arno-iptables-firewall / aif

GNU General Public License v2.0

"interfaces not started (yet?)" not true #5

Closed arjhun closed 10 years ago

arjhun commented 10 years ago

I started getting an error when starting my firewall.

Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
WARNING: External interface eth0 does NOT exist (yet?)
WARNING: External interface tun0 does NOT exist (yet?)

My interfaces are up and running.

When I isolate check_interface and run a simple test, it returns 1, not 0.

When I check

sudo bash -x /usr/sbin/arno-iptables-firewall restart 2>&1 |grep check_interface

it shows

+ check_interface eth0
+ check_interface tun0

Here is my full verbose output of a restart:

Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
WARNING: External interface tun0 does NOT exist (yet?)
Stopping (user) plugins...
 SSH Brute-Force Protection plugin v1.1a
Checking/probing Iptables modules:
 Loaded kernel module ip_tables. 
 Loaded kernel module nf_conntrack. 
 Loaded kernel module nf_conntrack_ftp. 
 Loaded kernel module xt_conntrack. 
 Loaded kernel module xt_limit. 
 Loaded kernel module xt_state. 
 Loaded kernel module xt_multiport. 
 Loaded kernel module iptable_filter. 
 Loaded kernel module iptable_mangle. 
 Loaded kernel module ipt_REJECT. 
 Loaded kernel module ipt_LOG. 
 Loaded kernel module xt_TCPMSS. 
 Loaded kernel module xt_DSCP. 
 Loaded kernel module iptable_nat. 
 Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring general kernel parameters:
 Setting the max. amount of simultaneous connections to 16384
Configuring kernel parameters:
 Disabling send redirects
 Enabling protection against source routed packets
 Enabling packet forwarding
 Setting some kernel performance options
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Enabling kernel support for dynamic IPs
 Enabling PMTU discovery
 Flushing route table
 Kernel setup done...
Initializing firewall chains
 Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, DROP all IPv6 packets
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 SSH Brute-Force Protection plugin v1.1a
  Loaded kernel module xt_recent. 
  Allowing bypass of SSH protection checks for: malevich
  Protecting TCP port(s): 22
 Loaded 1 plugin(s)...
Setting up external(INET) INPUT policy
 Logging of ICMP flooding enabled
 Enabling support for DHCP-assigned-IP (DHCP client)
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing ANYHOST for TCP port(s): 80
 Allowing ANYHOST for TCP port(s): 21
 Allowing ANYHOST for TCP port(s): 22
 Allowing ANYHOST for TCP port(s): 1194
 Allowing ANYHOST for TCP port(s): 8112
 Allowing ANYHOST for TCP port(s): 4040
 Allowing ANYHOST for TCP port(s): 10000
 Allowing ANYHOST for TCP port(s): 53
 Allowing ANYHOST for TCP port(s): 137
 Allowing ANYHOST for TCP port(s): 138
 Allowing ANYHOST for TCP port(s): 139
 Allowing ANYHOST for TCP port(s): 443
 Allowing ANYHOST for TCP port(s): 445
 Allowing ANYHOST for TCP port(s): 631
 Allowing ANYHOST for TCP port(s): 58846
 Allowing ANYHOST for TCP port(s): 873
 Allowing ANYHOST for TCP port(s): 17500
 Allowing ANYHOST for TCP port(s): 6566
 Allowing ANYHOST for TCP port(s): 50000:50200
 Allowing ANYHOST for TCP port(s): 8094
 Allowing ANYHOST for TCP port(s): 4444
 Allowing ANYHOST for TCP port(s): 23423
 Allowing ANYHOST for TCP port(s): 8895
 Allowing ANYHOST for TCP port(s): 8228
 Allowing ANYHOST for UDP port(s): 80
 Allowing ANYHOST for UDP port(s): 21
 Allowing ANYHOST for UDP port(s): 22
 Allowing ANYHOST for UDP port(s): 1194
 Allowing ANYHOST for UDP port(s): 8112
 Allowing ANYHOST for UDP port(s): 4040
 Allowing ANYHOST for UDP port(s): 10000
 Allowing ANYHOST for UDP port(s): 53
 Allowing ANYHOST for UDP port(s): 137
 Allowing ANYHOST for UDP port(s): 138
 Allowing ANYHOST for UDP port(s): 139
 Allowing ANYHOST for UDP port(s): 443
 Allowing ANYHOST for UDP port(s): 445
 Allowing ANYHOST for UDP port(s): 631
 Allowing ANYHOST for UDP port(s): 58846
 Allowing ANYHOST for UDP port(s): 873
 Allowing ANYHOST for UDP port(s): 17500
 Allowing ANYHOST for UDP port(s): 6566
 Allowing ANYHOST for UDP port(s): 50000:50200
 Allowing ANYHOST for UDP port(s): 8094
 Allowing ANYHOST for UDP port(s): 4444
 Allowing ANYHOST for UDP port(s): 1900
 Allowing ANYHOST for UDP port(s): 8228
 Allowing ANYHOST to send IPv4 ICMP-requests (ping)
 Logging of possible stealth scans enabled
 Logging of (other) packets to PRIVILEGED TCP ports enabled
 Logging of (other) packets to PRIVILEGED UDP ports enabled
 Logging of (other) packets to UNPRIVILEGED TCP ports enabled
 Logging of (other) packets to UNPRIVILEGED UDP ports enabled
 Logging of IGMP packets enabled
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: eth0 (without an external subnet specified)
Applying external(INET) policy to interface: tun0 (without an external subnet specified)
Security is LOOSENED for external interface(s) in the FORWARD chain!
 Logging of dropped FORWARD packets enabled

Dec 01 15:03:04 All firewall rules applied.

arnova commented 10 years ago

Did you try running it manually from the command line as well? And mind posting the output of 'ifconfig'?

a.


Arno van Amersfoort E-mail : arnova@rocky.eld.leidenuniv.nl

Donations are welcome through Paypal!

Arno's (Linux IPTABLES Firewall) Homepage: http://rocky.eld.leidenuniv.nl

arnova commented 10 years ago

Oh and please provide the output of "ip -o link show" as well.

a.


arjhun commented 10 years ago

Hi Arno,

I added ifconfig to the 'check_interface' function in 'environment'.

arjen@giver:~$ sudo arno-iptables-firewall start
Arno's Iptables Firewall Script v2.0.0c
-------------------------------------------------------------------------------
Platform: Linux 3.8.0-32-generic i686
eth0      Link encap:Ethernet  HWaddr 1c:6f:65:b7:fb:6e
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:feb7:fb6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69541107 errors:0 dropped:226 overruns:0 frame:0
          TX packets:91859856 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54367631337 (54.3 GB)  TX bytes:98703534341 (98.7 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:673687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:673687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:788507850 (788.5 MB)  TX bytes:788507850 (788.5 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:230253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423596 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14072643 (14.0 MB)  TX bytes:497868696 (497.8 MB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.23.0.18  P-t-P:172.23.0.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26544 errors:0 dropped:155 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3803462 (3.8 MB)

WARNING: External interface eth0 does NOT exist (yet?)
eth0      Link encap:Ethernet  HWaddr 1c:6f:65:b7:fb:6e
          inet addr:192.168.1.109  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::1e6f:65ff:feb7:fb6e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:69541109 errors:0 dropped:226 overruns:0 frame:0
          TX packets:91859860 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54367631538 (54.3 GB)  TX bytes:98703537907 (98.7 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:673687 errors:0 dropped:0 overruns:0 frame:0
          TX packets:673687 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:788507850 (788.5 MB)  TX bytes:788507850 (788.5 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:230254 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423607 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14072683 (14.0 MB)  TX bytes:497872440 (497.8 MB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.23.0.18  P-t-P:172.23.0.17  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26544 errors:0 dropped:155 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:3803462 (3.8 MB)

WARNING: External interface tun0 does NOT exist (yet?)
Checking/probing Iptables modules:
 Loaded kernel module ip_tables.

...


Dec 01 22:17:28 All firewall rules applied.

And here is the output of ip -o link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 1c:6f:65:b7:fb:6e brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100\    link/none
4: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100\    link/none

I'm at a loss here. I don't even know if this message will affect code execution down the line. Thanks in advance...

Arjen Klaverstijn

abelbeck commented 10 years ago

The WARNING: is only that, but clearly something is not correct...

For completeness, what is the output of:

ip -o link show | cut -d':' -f2

We previously have seen situations like this where a bug in coreutils (seq) caused an issue.

Lonnie

arjhun commented 10 years ago

Okay, so I thought I'd found the problem. The result of the cut command (but also awk -F '[:]' '{print $2}') resulted in lines with a leading whitespace:

 lo
 eth0
 tun0
 tun1

So I first piped the ip -o command through tr -d ' ', which seemingly resulted in clean lines, changed it in the code, but to no avail :-(

abelbeck commented 10 years ago

That output looks fine, the leading space is expected. What is your default shell?

ls -l /bin/sh

-and try-

interface="tun0" ; echo "${interface%@*}" (should be: tun0)

arjhun commented 10 years ago

It returned tun0.

$ ls -l /bin/sh

/bin/sh -> dash

Output of that function. Obviously local_interfaces is empty; the problem must be within the trace or ip wrapper functions:

+ echo 'Dec 02 19:23:16 ** Restarting Arno'\''s Iptables Firewall v2.0.0c **'
+ echo '** Restarting Arno'\''s Iptables Firewall v2.0.0c **'
+ logger -t firewall -p kern.info
+ start_restart
++ uname -s -r -m
+ echo 'Platform: Linux 3.8.0-32-generic i686'
+ config_check
+ '[' -z 'eth0 tun0' ']'
+ IFS=' ,'
+ for interface in '$EXT_IF'
+ check_interface eth0
+ local interface 'IFS= '
++ ip -o link show
++ trace /sbin/ip -o link show
++ '[' -n /tmp/aif-trace.20131202-19:23:16 ']'
++ cut -d: -f2
++ sed 's/^: //'
+ local interfaces=
+ unset IFS
+ return 1
+ printf '\033[40m\033[1;31mWARNING: External interface eth0 does NOT exist (yet?)\033[0m\n'
WARNING: External interface eth0 does NOT exist (yet?)
+ for interface in '$EXT_IF'
+ check_interface tun0
+ local interface 'IFS= '
++ ip -o link show
++ tr -d ' '
++ '[' -n /tmp/aif-trace.20131202-19:23:16 ']'
++ cut -d: -f2
++ sed 's/^: //'
+ local interfaces=
+ unset IFS
+ return 1
+ printf '\033[40m\033[1;31mWARNING: External interface tun0 does NOT exist (yet?)\033[0m\n'
WARNING: External interface tun0 does NOT exist (yet?)
+ IFS=' ,'
+ IFS=' ,'
+ IFS=' ,'
+ IFS=' ,'
+ for eif in '$EXT_IF'
+ for eif in '$EXT_IF'
+ IFS=' ,'
+ for eif in '$EXT_IF'
+ '[' eth0 = lo -o eth0 = 127.0.0.1 ']'
+ for eif in '$EXT_IF'
+ '[' tun0 = lo -o tun0 = 127.0.0.1 ']'
+ IFS=' ,'

abelbeck commented 10 years ago

If you edit "/usr/sbin/arno-iptables-firewall" 1st line

Does the problem go away?

Lonnie

arjhun commented 10 years ago

Sorry Lonnie, it doesn't work. I already tried that. I'll fiddle some more this week and let you know if I can find the issue. I just know that it's because of something that I misconfigured, but maybe we can learn something from the warnings I get. Thanks for the help so far, guys!!!

arjhun commented 10 years ago

Btw, AIF, is just the best. My dad started using it when we got ISDN, I think he even contributed some code back then. :smile:

abelbeck commented 10 years ago

Also, double check your check_interface() function in the /usr/share/arno-iptables-firewall/environment script, it should look like this:

# Check existence of an interface
check_interface()
{
  local interface IFS=' '

  local interfaces="$(ip -o link show | cut -d':' -f2)"
  unset IFS
  for interface in $interfaces; do
    case "$1" in
      # Wildcard interface?
      *+) if [ "${1%+}" = "${interface%%[0-9]*}" ]; then
            return 0
          fi
          ;;
       *) if [ "${1}" = "${interface%@*}" ]; then
            return 0
          fi
          ;;
    esac
  done
  # Interface not found
  return 1
}

Possibly if bash works, your dash might prefer

  local interfaces
  interfaces="$(ip -o link show | cut -d':' -f2)"

Lonnie

abelbeck commented 10 years ago

Hi Arjen,

I was able to reproduce your problem; it only occurs when you set TRACE=1.

So there are 3 possible fixes:

1) Set in your firewall.conf

TRACE=0

2) change in environment

@@ -1506,7 +1506,7 @@
 {
   local interface IFS=' '

-  local interfaces="$(ip -o link show | cut -d':' -f2)"
+  local interfaces="$($IP -o link show | cut -d':' -f2)"

   unset IFS
   for interface in $interfaces; do
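Review bot: this only bypasses the wrapper at one call site. `check_interface()` now calls `$IP` directly, so its command substitution no longer goes through `ip()` and the `trace` call that leaves `local interfaces=` empty in the debug output above, but any other `$(ip ...)` in the script keeps the same failure under TRACE=1, and the comment further down notes this workaround is already duplicated elsewhere. If this is the chosen fix, add a comment on the changed line explaining why `$IP` rather than `ip` must be used here, otherwise a later cleanup will reintroduce the bug.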

3) change in environment

@@ -653,7 +653,7 @@
 ###################
 ip()
 {
-  trace $IP "$@"
+  $IP "$@"
 }
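Review bot: removing `trace` from `ip()` cures the empty command substitution, but it also means that with TRACE=1 no `ip` invocation is recorded any more, so the trace option becomes partially silent rather than fixed. If the option is kept, the root cause to address is in `trace()` itself, which must return the wrapped command's stdout to the caller (write only the command line to the trace file, or copy the output with `tee -a`) instead of consuming it. Either way the change deserves a comment line under the `###################` banner stating whether `ip()` is still meant to be traced.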

Personally I have never found the TRACE "feature" useful, and if Arno decided to remove it I would not complain. :-)

There is another place that $IP is used instead of ip to work around this trace problem.

Then again, this problem only occurs if TRACE=1

Lonnie
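The failure traced in this thread (a trace wrapper that consumes the wrapped command's stdout, so `$(ip -o link show | cut ...)` comes back empty and every interface is reported missing) next to a wrapper that passes the output through, as an added example that is not AIF's own code. `fake_ip` is a constructed stand-in for `/sbin/ip`, `trace_swallow` and `trace_passthru` are hypothetical wrapper names, and `check_interface()` follows the function posted above.

```shell
#!/bin/sh
# Added example, not AIF's own code. Reproduces the failure from this thread:
# a trace wrapper that consumes the wrapped command's stdout makes
#   interfaces="$(ip -o link show | cut -d':' -f2)"
# empty, so check_interface() reports every interface as missing. The
# pass-through wrapper next to it shows what a trace() that keeps working
# inside command substitutions has to do.

TRACE=1
TRACE_FILE="${TMPDIR:-/tmp}/aif-trace-example.$$"

# Constructed stand-in for /sbin/ip, so the example needs neither root nor
# iproute2. Lines taken from the 'ip -o link show' output in the thread plus
# one constructed veth interface carrying an '@ifN' suffix.
fake_ip() {
  [ "$1 $2 $3" = "-o link show" ] || return 1
  printf '%s\n' \
    '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN \    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00' \
    '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000\    link/ether 1c:6f:65:b7:fb:6e brd ff:ff:ff:ff:ff:ff' \
    '3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100\    link/none' \
    '5: veth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP \    link/ether 02:42:c0:a8:01:02 brd ff:ff:ff:ff:ff:ff'
}
IP=fake_ip

# Hypothetical wrapper modelling the bug: command line and command output are
# both redirected into the trace file, so the caller's $(...) receives nothing.
trace_swallow() {
  if [ "$TRACE" = "1" ]; then
    { printf '+ %s\n' "$*"; "$@"; } >>"$TRACE_FILE" 2>&1
  else
    "$@"
  fi
}

# Hypothetical fixed wrapper: only the command line is written to the trace
# file; the command's stdout is copied there with tee and still reaches the
# caller. (In POSIX sh the pipeline's status is tee's, not the command's.)
trace_passthru() {
  if [ "$TRACE" = "1" ]; then
    printf '+ %s\n' "$*" >>"$TRACE_FILE"
    "$@" | tee -a "$TRACE_FILE"
  else
    "$@"
  fi
}

# ip() wrapper in the style of AIF's environment script; the trace
# implementation it routes through is selected via TRACE_IMPL.
TRACE_IMPL=trace_passthru
ip() {
  "$TRACE_IMPL" "$IP" "$@"
}

# Same logic as the check_interface() posted in the thread, using the separate
# declaration/assignment suggested for dash.
check_interface() {
  local interface interfaces IFS=' '
  interfaces="$(ip -o link show | cut -d':' -f2)"
  unset IFS
  for interface in $interfaces; do
    case "$1" in
      # Wildcard interface, e.g. tun+ matches tun0, tun1, ...
      *+) if [ "${1%+}" = "${interface%%[0-9]*}" ]; then
            return 0
          fi
          ;;
      # Plain name; strip a veth-style '@ifN' suffix before comparing
       *) if [ "$1" = "${interface%@*}" ]; then
            return 0
          fi
          ;;
    esac
  done
  return 1
}

# probe <wrapper> <interface>: run check_interface through the given wrapper;
# exit status is the check's result (0 = found, 1 = missing).
probe() {
  TRACE_IMPL=$1
  check_interface "$2"
}

for ifn in eth0 tun+ veth0 wlan0; do
  if probe trace_swallow "$ifn"; then r1=found; else r1=missing; fi
  if probe trace_passthru "$ifn"; then r2=found; else r2=missing; fi
  printf '%-6s swallow: %-8s passthru: %s\n' "$ifn" "$r1" "$r2"
done
rm -f "$TRACE_FILE"
```

With the swallowing wrapper every probe reports "missing", exactly the `local interfaces=` seen in the debug trace above; with the pass-through wrapper eth0, tun+ and veth0 are found and only wlan0 is missing, while the trace file still records each `ip` call.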

arjhun commented 10 years ago

Hey great! It does work now. Well, I think most people don't touch the trace option anyway, like I did (mysteriously). Otherwise there would have been problems with it in the past. Anyway, thanks for all the help. A firewall without warnings just makes me feel a lot better, even though everything a firewall should do worked fine.

arnova commented 10 years ago

I haven't used it either, to be honest; I don't really care if it stays or leaves as long as it doesn't break anything (like it does now).

@lonnie: Why does the trace() function cause this problem? Is it the sed parsing inside trace()? If you want to rip out trace(), go ahead, btw. :)

-arno


arnova commented 10 years ago

This has been fixed in master... closing.