LinuxQuestions.org
Debian forum: This forum is for the discussion of Debian Linux.
Old 03-14-2018, 11:17 AM   #1
geshmy
LQ Newbie
 
Registered: Apr 2015
Location: Seattle, WA
Distribution: Laptop - Wheezy and Windows 8.1, Office - also dual boot, Centos7 and Fedora 21 (Kde spin for now)
Posts: 7

Rep: Reputation: Disabled
iptables keeps dropping the rules


I am totally at a loss. Maybe I should post this in the Security forum.

I'm on Stretch running Skolelinux.

I have installed iptables as well as netfilter-persistent. I have blocked ipv6 elsewhere (net....settings). When the rules are loaded:

$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:auth state RELATED

That looks fine. I can get those rules loaded via
$ sudo iptables-restore < /etc/iptables/rules.v4

But after a few minutes I see I am wide open:
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and have to manually run:
$ sudo iptables-restore < /etc/iptables/rules.v4

again.

This changing state of iptables rules is constant.

This is just a desktop system. I may or may not need a firewall setup but I prefer to have it. I have also been using, fcheck, maldet, clamav, rkhunter and chkrootkit and haven't seen a specific compromise.

The only reason that I am using Skolelinux (or Debian Edu) is that I wanted to try it out and assumed I could revert back to a simple xfce desktop. I don't get that option when I am at the login screen.

I am clueless what is causing rules that were loaded to get changed every few minutes. Is there some errant process doing it?

I see that the actual program is xtables-multi and I question the permissions:

0 lrwxrwxrwx 1 root root 7 Nov 24 01:22 ip -> /bin/ip
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-save -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-save -> xtables-multi

Any input appreciated.

In general, this OS has been good, very solid and snappy. It boots in about 23 seconds.

$ systemd-analyze critical-chain
graphical.target @23.791s
└─multi-user.target @23.791s
└─wicd.service @13.310s +10.480s
└─dbus.service @12.438s
└─basic.target @12.334s
└─sockets.target @12.334s
└─dnscrypt-proxy.socket @12.334s
└─sysinit.target @12.333s
└─systemd-timesyncd.service @11.964s +368ms
└─systemd-tmpfiles-setup.service @11.321s +582ms
└─local-fs.target @11.319s
└─boot-efi.mount @10.955s +363ms
└─systemd-fsck@dev-disk-by\blahblahblah.service @9.462s +1.455s
└─dev-disk-by\blahblahblee;-).device @9.460s
 
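The question in the first post, whether some errant process is flushing the rules every few minutes, can be answered with an exec watch instead of guesswork. What follows is an added example and not part of the thread: it assumes the auditd package is installed (the thread never mentions it), the audit key name "xtables", the function names and the sample log lines are this example's own, and the log excerpt is constructed and abbreviated rather than captured from the poster's machine. Cheaper things worth checking first on a box like this are `systemctl list-timers --all`, the files under /etc/cron* and, since the poster runs wicd, its hook scripts under /etc/wicd/scripts.

```shell
#!/bin/sh
# Added example (not from the thread): identify the process that keeps
# calling iptables. Assumes the auditd package is installed and that this
# watch has been loaded as root (the key name "xtables" is mine):
#
#   auditctl -w /sbin/xtables-multi -p x -k xtables
#
# Every exec of xtables-multi (iptables, iptables-restore, ip6tables and
# friends are all symlinks to it, as the ls listing in the first post shows)
# then logs a SYSCALL record with pid/ppid/uid/comm and an EXECVE record
# with the argument vector, both tagged with the same audit(time:serial) id.

# One line per exec of the watched binary, joined from the two records:
#   <id> pid=.. ppid=.. uid=.. comm=.. exe=.. argv=[..]
# Reads raw /var/log/audit/audit.log lines from the given files or stdin.
exec_events() {
    awk '
    # Value of " name=..." in a record; audit quotes strings and hex-encodes
    # (unquoted) any argument that contains spaces or control characters.
    function field(rec, name) {
        if (match(rec, " " name "=\"[^\"]*\""))
            return substr(rec, RSTART + length(name) + 3, RLENGTH - length(name) - 4)
        if (match(rec, " " name "=[^ ]*"))
            return substr(rec, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        return ""
    }
    {
        # msg=audit(1521041820.101:300): -> id "1521041820.101:300"
        if (!match($0, /audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 6, RLENGTH - 7)
        if ($1 == "type=SYSCALL" && field($0, "key") == "xtables") {
            pid[id] = field($0, "pid"); ppid[id] = field($0, "ppid")
            uid[id] = field($0, "uid"); comm[id] = field($0, "comm")
            exe[id] = field($0, "exe")
        } else if ($1 == "type=EXECVE") {
            argc = field($0, "argc") + 0; args = ""
            for (i = 0; i < argc; i++) args = args (i ? " " : "") field($0, "a" i)
            argv[id] = args
        }
    }
    END {
        for (id in pid)
            printf "%s pid=%s ppid=%s uid=%s comm=%s exe=%s argv=[%s]\n",
                   id, pid[id], ppid[id], uid[id], comm[id], exe[id], argv[id]
    }' "$@"
}

# Only the execs that can empty the tables: iptables-restore (replaces the
# whole table), -F/--flush and -X/--delete-chain. comm is truncated to 15
# characters by the kernel ("iptables-restor"), so match on argv instead.
flush_events() {
    exec_events "$@" | grep -E 'argv=\[([^] ]*/)?ip6?tables-restore|argv=\[[^]]*( -F| --flush| -X| --delete-chain)( |\])'
}

# Constructed audit.log excerpt (abbreviated, not captured from a real box):
# a restore at boot, an "iptables -F" from an unknown parent some minutes
# later, and an interactive "iptables --list".
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1521041820.101:300): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2190 auid=4294967295 uid=0 gid=0 comm="iptables-restor" exe="/sbin/xtables-multi" key="xtables"
type=EXECVE msg=audit(1521041820.101:300): argc=1 a0="iptables-restore"
type=SYSCALL msg=audit(1521042006.417:318): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2201 auid=4294967295 uid=0 gid=0 comm="iptables" exe="/sbin/xtables-multi" key="xtables"
type=EXECVE msg=audit(1521042006.417:318): argc=2 a0="iptables" a1="-F"
type=SYSCALL msg=audit(1521042150.002:325): arch=c000003e syscall=59 success=yes exit=0 ppid=1999 pid=2310 auid=1000 uid=0 gid=0 comm="iptables" exe="/sbin/xtables-multi" key="xtables"
type=EXECVE msg=audit(1521042150.002:325): argc=2 a0="iptables" a1="--list"
EOF
}

# Demo on the sample. On a real system: flush_events /var/log/audit/audit.log
# then look the ppid up (ps -o pid,ppid,cmd -p <ppid>) while it is alive, or
# walk the trail back with ausearch -k xtables -i.
sample_audit_log | flush_events
```

The ppid on the "-F" line is the thing to chase: a ppid of 1 with auid=4294967295 (no login session) means a daemon or boot-time unit, a ppid that resolves to cron or a network-manager hook script points at a scheduled or interface-triggered job, and a real auid points at a logged-in user's shell.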
Old 03-14-2018, 03:10 PM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
I don't use Debian but noticed you mention systemd. On the RHEL systems I have that use systemd (vs init) they also use firewalld as the main firewall configuration utility. On those systems iptables still exists but the updates to it are done by manipulating firewalld rather than direct changes to iptables. I suspect the same is true for your Debian.

This link talks about firewalld on Debian Stretch
 
1 member found this post helpful.
Old 03-14-2018, 07:39 PM   #3
geshmy
LQ Newbie
 
Registered: Apr 2015
Location: Seattle, WA
Distribution: Laptop - Wheezy and Windows 8.1, Office - also dual boot, Centos7 and Fedora 21 (Kde spin for now)
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks for the feedback, MensaWater. I found this on wikipedia: "firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10]" It is available as an optional package at https://packages.debian.org/sid/main/firewalld.

Happily, I'll mark this solved.

I removed all of the debian-edu desktop using synaptic and have had no problem with iptables loading rules on boot or resetting the rules during run time. I opened a bug report with Debian also.
 
1 member found this post helpful.
Old 03-15-2018, 02:01 PM   #4
tdsan
LQ Newbie
 
Registered: Aug 2011
Posts: 26

Rep: Reputation: Disabled
Interesting, I will take a shot at it

From the debian documentation, it says iptables-persistent stores the information in /etc/iptables/rules.v4.

I would create a ruleset and copy it to your /home drive or root directory

Quote:
iptables-save > /root/iptables.lst
Then after a reboot, validate if the rules that are found in your root directory are the same as the ones found in /etc/iptables/rules.v4

Quote:
cmp /root/iptables.lst /etc/iptables/rules.v4
Then perform a comparison after a reboot. If the comparison changes after the reboot, then there is a problem with firewalld or you are not saving the firewalld configuration properly. If you are doing it properly and it is different when it comes up, there is an alternative:

I would go to rc.local and enter a restore statement for your firewall; this will overwrite the rules because it is one of the last files to be processed.

Quote:
iptables-restore < /root/iptables.lst
One question: what is the version of iptables and firewalld you are using? That will help with identifying the culprit.

Quote:
iptables -V (iptables version)
Have a great day.

Todd
 
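The save, compare and restore steps in the post above, as an added example that is not part of tdsan's post and not netfilter-persistent's own code. One caveat makes the example worth having: iptables-save writes "# Generated by ... on <date>" and "# Completed on <date>" comment lines, so a bare `cmp` of two dumps of an identical ruleset always reports a difference, and with `-c` the "[packets:bytes]" counters differ on every run too. The functions below strip that noise first. They assume the baseline file was itself produced by iptables-save (as the post suggests; `netfilter-persistent save` does the same for /etc/iptables/rules.v4), because a hand-written rules file can use different but equivalent syntax and would then never compare equal. The function names and the sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): the save / compare / restore
# procedure, with the comparison made meaningful by stripping the parts of
# iptables-save output that change on every run (timestamp comments and
# packet/byte counters). Paths are the thread's; function names are mine.

# Strip comments, rule counters, chain-policy counters and blank lines.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/^\(:[A-Za-z0-9_-]* [A-Z-]*\) \[[0-9]*:[0-9]*\]$/\1/' \
        -e '/^[[:space:]]*$/d' "$@"
}

# Return 0 when dump $1 and dump $2 describe the same ruleset, 1 otherwise.
rules_match() {
    tmpdir=$(mktemp -d) || return 2
    normalize_rules "$1" > "$tmpdir/a"
    normalize_rules "$2" > "$tmpdir/b"
    if cmp -s "$tmpdir/a" "$tmpdir/b"; then rc=0; else rc=1; fi
    rm -rf "$tmpdir"
    return $rc
}

# Unified diff of the normalized dumps: shows exactly which rules vanished.
rules_diff() {
    tmpdir=$(mktemp -d) || return 2
    normalize_rules "$1" > "$tmpdir/a"
    normalize_rules "$2" > "$tmpdir/b"
    diff -u "$tmpdir/a" "$tmpdir/b" && rc=0 || rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Dump the live ruleset, compare it with the baseline and reload the baseline
# if it drifted. Run as root from cron or a systemd timer as a stop-gap; each
# restore is logged so its time can be lined up with whatever flushed the
# rules. Not called below, since it needs root and a netfilter-capable kernel.
check_and_restore() {
    baseline=${1:-/etc/iptables/rules.v4}
    live=$(mktemp) || return 2
    if ! iptables-save > "$live"; then rm -f "$live"; return 2; fi
    if rules_match "$baseline" "$live"; then
        rm -f "$live"
        return 0
    fi
    logger -t iptables-watch "live ruleset differs from $baseline, restoring"
    rules_diff "$baseline" "$live" | logger -t iptables-watch
    iptables-restore < "$baseline"
    rm -f "$live"
    return 1
}

# Constructed sample dumps (not captured from the poster's machine), using a
# few of the rules from the first post. Baseline as saved by iptables-save:
sample_baseline() {
cat <<'EOF'
# Generated by iptables-save v1.6.0 on Wed Mar 14 11:17:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Wed Mar 14 11:17:00 2018
EOF
}
# The same ruleset dumped later with iptables-save -c: new time, live counters.
sample_live_same() {
cat <<'EOF'
# Generated by iptables-save v1.6.0 on Wed Mar 14 11:23:41 2018
*filter
:INPUT ACCEPT [3:240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [57:6012]
[812:71200] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[2:80] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT
# Completed on Wed Mar 14 11:23:41 2018
EOF
}
# What the poster saw a few minutes later: policies only, no rules.
sample_live_flushed() {
cat <<'EOF'
# Generated by iptables-save v1.6.0 on Wed Mar 14 11:41:09 2018
*filter
:INPUT ACCEPT [920:81344]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1108:93140]
COMMIT
# Completed on Wed Mar 14 11:41:09 2018
EOF
}

# Demo on the constructed samples.
d=$(mktemp -d)
sample_baseline > "$d/rules.v4"; sample_live_same > "$d/live1"; sample_live_flushed > "$d/live2"
rules_match "$d/rules.v4" "$d/live1" && echo "live1: ruleset unchanged"
rules_match "$d/rules.v4" "$d/live2" || { echo "live2: ruleset drifted"; rules_diff "$d/rules.v4" "$d/live2"; }
rm -rf "$d"
```

Restoring from a timer only hides the symptom; the logged restore times are mainly useful to correlate with cron, timer or network-hook activity while the real cause is tracked down.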
Old 03-25-2018, 07:45 PM   #5
linxpatrick
Member
 
Registered: Oct 2010
Posts: 32

Rep: Reputation: 1
I use OpenSuSE 42.3 with iptables. Have been using it since 42.1. Currently on kernel version 4.4.120-45. I use FirewallBuilder to configure the firewall. In there is a setting to load the firewall on startup. I believe it uses systemd for this. I've noticed over the years that sometimes the firewall is automatically loaded after a reboot and sometimes not. It seems to cycle in and out with updates but I don't know what update affects it. Currently, it's working correctly.

Just thought I would mention it in case you are experiencing this type of behavior.
 
Old 03-27-2018, 11:22 PM   #6
geshmy
LQ Newbie
 
Registered: Apr 2015
Location: Seattle, WA
Distribution: Laptop - Wheezy and Windows 8.1, Office - also dual boot, Centos7 and Fedora 21 (Kde spin for now)
Posts: 7

Original Poster
Rep: Reputation: Disabled
The following measures would load rules at boot (although I wasn't sure that they loaded every time), but no matter what, the rules would vanish in a few minutes. The rules vanishing problem was huge.

I did place a line in /etc/rc.local that points to an iptables script which loads the rules I want. That worked for a minute.

I also did
# mkdir /etc/iptables
# iptables-save > /etc/iptables/rules.v4

and installed netfilter-persistent.

But no matter what I did, if the rules were loaded, they would be gone when I checked again in a few minutes. All problems disappeared when I purged Debian Edu / Skolelinux Jessie. I have no idea why it was happening.

I have used Fedora and firewalld (my Debian did not have firewalld by default) but I think that Fedora and other Red Hat distros are largely developed with large scale networks and services as their target. They develop a lot of tools to make the sys admins job easier but by default the distros install and run a lot of things that a simple desktop for a 'home' user wouldn't necessarily need.

Even though it was all fixed, I decided to move on back to Trisquel 8. I like that totally free software feeling:} It's a grandchild of Debian via Ubuntu.
 