How can I restart iptables service?

hack3rcon · 12-11-2016, 07:33 AM

Hello.
I use Debian 8.6 amd64 and I like to restart my iptables service. How can I do it? seems no service exist with iptables name!!!

Thank you.

Keruskerfuerst · 12-11-2016, 09:03 AM

Does Debian 8.6 use SysVinit or SystemD?

wpeckham · 12-11-2016, 09:10 AM

Rather than check for service iptables alone, look also for things like iptablesd, iptabled, etc. I am not running Debian 8 right now, but I seem to remember that the name was not perfectly matched to the package. (Which is, as you look around at other packages and services, pretty normal.)

You might also list out ALL services and grep for ipta and see what it returns.

LAST option: you know a reboot will cycle all services that are set to auto-start. That should NEVER be required, but does always work.

hack3rcon · 12-11-2016, 09:49 AM

Quote:

Originally Posted by wpeckham

Rather than check for service iptables alone, look also for things like iptablesd, iptabled, etc. I am not running Debian 8 right now, but I seem to remember that the name was not perfectly matched to the package. (Which is, as you look around at other packages and services, pretty normal.)

You might also list out ALL services and grep for ipta and see what it returns.

LAST option: you know a reboot will cycle all services that are set to auto-start. That should NEVER be required, but does always work.

I can't see!!!!

Code:

$ sudo service --status-all
 [ + ]  acpid
 [ - ]  alsa-utils
 [ - ]  anacron
 [ + ]  atd
 [ + ]  avahi-daemon
 [ - ]  bootlogs
 [ - ]  bootmisc.sh
 [ - ]  checkfs.sh
 [ - ]  checkroot-bootclean.sh
 [ - ]  checkroot.sh
 [ + ]  console-setup
 [ + ]  cpufrequtils
 [ + ]  cron
 [ + ]  dbus
 [ - ]  exim4
 [ + ]  hdparm
 [ - ]  hostname.sh
 [ - ]  hwclock.sh
 [ + ]  kbd
 [ + ]  keyboard-setup
 [ - ]  killprocs
 [ + ]  kmod
 [ + ]  lightdm
 [ + ]  loadcpufreq
 [ + ]  minissdpd
 [ - ]  motd
 [ - ]  mountall-bootclean.sh
 [ - ]  mountall.sh
 [ - ]  mountdevsubfs.sh
 [ - ]  mountkernfs.sh
 [ - ]  mountnfs-bootclean.sh
 [ - ]  mountnfs.sh
 [ + ]  network-manager
 [ + ]  networking
 [ + ]  nfs-common
 [ - ]  pppd-dns
 [ + ]  procps
 [ + ]  rc.local
 [ - ]  rmnologin
 [ + ]  rpcbind
 [ - ]  rsync
 [ + ]  rsyslog
 [ - ]  saned
 [ - ]  sendsigs
 [ + ]  speech-dispatcher
 [ - ]  sudo
 [ + ]  udev
 [ + ]  udev-finish
 [ - ]  umountfs
 [ - ]  umountnfs.sh
 [ - ]  umountroot
 [ + ]  urandom
 [ - ]  uuidd
 [ - ]  x11-common

wpeckham · 12-11-2016, 11:42 AM

That is not as I would have done it, but assume that list is complete. What then makes you think that you have iptables installed and running to need restarting?
Have you run anything like

Code:

ps -aef | grep iptabl

to see if it is in memory?

hack3rcon · 12-11-2016, 01:10 PM

If it is not in memory then how it protect my system? I write a new iptables rule and I guess that I must restart my service!!!

wpeckham · 12-11-2016, 04:22 PM

Try

Quote:

dpkg-query --list |grep -i iptabl

and see if it is installed, and at what status.
If it is not installed, you will need to install it using apt-get or one of the gui front-ends to apt.

c0wb0y · 12-11-2016, 04:28 PM

I can think of 2 options you can use:
- cook your own
- use one of the frontends

michaelk · 12-11-2016, 05:43 PM

debian 8 uses systemd. You can install the iptables-persistent package which is a service to load your firewall rules at boot. The service is called netfilter-persistent

The firewall is actually kernel modules that are loaded at boot up and when you add a rule using the iptables frontend ClI utility they take effect immediately. No need to restart anything. You can save your rules using the iptables-save command. There are various GUI firewall front ends to iptables like UFW or firestarter which provides an easier interface then using the CLI.

hack3rcon · 12-12-2016, 01:07 AM

Quote:

Originally Posted by wpeckham

That is not as I would have done it, but assume that list is complete. What then makes you think that you have iptables installed and running to need restarting?
Have you run anything like

Code:

ps -aef | grep iptabl

to see if it is in memory?

Yes, It is in memory:

Code:

$ ps -aef | grep iptabl
jason    4066  4060  0 10:35 pts/2    00:00:00 grep iptabl

hack3rcon · 12-12-2016, 01:08 AM

Quote:

Originally Posted by wpeckham

Try and see if it is installed, and at what status.
If it is not installed, you will need to install it using apt-get or one of the gui front-ends to apt.

Code:

$ dpkg-query --list |grep -i iptabl
ii  gnome-orca                            3.14.0-4+deb8u1                      all          Scriptable screen reader
ii  iptables                              1.4.21-2+b1                          amd64        administration tools for packet filtering and NAT

hack3rcon · 12-12-2016, 01:11 AM

Quote:

Originally Posted by michaelk

debian 8 uses systemd. You can install the iptables-persistent package which is a service to load your firewall rules at boot. The service is called netfilter-persistent

The firewall is actually kernel modules that are loaded at boot up and when you add a rule using the iptables frontend ClI utility they take effect immediately. No need to restart anything. You can save your rules using the iptables-save command. There are various GUI firewall front ends to iptables like UFW or firestarter which provides an easier interface then using the CLI.

If when I remove or add a rule then it use immediately then need I "iptables-persistent" or "netfilter-persistent" ?

descendant_command · 12-12-2016, 01:35 AM

Quote:

Originally Posted by hack3rcon

Yes, It is in memory:

Code:

$ ps -aef | grep iptabl
jason    4066  4060  0 10:35 pts/2    00:00:00 grep iptabl

No, that is your grep process.

As stated, netfilter is part of the kernel - there is no iptables process or daemon to restart.

descendant_command · 12-12-2016, 01:40 AM

Quote:

Originally Posted by hack3rcon

If when I remove or add a rule then it use immediately then need I "iptables-persistent" or "netfilter-persistent" ?

No, only as an automated way to reload your rules on system boot.

The iptables binary (or netfilter) reads or writes rules in the (volatile) kernel data structure, rrporting the current state or updating it immediately.

wpeckham · 12-12-2016, 07:11 AM

Quote:

Originally Posted by hack3rcon

Code:

$ dpkg-query --list |grep -i iptabl
ii  gnome-orca                            3.14.0-4+deb8u1                      all          Scriptable screen reader
ii  iptables                              1.4.21-2+b1                          amd64        administration tools for packet filtering and NAT

Excellent, it is installed. As descendant_command mentioned, the other output indicates that there is NOT an iptables process in memory (I HAVE been able to detect it that way, we will assume it is inactive at this point).

Have you looked up how to import and export rules? You can do this at the command line and test it before loading any additional software for automation.