example42 / puppet-iptables

Iptables Puppet Module (for host based firewalling)
http://www.example42.com

Ubuntu 13.10 - Service[iptables]: Execution of 'iptables-restore < /etc/iptables/rules.v4' returned 1: #51

Open cedriclombardot opened 10 years ago

cedriclombardot commented 10 years ago

Hello,

I've just installed this package with the following config:

    class { 'iptables':
      enable_v6 => false,
      version   => 'present', # 'present' is mandatory, otherwise it tries to replace my Ubuntu version with a non-existent package
    }

    iptables::rule { 'smtp':
      port => 25,
    }

    iptables::rule { 'smtp_secure':
      port => 587,
    }

    iptables::rule { 'imap':
      port => 143,
    }

But when I apply this config, I get:

    Debug: Executing 'iptables-restore < /etc/iptables/rules.v4'
    Error: /Stage[main]/Iptables/Service[iptables]: Failed to call refresh: Could not restart Service[iptables]: Execution of 'iptables-restore < /etc/iptables/rules.v4' returned 1: 
    Error: /Stage[main]/Iptables/Service[iptables]: Could not restart Service[iptables]: Execution of 'iptables-restore < /etc/iptables/rules.v4' returned 1: 
    Debug: Iptables::Concat_emitter[v4]: The container Class[Iptables] will propagate my refresh event
    Debug: Class[Iptables]: The container Stage[main] will propagate my refresh event

The generated file is:

    # File Managed by Puppet
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -i lo -j ACCEPT 
    -A INPUT   -p tcp --dport 25 -s 0/0 -d 0/0 -j ACCEPT
    -A INPUT   -p tcp --dport 587 -s 0/0 -d 0/0 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m pkttype --pkt-type broadcast -j ACCEPT
    -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
    -A INPUT -j LOG --log-level 4 --log-prefix "INPUT DROP: "
    -A INPUT -j DROP
    -A OUTPUT -j ACCEPT 
    -A OUTPUT -j LOG --log-level 4 --log-prefix "OUTPUT DROP: "
    -A OUTPUT -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -p icmp -j ACCEPT
    -A FORWARD -j LOG --log-level 4 --log-prefix "FORWARD DROP: "
    -A FORWARD -j DROP
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT

    COMMIT
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT 

    COMMIT

And if I do a manual save, I get something restorable which looks like:

    # Generated by iptables-save v1.4.18 on Sat Apr 19 02:23:26 2014
    *nat
    :PREROUTING ACCEPT [12:1300]
    :POSTROUTING ACCEPT [5:337]
    :OUTPUT ACCEPT [5:337]
    COMMIT
    # Completed on Sat Apr 19 02:23:26 2014
    # Generated by iptables-save v1.4.18 on Sat Apr 19 02:23:26 2014
    *mangle
    :PREROUTING ACCEPT [145:11453]
    :INPUT ACCEPT [145:11453]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [123:19035]
    :POSTROUTING ACCEPT [123:19035]
    COMMIT
    # Completed on Sat Apr 19 02:23:26 2014
    # Generated by iptables-save v1.4.18 on Sat Apr 19 02:23:26 2014
    *filter
    :INPUT ACCEPT [145:11453]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [123:19035]
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    COMMIT
    # Completed on Sat Apr 19 02:23:26 2014

Can you help, please?
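As an added example for this thread (not code from the example42 module or from anyone in the issue): a small Python checker that parses the iptables-save format and reports the structural problems `iptables-restore` rejects outright (a rule appended to a chain that was never declared, a `*table` block not closed by `COMMIT`, a policy set on a chain that is not built in to that table), plus things worth a second look such as duplicate rules, like the doubled port 587 rule in the manually saved file above. `GENERATED` is trimmed from the Puppet-generated rules.v4 posted in this issue; `BROKEN` is a constructed file. The checker reports nothing for the generated file, so whatever iptables-restore rejected here is not a mistake the format alone reveals; the check still earns its place as a guard that runs before the service refresh, since the Puppet output above shows iptables-restore exiting 1 with an empty error message and nothing else to go on.

```python
"""Offline structural checker for iptables-save / iptables-restore files.

Added example for this issue; not part of example42/puppet-iptables. It never
runs iptables, it only parses the text format and reports findings.
"""
import re
import shlex

# Built-in chains per table, as listed in iptables(8)
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
# Targets that are not chains; any other -j argument should be a declared chain
STANDARD_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                    "SNAT", "DNAT", "REDIRECT", "MARK", "QUEUE", "NFQUEUE"}
CHAIN_DECL = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")


def check_ruleset(text):
    """Parse iptables-save text; return (errors, warnings) as 'line N: ...' strings."""
    errors, warnings = [], []
    table = None        # name of the *table block we are inside, if any
    chains = set()      # chains declared in the current table
    first_seen = {}     # normalised rule text -> line where it first appeared

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue    # blank and comment lines are skipped by iptables-restore too
        if line.startswith("*"):
            if table is not None:
                errors.append(f"line {lineno}: table *{table} not closed with COMMIT")
            table, chains, first_seen = line[1:], set(), {}
            if table not in BUILTIN_CHAINS:
                errors.append(f"line {lineno}: unknown table *{table}")
            continue
        if table is None:
            errors.append(f"line {lineno}: {line.split()[0]!r} outside any *table block")
            continue
        if line == "COMMIT":
            table = None
            continue
        if line.startswith(":"):
            m = CHAIN_DECL.match(line)
            if not m:
                errors.append(f"line {lineno}: malformed chain declaration {line!r}")
                continue
            name, policy = m.group(1), m.group(2)
            if policy != "-" and name not in BUILTIN_CHAINS.get(table, set()):
                errors.append(f"line {lineno}: policy {policy} on {name}, "
                              f"which is not a built-in chain of *{table}")
            chains.add(name)
            continue
        tokens = shlex.split(line)   # handles quoted values such as --log-prefix "INPUT DROP: "
        if tokens[0] not in ("-A", "-I") or len(tokens) < 2:
            errors.append(f"line {lineno}: unrecognised directive {line!r}")
            continue
        chain = tokens[1]
        if chain not in chains:
            errors.append(f"line {lineno}: rule appends to undeclared chain {chain} in *{table}")
        if "-j" in tokens:
            idx = tokens.index("-j")
            if idx + 1 < len(tokens):
                target = tokens[idx + 1]
                if target not in STANDARD_TARGETS and target not in chains:
                    warnings.append(f"line {lineno}: jump to {target}, which is neither a "
                                    f"standard target nor a chain declared in *{table}")
        key = " ".join(tokens)       # whitespace-normalised form for duplicate detection
        if key in first_seen:
            warnings.append(f"line {lineno}: duplicate of rule on line {first_seen[key]}")
        else:
            first_seen[key] = lineno

    if table is not None:
        errors.append(f"end of file: table *{table} not closed with COMMIT")
    return errors, warnings


# Trimmed from the Puppet-generated rules.v4 posted in this issue
GENERATED = """\
# File Managed by Puppet
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT   -p tcp --dport 25 -s 0/0 -d 0/0 -j ACCEPT
-A INPUT -j LOG --log-level 4 --log-prefix "INPUT DROP: "
-A INPUT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT

COMMIT
"""

# Constructed file showing the kind of mistakes a template can introduce
BROKEN = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 80 -j WEB
-A FOWARD -j DROP
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_rules.py /etc/iptables/rules.v4  (falls back to BROKEN)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    errs, warns = check_ruleset(src)
    for msg in errs:
        print("ERROR  ", msg)
    for msg in warns:
        print("WARNING", msg)
    sys.exit(1 if errs else 0)
```

The non-zero exit status on errors makes the script usable as a `validate_cmd` on a Puppet `file` resource, so a bad rules file is never written over the one currently in place. The authoritative check remains iptables-restore itself: run it by hand on the host to see the stderr that Puppet swallowed above, and where the installed version supports it, `iptables-restore --test` parses a file without committing it.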

Freeaqingme commented 10 years ago

The iptables class itself was left in for backwards compatibility with the Puppetlabs one (and I'll soon give it an upgrade for full compat). What happens if you leave out the following code?

    class { 'iptables':
      enable_v6 => false,
      version   => 'present' # the present is mandatory else it try to replace my ubuntu version with a non existant package
    }

Edit: I'm sorry, it's a little late here. The above won't probably change or fix anything for you (though please do try). What commit or branch are you on?

cedriclombardot commented 10 years ago

I use "example42/iptables (2.1.3)".