LinuxQuestions.org (Debian forum)
https://www.linuxquestions.org/questions/debian-26/iptables-keeps-dropping-the-rules-4175625562/

geshmy 03-14-2018 11:17 AM

iptables keeps dropping the rules
 
I am totally at a loss. Maybe I should post this in the Security forum.

I'm on Stretch running Skolelinux.

I have installed iptables as well as netfilter-persistent. I have blocked IPv6 elsewhere (net....settings). When the rules are loaded,

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:auth state RELATED

That looks fine. I can get those rules loaded via
$ sudo iptables-restore < /etc/iptables/rules.v4

But after a few minutes I see I am wide open:
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and have to manually run:
$ sudo iptables-restore < /etc/iptables/rules.v4

again.

This changing state of iptables rules is constant.

This is just a desktop system. I may or may not need a firewall setup but I prefer to have it. I have also been using fcheck, maldet, clamav, rkhunter and chkrootkit and haven't seen a specific compromise.

The only reason that I am using Skolelinux (or Debian Edu) is that I wanted to try it out and assumed I could revert back to a simple xfce desktop. I don't get that option when I am at the login screen.

I am clueless what is causing rules that were loaded to get changed every few minutes. Is there some errant process doing it?

I see that the actual program is xtables-multi and I question the permissions:

0 lrwxrwxrwx 1 root root 7 Nov 24 01:22 ip -> /bin/ip
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-save -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-save -> xtables-multi

Any input appreciated.

In general, this OS has been good, very solid and snappy. It boots in about 23 seconds.

$ systemd-analyze critical-chain
graphical.target @23.791s
└─multi-user.target @23.791s
  └─wicd.service @13.310s +10.480s
    └─dbus.service @12.438s
      └─basic.target @12.334s
        └─sockets.target @12.334s
          └─dnscrypt-proxy.socket @12.334s
            └─sysinit.target @12.333s
              └─systemd-timesyncd.service @11.964s +368ms
                └─systemd-tmpfiles-setup.service @11.321s +582ms
                  └─local-fs.target @11.319s
                    └─boot-efi.mount @10.955s +363ms
                      └─systemd-fsck@dev-disk-by\blahblahblah:).service @9.462s +1.455s
                        └─dev-disk-by\blahblahblee;-).device @9.460s
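
The question the post ends on ("is there some errant process doing it?") can be answered with auditd rather than guesswork. The script below is an added example, not something from the thread or from Debian Edu: it watches executions of the iptables front-end, polls the live tables, and when the rules disappear prints the audit records that name the process that ran iptables in the preceding minutes. It assumes auditd is installed and running, that it runs as root, and that the front-end binary lives at /sbin/xtables-multi (the post shows the symlink names but not their directory, so that path is an assumption). The two sample dumps are constructed for the self-check and were not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not from the thread: catch the moment the ruleset goes empty
# and ask auditd which process ran the iptables front-end just before.
# Assumptions: auditd is installed and running, this runs as root, and the
# iptables binary is /sbin/xtables-multi (the post shows the symlink names
# but not their directory, so that path is assumed).

# A dump from iptables-save lists every rule as an "-A <chain> ..." line.
# Chain headers (":INPUT ACCEPT [0:0]") survive a flush, so "no -A line"
# is the test for "the chains were flushed".
ruleset_active() {
    printf '%s\n' "$1" | grep -q '^-A '
}

# Number of rules in a dump, for the log line.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Record every execution of the iptables front-end and every write to the
# saved rules, tagged so ausearch can pull them out later.
install_audit_watches() {
    auditctl -w /sbin/xtables-multi -p x -k xtables
    auditctl -w /etc/iptables/rules.v4 -p wa -k xtables
}

# Poll the live ruleset. On the transition from "has rules" to "empty", log
# the time and print the audit records of the last ten minutes ("-ts recent"),
# which carry pid, ppid, uid and the command line of whatever ran iptables.
monitor_flush() {
    interval=${1:-10}
    state=unknown
    while :; do
        dump=$(iptables-save)
        if ruleset_active "$dump"; then
            state=active
        else
            if [ "$state" = active ]; then
                logger -t iptables-watch "ruleset flushed at $(date -Is)"
                ausearch -k xtables -ts recent -i | tail -n 40
            fi
            state=empty
        fi
        sleep "$interval"
    done
}

# Constructed sample dumps (not captured from the poster's machine) to check
# the detector without touching the live tables.
SAMPLE_ACTIVE='# Generated by iptables-save v1.6.0 on Wed Mar 14 11:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Wed Mar 14 11:00:00 2018'

SAMPLE_FLUSHED='# Generated by iptables-save v1.6.0 on Wed Mar 14 11:05:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Mar 14 11:05:00 2018'

self_check() {
    ruleset_active "$SAMPLE_ACTIVE" || return 1
    if ruleset_active "$SAMPLE_FLUSHED"; then return 1; fi
    [ "$(rule_count "$SAMPLE_ACTIVE")" = 2 ] || return 1
    [ "$(rule_count "$SAMPLE_FLUSHED")" = 0 ] || return 1
    echo "self-check ok"
}

case "${1:-}" in
    check)   self_check ;;
    monitor) install_audit_watches && monitor_flush "${2:-10}" ;;
esac
```

Run it as `sh iptables-watch.sh check` to exercise the detector on the sample dumps, and as `sh iptables-watch.sh monitor 10` (as root) to leave it polling; load the rules with iptables-restore and wait for the flush. Anything that empties the tables by executing iptables or iptables-restore shows up in the ausearch output with its ppid and command line, which is the piece of evidence worth attaching to a bug report. A daemon that talks to netfilter through libiptc without executing the binary would not appear under a file watch and would need a syscall audit rule on setsockopt instead.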

MensaWater 03-14-2018 03:10 PM

I don't use Debian but noticed you mention systemd. On the RHEL systems I have that use systemd (vs init) they also use firewalld as the main firewall configuration utility. On those systems iptables still exists but the updates to it are done by manipulating firewalld rather than direct changes to iptables. I suspect the same is true for your Debian.

This link talks about firewalld on Debian Stretch.

geshmy 03-14-2018 07:39 PM

Thanks for the feedback, MensaWater. I found this on Wikipedia: "firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10]" It is available as an optional package at https://packages.debian.org/sid/main/firewalld.

Happily, I'll mark this solved.

I removed all of the debian-edu desktop using synaptic and have had no problem with iptables loading rules on boot or resetting the rules during run time. I opened a bug report with Debian also.

tdsan 03-15-2018 02:01 PM

Interesting, I will take a shot at it.

From the Debian documentation, it says iptables-persistent stores the information in /etc/iptables/rules.v4.

I would create a ruleset and copy it to your /home drive or root directory:

    iptables-save > /root/iptables.lst

Then after a reboot, validate that the rules found in your root directory are the same as the ones found in /etc/iptables/rules.v4:

    cmp /root/iptables.lst /etc/iptables/rules.v4

Then perform a comparison after a reboot. If the comparison changes after the reboot, then there is a problem with firewalld or you are not saving the firewalld configuration properly. If you are doing it properly and it is different when it comes up, there is an alternative.

I would go to rc.local and enter a restore statement for your firewall; this will overwrite the rules because it is one of the last files to be processed:

    iptables-restore < /root/iptables.lst

One question: what version of iptables and firewalld are you using? That will help with identifying the culprit.

    iptables -V (iptables version)
Have a great day.

Todd
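
The cmp check suggested above has a catch a practitioner will hit immediately: iptables-save writes "# Generated by iptables-save vX.Y.Z on <date>" at the top and "# Completed on <date>" at the bottom of every dump, and a dump taken with -c carries "[pkts:bytes]" counters, so two byte-for-byte comparisons of the same rules will differ every time. The script below is an added example, not from the thread or from the iptables-persistent package; it strips those volatile fields and compares the rules in order (rule order is significant in netfilter, so nothing is sorted). The three sample dumps are constructed, not captured from the poster's machine, and the paths in check_persisted are the ones the thread names.

```shell
#!/bin/sh
# Added example, not from the thread: compare the saved ruleset with the live
# one after stripping what iptables-save changes on every run. A raw dump
# starts with "# Generated by iptables-save vX.Y.Z on <date>" and ends with
# "# Completed on <date>", and a dump taken with -c carries "[pkts:bytes]"
# counters, so plain cmp reports a difference even when the rules are the same.
# Rule order is significant in netfilter, so lines are compared in order.

# Drop comment lines, the "[pkts:bytes] " counter prefix, the "[0:0]" policy
# counters on chain lines, and repeated whitespace.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*] //' \
        -e 's/ \[[0-9]*:[0-9]*]$//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/ $//'
}

# Unified diff of two dumps after normalization; exit 0 when they match,
# 1 when they differ (diff's own convention), 2 on error.
rules_diff() {
    saved_tmp=$(mktemp) || return 2
    live_tmp=$(mktemp) || return 2
    printf '%s\n' "$1" | normalize_rules > "$saved_tmp"
    printf '%s\n' "$2" | normalize_rules > "$live_tmp"
    diff -u "$saved_tmp" "$live_tmp" && rc=0 || rc=$?
    rm -f "$saved_tmp" "$live_tmp"
    return "$rc"
}

# The check to run a few minutes after boot (or from cron): exit 0 means the
# live tables still match what netfilter-persistent saved.
check_persisted() {
    rules_diff "$(cat /etc/iptables/rules.v4)" "$(iptables-save)"
}

# Constructed sample dumps (not from the poster's machine).
SAVED='# Generated by iptables-save v1.6.0 on Wed Mar 14 10:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
COMMIT
# Completed on Wed Mar 14 10:00:00 2018'

# Same rules, later timestamp, counters present: must compare equal.
LIVE_SAME='# Generated by iptables-save v1.6.0 on Wed Mar 14 11:17:00 2018
*filter
:INPUT ACCEPT [120:9876]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [88:4321]
[100:9000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
[20:876] -A INPUT -j DROP
COMMIT
# Completed on Wed Mar 14 11:17:00 2018'

# What the poster saw a few minutes later: chains present, rules gone.
LIVE_FLUSHED='# Generated by iptables-save v1.6.0 on Wed Mar 14 11:22:00 2018
*filter
:INPUT ACCEPT [300:20000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:15000]
COMMIT
# Completed on Wed Mar 14 11:22:00 2018'

self_check() {
    rules_diff "$SAVED" "$LIVE_SAME" >/dev/null || return 1
    if rules_diff "$SAVED" "$LIVE_FLUSHED" >/dev/null; then return 1; fi
    echo "self-check ok"
}

case "${1:-}" in
    check)     self_check ;;
    persisted) check_persisted ;;
esac
```

`sh rules-check.sh check` runs the self-check on the samples; `sh rules-check.sh persisted` (as root) prints a unified diff of saved versus live rules, so when the tables have been flushed the output is exactly the list of "-A" lines that went missing, which is more useful than cmp's "differ: byte N".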

linxpatrick 03-25-2018 07:45 PM

I use openSUSE 42.3 with iptables. Have been using it since 42.1. Currently on kernel version 4.4.120-45. I use FirewallBuilder to configure the firewall. In there is a setting to load the firewall on startup. I believe it uses systemd for this. I've noticed over the years that sometimes the firewall is automatically loaded after a reboot and sometimes not. It seems to cycle in and out with updates but I don't know which update affects it. Currently, it's working correctly.

Just thought I would mention it in case you are experiencing this type of behavior.

geshmy 03-27-2018 11:22 PM

The following measures would load rules at boot (although I wasn't sure that they loaded every time), but no matter what, the rules would vanish in a few minutes. The rules vanishing problem was huge.

I did place a line in /etc/rc.local that points to an iptables script which loads the rules I want. That worked for a minute.

I also did
# mkdir /etc/iptables
# iptables-save > /etc/iptables/rules.v4

and installed netfilter-persistent.

But no matter what I did, if the rules were loaded, they would be gone when I checked again in a few minutes. All problems disappeared when I purged Debian Edu / Skolelinux Jessie. I have no idea why it was happening.

I have used Fedora and firewalld (my Debian did not have firewalld by default) but I think that Fedora and other Red Hat distros are largely developed with large scale networks and services as their target. They develop a lot of tools to make the sys admins job easier but by default the distros install and run a lot of things that a simple desktop for a 'home' user wouldn't necessarily need.

Even though it was all fixed, I decided to move on back to Trisquel 8. I like that totally free software feeling:} It's a grandchild of Debian via Ubuntu.
