iptables/netfilter-persistent and rule with url

jerome-02
Posts: 1
Joined: 2017-07-06 08:51

iptables/netfilter-persistent and rule with url

#1 Post by jerome-02 »

Hello,

First, sorry for my poor English, I hope you will understand me.

I have some trouble using iptables-persistent with rules that have a URL inside, but only when the machine starts:
What I have done:

apt-get install iptables-persistent (here, no problem ^^ )

Next, I create my rules file:
nano /etc/iptables/rules.v4

If I just put some rules like this, I have no problem:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#ICMP
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
#DNS
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
#NTP
-A OUTPUT -o eth0 -d 192.168.200.1 -p udp --dport 123 -j ACCEPT

iptables -L gives a good result if I start it manually: /etc/init.d/netfilter-persistent start/restart
Even if I reboot the computer, iptables -L is OK.

BUT: when I add some rules with a URL, like:

-A OUTPUT -o eth0 -d ftp.fr.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d security.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d security-cdn.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d database.clamav.net -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d db.local.clamav.net -p tcp --dport 80 -j ACCEPT

A manual start of the service is OK. These tables are loaded, and we can see them with iptables -L
But when I restart the computer, the rules are not loaded, and there is an error in /var/log/syslog:

Jul  6 11:52:10 machinetest systemd[1]: Starting netfilter persistent configuration...
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jul  6 11:52:10 machinetest netfilter-persistent[341]: Warning: skipping IPv6 (no rules to load)
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Jul  6 11:52:10 machinetest systemd[1]: Failed to start netfilter persistent configuration.
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Unit entered failed state.
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.

I have tried to modify /etc/init.d/netfilter-persistent like this:

### BEGIN INIT INFO
# Provides:          netfilter-persistent
# Required-Start:    mountkernfs $all
# Required-Stop:     $remote_fs
# Default-Start:     S
# Default-Stop:      0 1 6
# Short-Description: Load boot-time netfilter configuration
# Description:       Loads boot-time netfilter configuration
### END INIT INFO

but it doesn't work.
The only thing that works is to add a cron task:

@reboot /etc/init.d/netfilter-persistent restart

But I think this method is not "normal".

Hope you understand me, and maybe you will have an idea.

Regards,

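The rules that fail at boot in this post all give a host name to -d rather than an IP address. As an added example (not part of the post and not from the netfilter-persistent package), the following POSIX sh script scans an iptables-restore rules file and lists every -s/-d value that is a host name instead of an IPv4 address or prefix. iptables has to resolve such names at the moment the rule is inserted, so these are the lines that cannot be restored before name resolution is available; running the check before a reboot shows which rules will fail in the way the syslog excerpt above records. The sample rules file it checks is constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added check (not from the thread): list every -s/-d argument in an
# iptables-restore rules file that is a host name rather than an IPv4
# address or CIDR prefix. iptables resolves such names when the rule is
# loaded, so a rules.v4 containing them can only be restored once name
# resolution is working.
set -f   # no pathname globbing while we split rule lines into tokens

# 0 if $1 is a dotted-quad IPv4 address with an optional /prefix, else 1.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print "<line>: <option> <value>" for each -s/-d value in file $1 that is
# not an IPv4 address or prefix; return 1 if any were found, 0 if clean.
# IPv4 rules files only: an IPv6 literal would be reported as a host name.
find_hostname_rules() {
    _file=$1 _found=0 _lineno=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _lineno=$((_lineno + 1))
        case $_line in
            ''|'#'*|'*'*|':'*|COMMIT*) continue ;;  # blank, comment, table, chain policy, COMMIT
        esac
        set -- $_line                     # split the rule into tokens
        while [ $# -ge 2 ]; do
            case $1 in
                -s|-d|--source|--destination|--src|--dst)
                    # a preceding '!' (negation) is its own token and is simply skipped
                    if ! is_ipv4_or_cidr "$2"; then
                        printf '%d: %s %s\n' "$_lineno" "$1" "$2"
                        _found=1
                    fi
                    shift ;;
            esac
            shift
        done
    done < "$_file"
    return $_found
}

# Constructed sample rules file modelled on the rules quoted in the thread.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# constructed sample rules.v4
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.200.1 -p udp --dport 123 -j ACCEPT
-A OUTPUT -o eth0 -d security.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 ! -d ftp.fr.debian.org -p tcp --dport 80 -j REJECT
-A OUTPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT
EOF

if find_hostname_rules "$SAMPLE_RULES"; then
    echo "no rules depend on name resolution at load time"
else
    echo "the rules listed above can only be restored once DNS is reachable"
fi
```

Run against the real file with `find_hostname_rules /etc/iptables/rules.v4` after sourcing the script; a non-zero return means the file will not load cleanly until every listed name can be resolved, which is exactly the situation at early boot before the network and resolver are up.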