iptables keeps dropping the rules
I am totally at a loss. Maybe I should post this in the Security forum.
I'm on Stretch running skolinux. I have installed iptables as well as netfilter-persistent. I have blocked ipv6 elsewhere (net....settings). When the rules are loaded:

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:auth state RELATED

That looks fine. I can get those rules loaded via

$ sudo iptables-restore < /etc/iptables/rules.v4

But after a few minutes I see I am wide open:

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and have to manually run

$ sudo iptables-restore < /etc/iptables/rules.v4

again. This changing state of iptables rules is constant. This is just a desktop system. I may or may not need a firewall setup, but I prefer to have it.
I have also been using fcheck, maldet, clamav, rkhunter and chkrootkit and haven't seen a specific compromise. The only reason that I am using skolinux (or debianEdu) is that I wanted to try it out and assumed I could revert back to a simple xfce desktop. I don't get that option when I am at the login screen. I am clueless what is causing rules that were loaded to get changed every few minutes. Is there some errant process doing it? I see that the actual program is xtables-multi and I question the permissions:

0 lrwxrwxrwx 1 root root 7 Nov 24 01:22 ip -> /bin/ip
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-save -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-save -> xtables-multi

Any input appreciated. In general, this OS has been good, very solid and snappy. It boots in about 23 seconds.

$ systemd-analyze critical-chain
graphical.target @23.791s
└─multi-user.target @23.791s
  └─wicd.service @13.310s +10.480s
    └─dbus.service @12.438s
      └─basic.target @12.334s
        └─sockets.target @12.334s
          └─dnscrypt-proxy.socket @12.334s
            └─sysinit.target @12.333s
              └─systemd-timesyncd.service @11.964s +368ms
                └─systemd-tmpfiles-setup.service @11.321s +582ms
                  └─local-fs.target @11.319s
                    └─boot-efi.mount @10.955s +363ms
                      └─systemd-fsck@dev-disk-by\blahblahblah:).service @9.462s +1.455s
                        └─dev-disk-by\blahblahblee;-).device @9.460s
I don't use Debian but noticed you mention systemd. On the RHEL systems I have that use systemd (vs init) they also use firewalld as the main firewall configuration utility. On those systems iptables still exists but the updates to it are done by manipulating firewalld rather than direct changes to iptables. I suspect the same is true for your Debian.
This link talks about firewalld on Debian Stretch.
Thanks for the feedback, MensaWater. I found this on wikipedia: "firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10]" It is available as an optional package at https://packages.debian.org/sid/main/firewalld.
Happily, I'll mark this solved. I removed all of the debian-edu desktop using synaptic and have had no problem with iptables loading rules on boot or resetting the rules during run time. I opened a bug report with Debian also.
Interesting, I will take a shot at it
From the Debian documentation, it says iptables-persistent stores the information in /etc/iptables/rules.v4.
I would create a ruleset and copy it to your /home drive or root directory.

I would go to rc.local and enter a restore statement to your firewall; this will overwrite the rules because it is one of the last files to be processed.

Todd
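The thread leaves two practical questions open: how to tell, without watching `iptables --list` by hand, that a loaded ruleset has been flushed again, and how to find out which process did it. The script below is an added example written for this thread, not code posted by anyone in it. It compares the live `iptables-save` output against the persisted /etc/iptables/rules.v4 file that netfilter-persistent uses, reloads the rules when any are missing, and logs the event; the comment at the end shows an auditd watch on the xtables-multi binary that records the executing process. The paths /etc/iptables/rules.v4, /run/iptables.live and /sbin/xtables-multi and the audit key `fwchange` are assumptions for Debian Stretch; check the binary path with `readlink -f "$(command -v iptables)"`.

```shell
#!/bin/sh
# Added example for the thread above, not original code from the post.
# Detects when a loaded iptables ruleset has been flushed and reloads it.
# Assumed paths (Debian Stretch + netfilter-persistent):
#   /etc/iptables/rules.v4   persisted rules written by iptables-save
#   /run/iptables.live       scratch file for the current live dump
#   /sbin/xtables-multi      real binary behind the iptables symlinks
# Both files are in iptables-save format, which writes every rule in one
# canonical "-A CHAIN ..." form, so a plain line comparison is sufficient.

# Count rules ("-A ..." lines) in an iptables-save dump read from stdin.
# Table headers (*filter), chain policies (:INPUT ACCEPT [0:0]), comments
# and COMMIT lines are not rules and are ignored.
count_rules() {
    grep -c '^-A ' || true
}

# Return 0 when every rule in the saved file ($1) is present in the live
# dump ($2), 1 when at least one saved rule has disappeared.
rules_intact() {
    saved="$1"
    live="$2"
    missing=0
    while IFS= read -r line; do
        case "$line" in
            "-A "*)
                # -x whole line, -F fixed string: rules contain regex metacharacters
                grep -qxF -- "$line" "$live" || missing=$((missing + 1))
                ;;
        esac
    done < "$saved"
    [ "$missing" -eq 0 ]
}

# One pass of the live check; run as root (cron every minute, or a loop).
# Reloads and writes a syslog line when the persisted rules are no longer loaded.
watch_once() {
    iptables-save > /run/iptables.live
    if rules_intact /etc/iptables/rules.v4 /run/iptables.live; then
        return 0
    fi
    logger -t iptables-watch "ruleset changed; reloading /etc/iptables/rules.v4"
    iptables-restore < /etc/iptables/rules.v4
    return 1
}

# To learn *which* process flushes the rules, record executions of the real
# binary with auditd (apt install auditd), then read the log after the next
# disappearance. The exe=, ppid= and comm= fields name the caller:
#   auditctl -w /sbin/xtables-multi -p x -k fwchange
#   ausearch -k fwchange -i | grep -E 'exe=|ppid=|comm='
```

`rules_intact` deliberately checks that the saved rules are a subset of the live ones rather than an exact match, so rules added at runtime by another tool do not trigger a reload; a flush, which is what the thread describes, removes every saved rule and is caught immediately.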
I use OpenSuSE 42.3 with iptables. Have been using it since 42.1. Currently on kernel version 4.4.120-45. I use FirewallBuilder to configure the firewall. In there is a setting to load the firewall on startup. I believe it uses systemd for this. I've noticed over the years that sometimes the firewall is automatically loaded after a reboot and sometimes not. It seems to cycle in and out with updates but I don't know what update affects it. Currently, it's working correctly.
Just thought I would mention it in case you are experiencing this type of behavior.
The following measures would load rules at boot but no matter what (although I wasn't sure that they loaded every time), the rules would vanish in a few minutes. The rules vanishing problem was huge.
I did place a line in /etc/rc.local that points to an iptables script which loads the rules I want. That worked for a minute. I also did

# mkdir /etc/iptables
# iptables-save > /etc/iptables/rules.v4

and installed netfilter-persistent. But no matter what I did, if the rules were loaded, they would be gone when I checked again in a few minutes. All problems disappeared when I purged Debian Edu / Skolelinux Jessie. I have no idea why it was happening. I have used Fedora and firewalld (my Debian did not have firewalld by default), but I think that Fedora and other Red Hat distros are largely developed with large-scale networks and services as their target. They develop a lot of tools to make the sysadmin's job easier, but by default the distros install and run a lot of things that a simple desktop for a 'home' user wouldn't necessarily need. Even though it was all fixed, I decided to move on back to Trisquel 8. I like that totally free software feeling :} It's a grandchild of Debian via Ubuntu.