iptables/netfilter-pertistent and rule with url

Post by jerome-02 » 2017-07-06 09:11

Hello,

First, sorry for my poor English; I hope you will understand me.

I have some trouble using iptables-persistent with rules that have a URL inside, but only when the machine starts.
What I have done:

apt-get install iptables-persistent (here, no problem ^^ )

Next, I create my rules file:
nano /etc/iptables/rules.v4

If I just put some rules like this, I have no problem:

Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#ICMP
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
#DNS
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
#NTP
-A OUTPUT -o eth0 -d 192.168.200.1 -p udp --dport 123 -j ACCEPT


iptables -L gives a good result if I start it manually: /etc/init.d/netfilter-persistent start/restart
Even if I reboot the computer, iptables -L is OK.

BUT: when I add some rules with a URL, like:
Code:
-A OUTPUT -o eth0 -d ftp.fr.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d security.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d security-cdn.debian.org -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d database.clamav.net -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -d db.local.clamav.net -p tcp --dport 80 -j ACCEPT


A manual start of the service is OK: these rules are loaded, and we can see it with iptables -L.
But when I restart the computer, the rules are not loaded, and there is an error in /var/log/syslog:
Code:
Jul  6 11:52:10 machinetest systemd[1]: Starting netfilter persistent configuration...
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
Jul  6 11:52:10 machinetest netfilter-persistent[341]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jul  6 11:52:10 machinetest netfilter-persistent[341]: Warning: skipping IPv6 (no rules to load)
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Jul  6 11:52:10 machinetest systemd[1]: Failed to start netfilter persistent configuration.
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Unit entered failed state.
Jul  6 11:52:10 machinetest systemd[1]: netfilter-persistent.service: Failed with result 'exit-code'.


I have tried to modify /etc/init.d/netfilter-persistent like this:
Code:
### BEGIN INIT INFO
# Provides:          netfilter-persistent
# Required-Start:    mountkernfs $all
# Required-Stop:     $remote_fs
# Default-Start:     S
# Default-Stop:      0 1 6
# Short-Description: Load boot-time netfilter configuration
# Description:       Loads boot-time netfilter configuration
### END INIT INFO


but it doesn't work.
The only thing that works is to add a cron task:
Code:
@reboot /etc/init.d/netfilter-persistent restart


But I think this method is not "normal".

I hope you understand me, and maybe you will have an idea.

Regards,
jerome-02
 
Posts: 1
Joined: 2017-07-06 08:51
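Editor's note, not part of jerome-02's post: the failing rules are exactly the ones with hostnames, and the 15-ip4tables plugin exits 2 when iptables-restore cannot load the file. iptables-restore resolves a "-d hostname" with a DNS lookup at the moment the rule is loaded, and at boot netfilter-persistent runs before the network and resolver are usable, which is why the same file loads fine by hand or from an @reboot cron job. The defensive fix is to never put names into the file the boot-time loader reads: keep a hostname version of the rules as a source file, pre-resolve it into an IP-only rules.v4, and refuse to install the result if any name did not resolve. The script below is an added example written for this page; it is not code from the post or from the iptables-persistent package. The function names, the RESOLVE_TABLE test hook and the rules.v4.in file name are conventions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-resolve the hostnames in an
# iptables rules file so that the file netfilter-persistent loads at boot
# contains only IP addresses. iptables-restore resolves "-d hostname" with a
# DNS lookup at load time, which fails while the network is still coming up.
# Function names, the RESOLVE_TABLE test hook and the .in file name are
# hypothetical conventions chosen for this example.

# resolve_host NAME: print the IPv4 addresses NAME resolves to, one per line.
# If RESOLVE_TABLE is set (offline testing), it is read as "name ip" lines
# instead of querying the system resolver with getent(1).
resolve_host() {
    if [ -n "${RESOLVE_TABLE:-}" ]; then
        printf '%s\n' "$RESOLVE_TABLE" | awk -v n="$1" '$1 == n { print $2 }'
    else
        # getent ahostsv4 prints a STREAM, DGRAM and RAW line per address;
        # keeping only the STREAM lines yields each address once.
        getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }'
    fi
}

# is_ipv4 STRING: true if STRING is a dotted quad, optionally with /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# expand_rules: read iptables-save style rules on stdin and write them to
# stdout with every "-d HOSTNAME" replaced by one rule per resolved address.
# Lines without "-d", or whose target is already an address, pass through.
# A hostname that does not resolve is emitted as a comment and the function
# returns 1, so a broken file is never silently installed.
expand_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *" -d "*) ;;
            *) printf '%s\n' "$line"; continue ;;
        esac
        # Split around the first "-d TARGET" pair (rules.v4 uses no quoting).
        prefix=${line%% -d *}
        rest=${line#* -d }
        target=${rest%% *}
        suffix=""
        case "$rest" in *" "*) suffix=" ${rest#* }" ;; esac
        if is_ipv4 "$target"; then
            printf '%s\n' "$line"
            continue
        fi
        ips=$(resolve_host "$target")
        if [ -z "$ips" ]; then
            printf '# UNRESOLVED: %s\n' "$line"
            rc=1
            continue
        fi
        for ip in $ips; do
            printf '%s -d %s%s\n' "$prefix" "$ip" "$suffix"
        done
    done
    return $rc
}

# generate_rules IN OUT: expand IN into OUT, then let iptables-restore parse
# the result without committing it (--test) when the tool is available.
generate_rules() {
    expand_rules < "$1" > "$2" || { echo "unresolved hostnames in $1" >&2; return 1; }
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$2"
    fi
}

# Usage: keep the hostname version as /etc/iptables/rules.v4.in and run
#   sh expand-rules.sh generate /etc/iptables/rules.v4.in /etc/iptables/rules.v4
# whenever the mirrors' addresses may have changed (for example from cron),
# so the file loaded at boot never needs DNS.
case "${1:-}" in
    generate) generate_rules "$2" "$3" ;;
esac
```

Because mirror hostnames such as ftp.fr.debian.org map to several addresses that change over time, the generated file has to be refreshed periodically; the nonzero return on an unresolved name is what keeps a transient DNS failure from overwriting a good rules.v4 with a broken one.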
