rebuild-iptables failing on debian

[pduersteler]

Cookbook version

Current master branch at 32bbecd

Chef-client version

Chef: 12.10.24

Platform Details

Developing on OS X, client runs Debian GNU/Linux 8.4 (jessie)

Scenario:

Rules are not applied to iptables. The rule files are put in /etc/iptables.d/, but are not being loaded due to an error thrown by rebuild-iptables.

Steps to Reproduce:

• Add `cookbook 'iptables', github: 'chef-cookbooks/iptables'`` to Berksfile
• Add depends 'iptables' to metadata.rb
• Add iptables_rule 'http_80' { lines '-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT' }
• Run kitchen converge
• See missing rules when executing iptables -L
• SSH into client and manually run rebuild-iptables to try
• See that rules are still missing when executing iptables -L

  Expected Result:

iptables -L should display rules, and manually running rebuild-iptables should not throw an error.

Actual Result:

When running rebuild-iptables, the following error message is displayed:

Bad argument `{IP6TABLES_MODULES'
Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
cp: cannot create regular file '/etc/sysconfig/iptables': No such file or directory

Also, there is no /etc/sysconfig on jessie.

[shubhamitc]

This is because you are using iptables attribute set and these attributes are added. Create another attribute set like default['iptables']['rules'] and iterate over that. That should solve this issue.

[lamont-granquist]

closing this as its over 6 months old now and seems to not be a bug

[hedgehog]

I've run into a similar issue. My recipe file has:

iptables_rule 'vpn_forward' do
  lines '-I FORWARD -j ACCEPT'
end

the file is created with correct content in /etc/iptables.d/vpn_forward

The error is about a -t option:

sudo rebuild-iptables
iptables-restore v1.6.0: The -t option (seen in line 7) cannot be used in iptables-restore.

Error occurred at line: 7
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
cp: cannot create regular file '/etc/sysconfig/iptables': No such file or directory

The issue and solution are addressed here:

http://stackoverflow.com/questions/35272615/the-t-option-cannot-be-used-in-iptables-restore

The solution in the context of this cookbook is to use a template such as

*nat
# Redirect VPN traffic
-A POSTROUTING -s <%= node['openvpn']['subnet'] %>/<%= node['openvpn']['netmask'] %> -o <%= node['network']['default_interface'] %> -j MASQUERADE

Hope this helps someone. A possible improvement/enhancement is for the line method to do some validity checks before writing the iptable snippet. However, down this path you're like to descend in to regexp hell....

[dpnsan]

This issue is also affecting me. The cause is that Ubuntu does not use /etc/sysconfig, and my tests fail in Ubuntu 14.04 for this reason. The correct location would be /etc/network. The previous iteration of this script created an /etc/iptables directory for this purpose, which would also work.

[hedgehog]

@lamont-granquist is this worth re-opening?

[lamont-granquist]

I don't see how @dpnsan's comment relates to the other error messages here or how it relates to the refactoring of the iptables cookbook in https://github.com/chef-cookbooks/iptables/commit/d8b00099b143702ac2c9534cfb95acca609444c7 which seems to still leave the /etc/iptables/general file in place, so i can't see how that broke anything.

At this point it would be better to open a PR to show me rather than tell me, because IDK what to fix here.

[congaframe]

I'm having the same issue on Debian 7 ( Test Kitchen). I tried the recommended rule on README:

iptables_rule 'http_8080' do
  lines '-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080'
end

then manually run this command to load it : /sbin/iptables-restore < /etc/iptables/general which failed on line 7 ( COMMIT) It seems the file /etc/iptables/general is written in incorrect format. I used template and it works fine.