chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the os handles these settings.
GNU General Public License v3.0

iptables-persistent restart always seems to fail #29

Closed tpitale closed 10 years ago

tpitale commented 10 years ago

This is the log from my chef deploy: https://gist.github.com/tpitale/6486b47018ae2e07930c This happens on every chef run.

I'm not sure if it's due to one of my rules, or something else with chef (chef-solo on Ubuntu 14.04 LTS).

I'll start by disabling all my rules and adding them one at a time. Any other information you might have would be helpful, thanks!

tpitale commented 10 years ago

Odd, /etc/iptables/rules.v4 has all my rules in it, but iptables -L -v does not.

root@wineistasty:~# cat /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
--append INPUT -i lo -j ACCEPT
--append INPUT -i lo -d 127.0.0.0/8 -j REJECT
--append INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--append INPUT -p tcp --dport 80 -j ACCEPT
--append INPUT -p tcp --dport 3001 -j ACCEPT
--append INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
--append INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
--append INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
--append FORWARD -j REJECT
COMMIT

tpitale commented 10 years ago

If I run /etc/init.d/iptables-persistent restart myself, it restarts, but nothing is loaded.

All of my rules are in /etc/iptables.d/filter/INPUT/ … and are numbered in the order I want them to be in.

chr4 commented 10 years ago

There's most likely something wrong with your ruleset. You can probably get a more verbose output with the following commands:

iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6

A guess would be that you used -d 127.0.0.0/8 but did not limit the rule to IPv4 with ip_version 4 when calling the LWRP?

tpitale commented 10 years ago

Ohhhh, very probably. Let me try that.

tpitale commented 10 years ago

I changed my rule to add the version like so:

iptables_ng_rule '01-loopback-v4' do
  rule ['-i lo -j ACCEPT', '-i lo -d 127.0.0.0/8 -j REJECT']
  ip_version 4
  action :create_if_missing
end

And it still failed, I don't appear to have anything in my rules other than that which uses 127.0.0.0/8.

tpitale commented 10 years ago

ip6tables-restore errors with:

ip6tables-restore v1.4.21: Couldn't load match `icmp':No such file or directory

Error occurred at line: 9 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

tpitale commented 10 years ago

Not a problem with iptables-ng, thanks for your help!
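The failure mode in this thread (an IPv4-only match such as `-d 127.0.0.0/8` or `-p icmp --icmp-type 8` being written into rules.v6, so ip6tables-restore aborts and the iptables-persistent restart leaves no rules loaded) can be caught before a converge. The following is an added example, not code from iptables-ng or from the reporter: a small static check over rule definitions shaped like the `iptables_ng_rule` calls in the thread. It assumes that `ip_version` accepts an Integer or an Array and that a resource without it targets both 4 and 6; the rules.v6 layout it renders (a `*filter` header, three chain-policy lines, `--append` lines, `COMMIT`) is copied from the posted rules.v4, and the resource list is constructed from the rules shown above.

```ruby
# Added example, not part of iptables-ng: flag rules that would land in
# /etc/iptables/rules.v6 but can only be parsed by the IPv4 iptables backend.
require 'ipaddr'

# True when a single rule string (the value given to `rule`) is IPv4-only:
# the `icmp` protocol/match and --icmp-type belong to iptables, ip6tables
# uses icmpv6/ipv6-icmp; an IPv4 address after -s/-d is v4-only as well.
def ipv4_only_rule?(rule)
  tokens = rule.split
  return true if tokens.include?('--icmp-type')
  tokens.each_cons(2).any? do |flag, arg|
    case flag
    when '-p', '--protocol', '-m', '--match'
      arg == 'icmp'
    when '-s', '--source', '-d', '--destination'
      begin
        IPAddr.new(arg).ipv4?
      rescue IPAddr::InvalidAddressError
        false          # interface names, "!" negation etc. are not addresses
      end
    else
      false
    end
  end
end

# Resources are hashes mirroring the LWRP attributes used in the thread:
# :name, :rule (String or Array), optional :ip_version (Integer or Array).
# A missing :ip_version is assumed to mean both 4 and 6.
def target_versions(res)
  Array(res.fetch(:ip_version, [4, 6]))
end

# Every (resource, rule) pair that would be emitted for v6 but is IPv4-only.
def lint_rules(resources)
  resources.flat_map do |res|
    next [] unless target_versions(res).include?(6)
    Array(res[:rule]).select { |r| ipv4_only_rule?(r) }
                     .map { |r| { name: res[:name], rule: r } }
  end
end

# Render rules.v6 in the layout seen in the posted rules.v4 (assumed layout)
# so a finding can be mapped to the "Error occurred at line: N" that
# ip6tables-restore prints. Resources are ordered by name, like the numbered
# files in /etc/iptables.d/.
def render_v6(resources, chain: 'INPUT')
  lines = ['*filter', ':INPUT ACCEPT [0:0]', ':FORWARD ACCEPT [0:0]', ':OUTPUT ACCEPT [0:0]']
  resources.sort_by { |r| r[:name] }.each do |res|
    next unless target_versions(res).include?(6)
    Array(res[:rule]).each { |r| lines << "--append #{res.fetch(:chain, chain)} #{r}" }
  end
  lines << 'COMMIT'
end

# 1-based line numbers in the rendered rules.v6 that ip6tables-restore would reject.
def bad_v6_lines(resources)
  render_v6(resources).each_with_index
                      .select { |line, _| ipv4_only_rule?(line) }
                      .map { |_, i| i + 1 }
end

# Constructed from the rules in the thread; only the loopback resource gets
# the ip_version fix the reporter applied, the ICMP rule is still unfixed.
THREAD_RESOURCES = [
  { name: '01-loopback', rule: ['-i lo -j ACCEPT', '-i lo -d 127.0.0.0/8 -j REJECT'] },
  { name: '02-established', rule: '-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' },
  { name: '03-http', rule: '-p tcp --dport 80 -j ACCEPT' },
  { name: '04-app', rule: '-p tcp --dport 3001 -j ACCEPT' },
  { name: '05-ssh', rule: '-p tcp -m state --state NEW --dport 22 -j ACCEPT' },
  { name: '06-ping', rule: '-p icmp -m icmp --icmp-type 8 -j ACCEPT' },
  { name: '07-log', rule: '-m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7' }
].freeze

def with_loopback_fixed(resources)
  resources.map { |r| r[:name] == '01-loopback' ? r.merge(ip_version: 4) : r }
end

if $PROGRAM_NAME == __FILE__
  [THREAD_RESOURCES, with_loopback_fixed(THREAD_RESOURCES)].each do |set|
    lint_rules(set).each { |f| puts "#{f[:name]}: IPv4-only rule would break rules.v6: #{f[:rule]}" }
    puts "rules.v6 lines ip6tables-restore would reject: #{bad_v6_lines(set).inspect}"
  end
end
```

With the loopback rule restricted to `ip_version 4`, the only remaining finding is the ICMP rule, and it renders at line 9 of rules.v6, which is the line ip6tables-restore reported in the thread. The check is a static approximation; the authoritative pre-flight is the dry run `ip6tables-restore --test < /etc/iptables/rules.v6` (and the same with `iptables-restore` for rules.v4), which parses the file without committing it and fails on exactly the constructs this linter looks for.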