[SOLVED] Iptables adding rules to itself automagically on Fedora 29
Hi everyone, I have a tricky problem here in Fedora 29.
I uninstalled firewalld for educational purposes and I have only iptables. I'm configuring it directly, without any frontend.
I have it all configured, but when I restart my PC I see that other rules have been added to iptables and I don't know the source of those rule updates. More specifically, it is adding rules for port 53 (DNS) and 67 (DHCP server) on every restart, plus some rules in the FORWARD chain, and it also adds rules for port 68 (DHCP client).
Yes, plus other rules in the nat table and mangle table. Here is the capture of the filter table:
And I searched the logs to understand what's happening, and I found this:
-------------------------------------------------------------------------------
[root@edier88 edier88]# journalctl | grep 'Feb 09 14:4' | grep -i filter
Feb 09 14:41:42 edier88 chronyd[862]: chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 +DEBUG)
Feb 09 14:41:42 edier88 audit: NETFILTER_CFG table=nat family=2 entries=0
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=nat family=2 entries=5
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=0
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=6
Feb 09 14:41:45 edier88 audit: NETFILTER_CFG table=filter family=2 entries=4
Feb 09 14:41:48 edier88 named[998]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-python=/usr/bin/python3' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-geoip' '--with-libidn2' '--enable-openssl-hash' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib64/pkcs11/libsofthsm2.so' '--with-dlopen=yes' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-dlz-bdb=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-lmdb=no' '--with-atf=/usr' '--enable-fixed-rrset' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-full-report' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld' 'CPPFLAGS= -DDIG_SIGCHASE'
Feb 09 14:42:04 edier88 audit: NETFILTER_CFG table=filter family=10 entries=0
Feb 09 14:42:08 edier88 kernel: bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=109
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=110
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=111
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=112
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=113
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=114
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=115
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=116
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=117
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=118
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=65
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=66
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=67
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=68
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=69
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=18
-----------------------------------------------------------------------------------
I really don't know if auditd or netfilter is adding rules to iptables automagically; is that what is happening? How can this be deactivated?
I really appreciate all the help you can give me. Thanks a lot!!
Hi everybody who's watching this thread.
I will give a solution to my problem myself; I'm the same person who created this thread.
I solved this not with the correct solution, but with something that can mitigate the problem.
To stop iptables from growing and adding rules to itself automagically, I made a programmed task in 'rc.local' telling iptables to restore its correct rules every time at startup.
First I activated rc.local on Fedora 29 this way (rc.local isn't activated by default in Fedora):
I created the file:
-----------------------------------------------------------------------------------
# vim /etc/rc.d/rc.local
-----------------------------------------------------------------------------------
I gave it execute permissions:
----------------------------------------------------------------------------------
# chmod +x /etc/rc.d/rc.local
----------------------------------------------------------------------------------
Activate the rc-local.service:
-----------------------------------------------------------------------------------
# systemctl enable rc-local.service
# systemctl start rc-local.service
# systemctl status rc-local.service
-----------------------------------------------------------------------------------
I save the iptables backup file with the rules I want to be restored at startup:
-----------------------------------------------------------------------------------
# iptables-save > /home/<user>/Desktop/iptablesbk.txt
-----------------------------------------------------------------------------------
Where <user> is the name of the user in Fedora.
I make an sh file; this is the file that is going to restore my iptables rules at startup:
--------------------------------------------------------------------------------------
# vim /home/<user>/Desktop/iptables.sh
--------------------------------------------------------------------------------------
And put this line in it, which tells iptables to restore its rules from the given backup file:
--------------------------------------------------------------------------------------
iptables-restore < /home/edier88/Desktop/iptablesbk.txt
--------------------------------------------------------------------------------------
Save it.
In /etc/rc.d/rc.local I put these lines and save it:
-------------------------------------------------------------------------------------
#!/bin/bash
at -f /home/<user>/Desktop/iptables.sh now + 3 minutes
-------------------------------------------------------------------------------------
That way I'm executing at startup the file 'iptables.sh', which makes iptables restore the rules contained in the file "iptablesbk.txt".
This is not the correct solution to my problem, but it is a temporary solution, because until now I haven't solved it entirely.
If you have questions, replies or corrections to this, let me know.
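The two things this thread actually needs are (a) a way to see exactly which rules appeared between the ruleset you loaded and the ruleset you find after a reboot, since the rule text itself (interface, ports, chain) is what identifies the service that installed them, and (b) a way to confirm that the `iptables-restore` in the rc.local workaround really left the live ruleset equal to the backup. The script below is an added example, my own and not code from either of edier88's posts; it assumes bash with awk, sort, comm and mktemp. The two iptables-save dumps it builds are constructed sample data (the interface name br0 and the network 10.0.99.0/24 are placeholders); the audit lines are copied from the journalctl output quoted earlier in the thread.

```bash
#!/bin/bash
# Added example, not from the thread: diff two iptables-save dumps to list the
# rules that appeared (or vanished), and summarise NETFILTER_CFG audit events.
# Assumes bash with awk, sort, comm and mktemp. Sample dumps are constructed;
# "br0" and 10.0.99.0/24 are placeholders, not values from the thread.
set -eu
export LC_ALL=C   # stable collation so sort(1) and comm(1) agree

# Reduce an iptables-save dump to sorted "table<TAB>rule" lines. Timestamp
# comments, chain policy lines and counters are dropped so they never show
# up as spurious differences.
normalise_dump() {
    awk '/^\*/ { table = substr($0, 2); next }
         /^-A/ { print table "\t" $0 }' "$1" | sort
}

# "- " lines exist only in the first dump, "+ " lines only in the second.
ruleset_diff() {
    local a b
    a=$(mktemp); b=$(mktemp)
    normalise_dump "$1" > "$a"
    normalise_dump "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/- /'
    comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}

# Per table/family: entry count at the first and last NETFILTER_CFG event,
# and how many reload events occurred. Input is journalctl text.
audit_growth() {
    awk '/NETFILTER_CFG/ {
             t = f = e = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^table=/)        t = substr($i, 7)
                 else if ($i ~ /^family=/)  f = substr($i, 8)
                 else if ($i ~ /^entries=/) e = substr($i, 9)
             }
             key = t "/" f
             if (!(key in first)) { first[key] = e; order[++n] = key }
             last[key] = e; count[key]++
         }
         END {
             for (i = 1; i <= n; i++) {
                 k = order[i]
                 printf "%s first=%s last=%s events=%d\n", k, first[k], last[k], count[k]
             }
         }' "$1"
}

# Restore from a backup, then confirm the live ruleset equals it. Needs root
# and iptables; prints the differences and returns non-zero on mismatch.
restore_and_verify() {
    local live
    iptables-restore < "$1"
    live=$(mktemp)
    iptables-save > "$live"
    if [ -n "$(ruleset_diff "$1" "$live")" ]; then
        ruleset_diff "$1" "$live"; rm -f "$live"; return 1
    fi
    rm -f "$live"
}

# Constructed sample input: a dump taken right after loading the intended
# rules, a dump taken after a reboot, and audit lines quoted in the thread.
make_samples() {
    cat > "$1/baseline.txt" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$1/afterboot.txt" <<'EOF'
# Generated by iptables-save (constructed sample, after reboot)
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.99.0/24 ! -d 10.0.99.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A OUTPUT -o br0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
EOF
    cat > "$1/audit.txt" <<'EOF'
Feb 09 14:41:42 edier88 audit: NETFILTER_CFG table=nat family=2 entries=0
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=nat family=2 entries=5
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=0
Feb 09 14:41:44 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=6
Feb 09 14:41:45 edier88 audit: NETFILTER_CFG table=filter family=2 entries=4
Feb 09 14:42:04 edier88 audit: NETFILTER_CFG table=filter family=10 entries=0
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=109
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=filter family=2 entries=118
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=nat family=2 entries=69
Feb 09 14:42:09 edier88 audit: NETFILTER_CFG table=mangle family=2 entries=18
EOF
}

demo() {
    local dir
    dir=$(mktemp -d)
    make_samples "$dir"
    echo "== rules that differ after reboot (+ added, - missing) =="
    ruleset_diff "$dir/baseline.txt" "$dir/afterboot.txt"
    echo "== NETFILTER_CFG reload summary (table/family) =="
    audit_growth "$dir/audit.txt"
    rm -rf "$dir"
}

demo
```

On a real machine you would replace the constructed dumps with `iptables-save` output captured right after loading your rules and again after a reboot; every `+` line then shows the table, chain, interface and port of a rule you did not write, which is far more useful for finding the responsible service than the bare `entries=` counts in the audit log. The audit summary is still worth keeping: a jump from 4 to 118 filter entries within one second, with nat and mangle changing in the same second, tells you that a single service is loading a whole ruleset at once rather than several things each adding a rule. The same `ruleset_diff` is what `restore_and_verify` uses, so the rc.local workaround can be checked instead of assumed to have worked.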