Open davidmarquesneves opened 3 years ago
@davidmarquesneves : Adding |iptables|ip6tables to the case only adds "hints" ... as long as PATH contains /usr/sbin (which sudo should do) this sanity check should work without adding extra "hints". The which command follows the PATH variable. What is your:
sudo echo "$PATH"
And what's the AIF version you're using? I have 2.1.1 running on several Debian 10 without any issues.
arno-iptables-firewall, version 2.0.3-2, from Debian repos.
echo "$PATH"
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
BUT... Not using sudo, just "sudo -" .
The AIF code should work as-is then; which iptables should output /usr/sbin/iptables
Exactly.
In root shell, which iptables outputs nothing.
I'm investigating a bit about iptables-legacy vs. iptables-nft
@davidmarquesneves : One data point, my custom Linux distro has:
ls -l /usr/sbin/iptables*
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx 1 root root 20 Mar 26 15:21 /usr/sbin/iptables-save -> xtables-legacy-multi
but we build iptables with --disable-nftables (Debian does not)
Possibly you don't have the /usr/sbin/iptables -> xtables-legacy-multi symlink? Maybe there is a Debian option to choose between "legacy" and "nft" or set the appropriate symlinks?
Exactly.
After....
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy
...AND A REBOOT it is working fine again with the original environment file.
This specific server was installed using Debian 10.5 with iptables-nft (the default for buster) and worked out of the box, but after some update (10.8 or 10.9, I can't answer..) the error discussed here appears and it stops working.
A clue: service arno-iptables-firewall status WORKS, but no other option does.
Problem solved, but at this point I really can't decide whether the code needs to be changed.
In line 75 of "environment" (usually at /usr/share/arno-iptables-firewall/) change from
ipset) path="/usr/sbin/" ;;
to
ipset|iptables|ip6tables) path="/usr/sbin/" ;;
# Check whether a certain command is available
check_command()
{
  local cmd path IFS

  IFS=' '
  for cmd in $*; do
    case "$cmd" in
      /*) path="" ;;
      ip|tc|modprobe|sysctl) path="/sbin/" ;;
      sed|cat|date|uname) path="/bin/" ;;
      ipset|iptables|ip6tables) path="/usr/sbin/" ;;
      *) path="/usr/bin/" ;;
    esac

    # The test itself was lost in the extraction; per the thread it tries the
    # hinted path first and then falls back to which(1), which searches PATH.
    if [ -x "${path}${cmd}" ] || which "$cmd" >/dev/null 2>&1; then
      return 0
    fi
  done

  return 1
}
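The lookup the thread argues about (a fixed "hint" directory first, then a PATH walk the way which(1) does) and the legacy-vs-nft symlink question can be exercised without touching a live box. The script below is an added example, not code from arno-iptables-firewall; it re-implements both lookups against a constructed fake /usr/sbin in a temp directory and then, if present, inspects the real system. Assumptions: Debian's alternatives layout, where /usr/sbin/iptables is a symlink chain ending in xtables-legacy-multi or xtables-nft-multi, and a readlink that supports -f (GNU coreutils or busybox). It also shows the two failure modes from the thread: PATH without /usr/sbin (where only the hint helps) and a dangling alternatives link (where neither helps, and which prints nothing even though /usr/sbin is in PATH).

```shell
#!/bin/sh
# Added example, not arno-iptables-firewall code.

# Walk a PATH string like which(1). $1 = command, $2 = PATH value.
# Prints the first executable regular file; returns 1 if none. A dangling
# symlink fails the -f/-x tests, so it is skipped just as which would skip it.
path_lookup() {
  pl_cmd=$1
  pl_saved_ifs=$IFS
  IFS=':'
  for pl_dir in $2; do
    [ -z "$pl_dir" ] && pl_dir=.
    if [ -f "$pl_dir/$pl_cmd" ] && [ -x "$pl_dir/$pl_cmd" ]; then
      IFS=$pl_saved_ifs
      printf '%s\n' "$pl_dir/$pl_cmd"
      return 0
    fi
  done
  IFS=$pl_saved_ifs
  return 1
}

# Same order as AIF's check_command(): hinted directory first, then PATH.
# $1 = command, $2 = hint directory (may be empty), $3 = PATH value.
find_cmd() {
  if [ -n "$2" ] && [ -f "$2/$1" ] && [ -x "$2/$1" ]; then
    printf '%s\n' "$2/$1"
    return 0
  fi
  path_lookup "$1" "$3"
}

# Resolve the whole symlink chain (on Debian: iptables -> /etc/alternatives/
# iptables -> iptables-legacy -> xtables-legacy-multi) and name the backend.
# Prints "dangling" and returns 1 when the chain ends at a missing file.
iptables_backend() {
  ib_target=$(readlink -f "$1" 2>/dev/null)
  if [ -z "$ib_target" ] || [ ! -e "$ib_target" ]; then
    echo dangling
    return 1
  fi
  case ${ib_target##*/} in
    xtables-legacy-multi) echo legacy ;;
    xtables-nft-multi)    echo nft ;;
    *)                    echo unknown ;;
  esac
}

# Constructed sandbox standing in for /usr/sbin, so the demo runs offline.
demo() {
  d_root=$(mktemp -d)
  d_sbin=$d_root/usr/sbin
  mkdir -p "$d_sbin" "$d_root/usr/bin"
  printf '#!/bin/sh\n' > "$d_sbin/xtables-nft-multi"
  chmod 755 "$d_sbin/xtables-nft-multi"
  ln -s xtables-nft-multi "$d_sbin/iptables-nft"
  ln -s iptables-nft "$d_sbin/iptables"

  echo "-- healthy nft install, PATH contains the sbin dir --"
  d_found=$(find_cmd iptables "" "$d_root/usr/bin:$d_sbin") \
    && echo "found: $d_found ($(iptables_backend "$d_found"))"

  echo "-- PATH lacks the sbin dir: only the hint saves the check --"
  path_lookup iptables "$d_root/usr/bin" >/dev/null || echo "PATH lookup: not found"
  d_found=$(find_cmd iptables "$d_sbin" "$d_root/usr/bin") && echo "hint lookup: $d_found"

  echo "-- alternatives link left dangling: nothing finds it --"
  rm "$d_sbin/xtables-nft-multi"
  find_cmd iptables "$d_sbin" "$d_sbin" >/dev/null || echo "find_cmd: not found"
  echo "backend: $(iptables_backend "$d_sbin/iptables" || true)"
  rm -rf "$d_root"
}
demo

# Live system, when this runs on a real box.
if d_live=$(find_cmd iptables /usr/sbin "$PATH"); then
  echo "system iptables: $d_live -> $(iptables_backend "$d_live")"
else
  echo "system iptables not found; inspect with: update-alternatives --display iptables"
fi
```

On a Debian host the last block is the quick triage for this issue: if it prints "not found" while /usr/sbin is in PATH, the alternatives link is dangling, and update-alternatives --config iptables (or --set, as in the thread) repairs it; if it resolves to nft while you expected legacy, that is the backend switch rather than a PATH problem.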