commands around line 101 with line numbers added:
Code:
 98: -A Ifw -m set --match-set ifw_wl src -j RETURN
 99: -A Ifw -m set --match-set ifw_bl src -j DROP
100: -A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1  -j IFWLOG--log-prefix "SCAN"
101: -A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
102: -A fw-net -j ACCEPT

And finally, here is my script that successfully adds my ssh and samba rules:
Code:
iptables -I INPUT -p tcp -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX --destination-port 22 -j ACCEPT
iptables -I INPUT -p udp -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX -m state --state NEW --destination-port 137 -j ACCEPT
iptables -I INPUT -p udp -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX -m state --state NEW --destination-port 138 -j ACCEPT
iptables -I INPUT -p tcp -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX -m state --state NEW --destination-port 139 -j ACCEPT
iptables -I INPUT -p tcp -s XXX.XXX.XXX.0/24 -d XXX.XXX.XXX.XXX -m state --state NEW --destination-port 445 -j ACCEPT

And here is an excerpt from journalctl output showing the timestamps indicating when rc.local is run and when iptables and shorewall are started:
Code:
<...snip...>
Nov 12 19:47:54 DB2-Backup systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
<...snip...>
Nov 12 19:47:54 DB2-Backup shorewall[1521]: Starting Shorewall....
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Initializing...
Nov 12 19:47:54 DB2-Backup systemd[1]: Started OpenSSH server daemon.
Nov 12 19:47:54 DB2-Backup sshd[1519]: Server listening on 0.0.0.0 port 22.
Nov 12 19:47:54 DB2-Backup sshd[1519]: Server listening on :: port 22.
Nov 12 19:47:55 DB2-Backup systemd[1]: plymouth-quit-wait.service: Succeeded.
Nov 12 19:47:55 DB2-Backup systemd[1]: Started Hold until boot process finishes up.
Nov 12 19:47:55 DB2-Backup systemd[1]: Received SIGRTMIN+21 from PID 324 (plymouthd).
Nov 12 19:47:55 DB2-Backup systemd[1]: Started Getty on tty1.
Nov 12 19:47:55 DB2-Backup systemd[1]: Reached target Login Prompts.
Nov 12 19:47:55 DB2-Backup systemd[1]: plymouth-quit.service: Succeeded.
Nov 12 19:47:55 DB2-Backup systemd[1]: Started Terminate Plymouth Boot Screen.
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Processing /etc/shorewall/init ...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Processing /etc/shorewall/tcclear ...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Setting up Route Filtering...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Setting up Martian Logging...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Setting up Proxy ARP...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Preparing iptables-restore input...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Running /sbin/iptables-restore --wait 60...
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Processing /etc/shorewall/start ...
Nov 12 19:47:55 DB2-Backup kernel: netfilter PSD loaded - (c) astaro AG
Nov 12 19:47:55 DB2-Backup kernel: IFWLOG: register target
Nov 12 19:47:55 DB2-Backup kernel: net-fw DROP IN=enp4s0 OUT= MAC=00:22:19:2f:ac:5a:d4:ae:52:b7:a0:24:08:00 SRC=XXX.XXX.XXX.XXX DST=XXX.XXX.XXX.XXX LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11739 DF PROTO=TCP SPT=40452 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 12 19:47:55 DB2-Backup shorewall[1521]: Processing /etc/shorewall/started ...
Nov 12 19:47:55 DB2-Backup root[1670]: Shorewall started
Nov 12 19:47:55 DB2-Backup shorewall[1521]: done.
Nov 12 19:47:55 DB2-Backup systemd[1]: Started Shorewall IPv4 firewall.
Nov 12 19:47:55 DB2-Backup systemd[1]: Starting Shorewall IPv6 firewall...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Starting Shorewall6....
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Initializing...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Processing /etc/shorewall6/init ...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Setting up Proxy NDP...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Preparing ip6tables-restore input...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Running /sbin/ip6tables-restore --wait 60...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Processing /etc/shorewall6/start ...
Nov 12 19:47:55 DB2-Backup shorewall[1674]: Processing /etc/shorewall6/started ...
Nov 12 19:47:55 DB2-Backup root[1769]: Shorewall6 started
Nov 12 19:47:55 DB2-Backup shorewall[1674]: done.
Nov 12 19:47:55 DB2-Backup systemd[1]: Started Shorewall IPv6 firewall.
Nov 12 19:47:56 DB2-Backup systemd[1]: Started Samba SMB Daemon.
Nov 12 19:47:56 DB2-Backup systemd[1]: Reached target Multi-User System.
Nov 12 19:47:56 DB2-Backup systemd[1]: Starting Update UTMP about System Runlevel Changes...
Nov 12 19:47:56 DB2-Backup smbd[1523]: [2019/11/12 19:47:56.302187,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Nov 12 19:47:56 DB2-Backup smbd[1523]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Nov 12 19:47:56 DB2-Backup systemd[1]: systemd-update-utmp-runlevel.service: Succeeded.
Nov 12 19:47:56 DB2-Backup systemd[1]: Started Update UTMP about System Runlevel Changes.
Nov 12 19:47:56 DB2-Backup systemd[1]: Startup finished in 4.287s (kernel) + 31.595s (userspace) = 35.882s.
<...snip...>

Thanks

Phil
Last edited by sln123 on Nov 15th, '19, 03:36, edited 1 time in total.
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18

Re: Persistent iptables

Postby sln123 » Nov 14th, '19, 03:38

I got iptables-restore to accept my file from iptables-save by adding a space in the offending line in two places:
  • after -m psd and before --psd-weight-threshold 10
  • after -j IFWLOG and before --log-prefix "SCAN"
Basically there was no space before those command line options indicated by -- so it considered it part of the earlier option. But note that these are rules I did not create that were saved by iptables-save, so it seems like a bug if the default rules cause syntax errors.

Also, I do not have this working yet because I do not know how and where to run iptables-restore. I was working from the page: https://serverfault.com/questions/72318 ... t-rc-local, which says:
Put your firewall rules into /etc/sysconfig/iptables in the normal way, using iptables-save > /etc/sysconfig/iptables, clear your rules, then do systemctl start iptables.service to apply them. If iptables -L -n -v confirms they've taken, do systemctl enable iptables.service to start them at boot time.


But following these steps basically clears all my rules when I run systemctl start iptables.service.

In Mageia, can I use the iptables service to restore iptables rules at boot from /etc/sysconfig/iptables? Or how do I need to run iptables-restore during boot for Mageia when rc.local is run before iptables starts?

Thanks

Phil
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18
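The missing-space defect described in the post above, as an added example that is not part of the thread: a small lint that flags lines of an iptables-save dump where a match or target name is glued to its first --option (the "-m psd--psd-weight-threshold" and "-j IFWLOG--log-prefix" case), and a sed rewrite that inserts the missing space. The regex, the function names and the three sample lines are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save dump for a match (-m),
# target (-j) or goto (-g) name glued to its first "--option". iptables-restore
# then looks for a match literally named "psd--psd-weight-threshold" and fails
# with "Couldn't load match ...: No such file or directory".

# Name characters are letters, digits, "_" and "-"; the character right before
# the "--" must not itself be "-", so a normal " --log-prefix" after a space is
# not reported.
GLUED_RE='-(m|j|g) [A-Za-z0-9_-]*[A-Za-z0-9_]--[A-Za-z]'

# Print each offending line read from stdin, prefixed with its line number.
# Exit status 0 when something was found, 1 when the input is clean (grep semantics).
find_glued_options() {
    grep -nE -e "$GLUED_RE"
}

# Print the number of offending stdin lines; always exits 0, even for a count of 0.
count_glued_options() {
    grep -cE -e "$GLUED_RE" || true
}

# Rewrite stdin, inserting the missing space between the name and its option.
# \1 is "-m psd" (name included), \3 is the first letter of the option.
fix_glued_options() {
    sed -E 's/(-(m|j|g) [A-Za-z0-9_-]*[A-Za-z0-9_])--([A-Za-z])/\1 --\3/g'
}

# Constructed sample: the three lines around the failing one in the thread,
# with both glued options on the second line.
SAMPLE_RULES='-A Ifw -m set --match-set ifw_wl src -j RETURN
-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 -j IFWLOG--log-prefix "SCAN"
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Stand-alone run: lint a dump given as $1, otherwise lint and repair the sample.
INPUT_FILE="${1:-}"
if [ -n "$INPUT_FILE" ]; then
    find_glued_options < "$INPUT_FILE" || echo "no glued options in $INPUT_FILE"
else
    printf '%s\n' "$SAMPLE_RULES" | find_glued_options || echo "sample is clean"
    echo "--- repaired ---"
    printf '%s\n' "$SAMPLE_RULES" | fix_glued_options
fi
```

To check a real dump without touching it, run the script with the dump as its argument; to repair, pipe the file through fix_glued_options into a new file and restore from that.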

Re: Persistent iptables

Postby doktor5000 » Nov 14th, '19, 12:59

For some of your questions:

iptables.service is supposed to run /usr/libexec/iptables.init which then runs /sbin/iptables-restore, which reads the rules from /etc/sysconfig/iptables
So if iptables.service is enabled and your config is fine, then it should work. Can you please show the output as root of

Code:
systemctl is-enabled iptables.service
systemctl status iptables.service -al -n150


Although, why don't you simply use drakfirewall to configure those firewall rules? http://doc.mageia.org/mcc/7/en/content/ ... akfirewall
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Persistent iptables

Postby sln123 » Nov 14th, '19, 21:13

Hi doktor5000,

systemctl is-enabled iptables.service outputs:
Code:
enabled

systemctl status iptables.service -al -n150 outputs:
Code:
● iptables.service - iptables Firewall for IPv4
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: inactive (dead)

I would normally use drakfirewall, but this is the system where I haven't gotten the desktop/GUI/display manager working yet.

Thanks
Phil
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18

Re: Persistent iptables

Postby sln123 » Nov 14th, '19, 23:29

Also after your explanation of how iptables-restore works, I thought the boot log might be useful.

So shortly after gathering the info shown in the previous post with no changes to services, I rebooted the system. My rules were not added and I could not connect using ssh or samba. Here is the relevant section of output from journalctl -ab containing relevant firewall startup info:
Code:
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting OpenSSH server daemon...
Nov 14 12:11:17 DB2-Backup systemd[1]: Reached target Network is Online.
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Shorewall IPv4 firewall...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Samba SMB Daemon...
Nov 14 12:11:17 DB2-Backup ntpd[829]: Listen normally on 6 enp4s0 192.168.254.17:123
Nov 14 12:11:17 DB2-Backup ntpd[829]: new interface(s) found: waking up resolver
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Permit User Sessions.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Command Scheduler.
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) STARTUP (1.5.4)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (Syslog will be used instead of sendmail.)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 50% if used.)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (running with inotify support)
Nov 14 12:11:17 DB2-Backup sshd[1528]: Server listening on 0.0.0.0 port 22.
Nov 14 12:11:17 DB2-Backup sshd[1528]: Server listening on :: port 22.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started OpenSSH server daemon.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started /etc/rc.d/rc.local Compatibility.
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Hold until boot process finishes up...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Terminate Plymouth Boot Screen...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Starting Shorewall....
Nov 14 12:11:17 DB2-Backup systemd[1]: Received SIGRTMIN+21 from PID 325 (plymouthd).
Nov 14 12:11:17 DB2-Backup systemd[1]: Received SIGRTMIN+21 from PID 325 (plymouthd).
Nov 14 12:11:17 DB2-Backup systemd[1]: plymouth-quit-wait.service: Succeeded.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Hold until boot process finishes up.
Nov 14 12:11:17 DB2-Backup systemd[1]: plymouth-quit.service: Succeeded.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Terminate Plymouth Boot Screen.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Getty on tty1.
Nov 14 12:11:17 DB2-Backup systemd[1]: Reached target Login Prompts.
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Initializing...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Processing /etc/shorewall/init ...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Processing /etc/shorewall/tcclear ...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Route Filtering...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Martian Logging...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Proxy ARP...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Preparing iptables-restore input...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Running /sbin/iptables-restore --wait 60...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Processing /etc/shorewall/start ...
Nov 14 12:11:18 DB2-Backup kernel: netfilter PSD loaded - (c) astaro AG
Nov 14 12:11:18 DB2-Backup kernel: IFWLOG: register target
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Processing /etc/shorewall/started ...
Nov 14 12:11:18 DB2-Backup root[1679]: Shorewall started
Nov 14 12:11:18 DB2-Backup shorewall[1529]: done.
Nov 14 12:11:18 DB2-Backup systemd[1]: Started Shorewall IPv4 firewall.
Nov 14 12:11:18 DB2-Backup systemd[1]: Starting Shorewall IPv6 firewall...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Starting Shorewall6....
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Initializing...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/init ...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Setting up Proxy NDP...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Preparing ip6tables-restore input...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Running /sbin/ip6tables-restore --wait 60...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/start ...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/started ...
Nov 14 12:11:18 DB2-Backup root[1778]: Shorewall6 started
Nov 14 12:11:18 DB2-Backup shorewall[1683]: done.
Nov 14 12:11:18 DB2-Backup systemd[1]: Started Shorewall IPv6 firewall.
Nov 14 12:11:19 DB2-Backup systemd[1]: Started Samba SMB Daemon.
Nov 14 12:11:19 DB2-Backup systemd[1]: Reached target Multi-User System.
Nov 14 12:11:19 DB2-Backup smbd[1531]: [2019/11/14 12:11:19.040811,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Nov 14 12:11:19 DB2-Backup smbd[1531]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Nov 14 12:11:19 DB2-Backup systemd[1]: Starting Update UTMP about System Runlevel Changes...
Nov 14 12:11:19 DB2-Backup systemd[1]: systemd-update-utmp-runlevel.service: Succeeded.
Nov 14 12:11:19 DB2-Backup systemd[1]: Started Update UTMP about System Runlevel Changes.
Nov 14 12:11:19 DB2-Backup systemd[1]: Startup finished in 4.488s (kernel) + 24.189s (userspace) = 28.678s.

Here is the start section from /usr/libexec/iptables.init
Code:
start() {
        # don't do squat if we don't have the config file
        if [ -f $IPTABLES_CONFIG ]; then
            # We do _not_ need to flush/clear anything when using iptables-restore
            echo $"Applying iptables firewall rules: "
            grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -w 5 -c && \
                    success $"Applying iptables firewall rules" || \
                    failure $"Applying iptables firewall rules"
            echo
            touch /var/lock/subsys/iptables
        fi
}

If I flush rules, then run basically the same command shown in /usr/libexec/iptables.init, it installs all my rules. Specifically:
Code:
# iptables -F
# grep -v "^[[:space:]]*#" /etc/sysconfig/iptables | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -w 5 -c

Now I can see my rules with iptables -L INPUT and I can connect using ssh and samba. So the basic command given in /usr/libexec/iptables.init appears to work.

But the output in the boot log says
Preparing iptables-restore input...
then
Running /sbin/iptables-restore --wait 60...
which are different than the output from /usr/libexec/iptables.init.

So it looks to me like shorewall startup is doing something different than running iptables.init. And no other iptables-restore is shown in the boot log, so perhaps /usr/libexec/iptables.init is not getting run?

Phil
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18

Re: Persistent iptables

Postby doktor5000 » Nov 15th, '19, 14:44

sln123 wrote:But the output in the boot log says
Preparing iptables-restore input...
then
Running /sbin/iptables-restore --wait 60...
which are different than the output from /usr/libexec/iptables.init.

That is because those are run by shorewall, which loads its own iptables configs, which are separate from the old/classic iptables-only one you're trying to load.

Apart from that, in your log I don't see iptables.service being started at all, this is also indicated by the missing log output from iptables.service.
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Persistent iptables

Postby sln123 » Nov 15th, '19, 21:16

doktor5000 wrote:
Apart from that, in your log I don't see iptables.service being started at all, this is also indicated by the missing log output from iptables.service.

So the question is then how do I get that to run?

I tried "systemctl start iptables.service" and it appears to reset to a simple accept all set of rules (i.e. it clears what I assume are the shorewall rules). Hoping that was a different behavior than might occur at boot, I even tried "systemctl enable iptables.service" then rebooted, but this loaded the shorewall rules without my new rules.

Or is there a way to configure the same settings as I would set using drakfirewall (i.e. save them to shorewall) without the gui?

Thanks

Phil
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18

Re: Persistent iptables

Postby doktor5000 » Nov 16th, '19, 15:56

Well, either you use shorewall (which is basically only a frontend to iptables) or you use iptables directly.
If you only want to use your own iptables rules, then I'd suggest to disable all the shorewall services.
Although it's probably easier to integrate your few rules into the Mageia shorewall configuration instead of what you're trying to do.
But I don't use either so I can't really help with that.

Totally apart from that, yes drakfirewall has an ncurses mode and can also be run without an X server. Didn't you try that beforehand?
doktor5000
 
Posts: 17659
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: Persistent iptables

Postby sln123 » Nov 18th, '19, 21:28

Drakfirewall in ncurses worked and I was able to connect using ssh and samba after a reboot.

Someday I'd like to know the right way to deal directly with iptables, but this solves the problem for me, so I have marked this topic as SOLVED.

Thanks

Phil
sln123
 
Posts: 24
Joined: Nov 13th, '19, 02:18
