arno-iptables-firewall / aif

GNU General Public License v2.0

No iptables/ip6tables found at Debian 10 (2021/03/26) #83

Open davidmarquesneves opened 3 years ago

davidmarquesneves commented 3 years ago

In line 75 of "environment" (usually at /usr/share/arno-iptables-firewall/), change

```sh
ipset) path="/usr/sbin/" ;;
```

to

```sh
ipset|iptables|ip6tables) path="/usr/sbin/" ;;
```

```sh
# Check whether a certain command is available
check_command()
{
  local cmd path IFS

  IFS=' '
  for cmd in $*; do
    # Pick a "hint" directory for well-known commands; an absolute path is used as-is
    case "$cmd" in
      /*) path="" ;;
      ip|tc|modprobe|sysctl) path="/sbin/" ;;
      sed|cat|date|uname) path="/bin/" ;;
      ipset|iptables|ip6tables) path="/usr/sbin/" ;;
      *) path="/usr/bin/" ;;
    esac

    # First try the hinted location
    if [ -x "$path$cmd" ]; then
      return 0
    fi

    # Then fall back to a PATH lookup via which
    if [ -n "$(which "$cmd" 2>/dev/null)" ]; then
      return 0
    fi
  done

  return 1
}
```

abelbeck commented 3 years ago

@davidmarquesneves : Adding |iptables|ip6tables to the case only adds "hints" ... as long as PATH contains /usr/sbin (which sudo should do) this sanity check should work without adding extra "hints".

The which command follows the PATH variable. What is your:

```sh
sudo echo "$PATH"
```

arnova commented 3 years ago

And what's the AIF version you're using? I have 2.1.1 running on several Debian 10 without any issues.

davidmarquesneves commented 3 years ago

> And what's the AIF version you're using? I have 2.1.1 running on several Debian 10 without any issues.

arno-iptables-firewall, version 2.0.3-2, from Debian repos.

davidmarquesneves commented 3 years ago

```sh
echo "$PATH"
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

BUT... Not using sudo, just "sudo -".

abelbeck commented 3 years ago

> ```sh
> echo "$PATH"
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> ```

The AIF code should work as-is then, `which iptables` should output /usr/sbin/iptables

davidmarquesneves commented 3 years ago

> ```sh
> echo "$PATH"
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
> ```
>
> The AIF code should work as-is then, `which iptables` should output /usr/sbin/iptables

Exactly. In a root shell, `which iptables` outputs nothing.

I'm investigating a bit about iptables-legacy vs. iptables-nft.

abelbeck commented 3 years ago

@davidmarquesneves : One data point, my custom Linux distro has:

```sh
ls -l /usr/sbin/iptables*
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-save -> xtables-legacy-multi
```

but we build iptables with --disable-nftables (Debian does not)

Possibly you don't have the /usr/sbin/iptables -> xtables-legacy-multi symlink ? Maybe there is a Debian option to choose between "legacy" and "nft" or set the appropriate symlinks ?

davidmarquesneves commented 3 years ago

> @davidmarquesneves : One data point, my custom Linux distro has:
>
> ```sh
> ls -l /usr/sbin/iptables*
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-restore -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-save -> xtables-legacy-multi
> ```
>
> but we build iptables with --disable-nftables (Debian does not)
>
> Possibly you don't have the /usr/sbin/iptables -> xtables-legacy-multi symlink ? Maybe there is a Debian option to choose between "legacy" and "nft" or set the appropriate symlinks ?

Exactly.

After...

```sh
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy
```

...AND A REBOOT, it is working fine again with the original environment file.

This specific server was installed using Debian 10.5 with iptables-nft (the default for buster) and worked out of the box, but after some update (10.8 or 10.9, I can't say which) the error discussed here appeared and it stopped working.

A clue: `service arno-iptables-firewall status` WORKS, but no other options do.

Problem solved, but at this point I really can't decide whether the code needs to be changed.
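As an added example (not code from arno-iptables-firewall or from anyone in this thread), the POSIX shell script below reproduces the two lookups that `check_command()` in `environment` relies on, a hinted directory followed by a PATH walk, and classifies the iptables backend by following the symlink chain the way Debian's update-alternatives lays it out (`/usr/sbin/iptables -> /etc/alternatives/iptables -> /usr/sbin/iptables-nft -> xtables-nft-multi`). It builds a constructed fake root under `mktemp -d` so it runs offline and never touches the host firewall; the function names `resolve_cmd`, `check_cmd`, `iptables_backend` and `build_fake_root` are the example's own. The `none` state models what the reporter hit: `iptables-nft` is installed and executable, but with the `/usr/sbin/iptables` alternative link gone both the hint path and the PATH walk fail, so `which iptables` prints nothing.

```shell
#!/bin/sh
# Added example, not AIF code. Reproduce check_command()'s lookups and classify
# the iptables backend from the symlink chain on a constructed fake root.

# resolve_cmd NAME [SEARCHPATH]: print the first executable NAME found in the
# colon-separated SEARCHPATH (default: $PATH). This is the work `which`, or the
# portable `command -v`, does. Returns 1 when nothing matches.
resolve_cmd() {
  _name=$1
  _rest=${2:-$PATH}:            # trailing colon so the last entry is consumed
  while [ -n "$_rest" ]; do
    _dir=${_rest%%:*}
    _rest=${_rest#*:}
    [ -n "$_dir" ] || continue  # skip empty entries ("::")
    if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
      printf '%s\n' "$_dir/$_name"
      return 0
    fi
  done
  return 1
}

# check_cmd NAME HINTDIR SEARCHPATH: AIF-style check. The hint directory is
# tried first (the `ipset) path="/usr/sbin/"` case), then the PATH walk.
check_cmd() {
  [ -x "$2/$1" ] && return 0
  resolve_cmd "$1" "$3" >/dev/null
}

# iptables_backend FILE: follow FILE's symlink chain (relative and absolute
# targets, bounded to 16 hops) and print legacy, nft or unknown from the name
# of the final target. A missing file or dangling link ends up as unknown.
iptables_backend() {
  _target=$1
  _hops=0
  while [ -L "$_target" ] && [ "$_hops" -lt 16 ]; do
    _link=$(readlink "$_target")
    case $_link in
      /*) _target=$_link ;;
      *)  _target=$(dirname "$_target")/$_link ;;
    esac
    _hops=$((_hops + 1))
  done
  [ -e "$_target" ] || { echo unknown; return 0; }
  case $(basename "$_target") in
    *legacy*) echo legacy ;;
    *nft*)    echo nft ;;
    *)        echo unknown ;;
  esac
}

# build_fake_root ROOT BACKEND: constructed miniature Debian layout under ROOT
# (sample data, not a real system). BACKEND is legacy or nft, mirroring
# `update-alternatives --set iptables /usr/sbin/iptables-BACKEND`; "none"
# leaves the multi binaries and iptables-nft/-legacy links in place but
# removes the /usr/sbin/iptables alternative link.
build_fake_root() {
  _root=$1
  _backend=$2
  mkdir -p "$_root/usr/sbin" "$_root/etc/alternatives"
  for _multi in xtables-legacy-multi xtables-nft-multi; do
    printf '#!/bin/sh\nexit 0\n' > "$_root/usr/sbin/$_multi"
    chmod 0755 "$_root/usr/sbin/$_multi"
  done
  ln -sf xtables-legacy-multi "$_root/usr/sbin/iptables-legacy"
  ln -sf xtables-nft-multi    "$_root/usr/sbin/iptables-nft"
  rm -f "$_root/usr/sbin/iptables" "$_root/etc/alternatives/iptables"
  if [ "$_backend" != none ]; then
    ln -s "$_root/usr/sbin/iptables-$_backend" "$_root/etc/alternatives/iptables"
    ln -s ../../etc/alternatives/iptables "$_root/usr/sbin/iptables"
  fi
}

# Demo: walk the three states on a throwaway root and report what a
# check_command()-style lookup would see in each.
demo_root=$(mktemp -d)
for state in nft legacy none; do
  build_fake_root "$demo_root" "$state"
  if found=$(resolve_cmd iptables "$demo_root/usr/sbin"); then
    echo "$state: iptables -> $found, backend=$(iptables_backend "$found")"
  else
    echo "$state: iptables not found on the search path (check_command would fail)"
  fi
done
rm -rf "$demo_root"
```

Run it with `sh` as an unprivileged user; everything happens under the temporary root. On a real Debian host the same three functions can be pointed at `/usr/sbin/iptables` and `$PATH` to confirm which backend the alternatives link selects before switching it with `update-alternatives`.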