Iptables restore scheduled?

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Iptables restore scheduled?

Post by Eek » 14 Jan 2012, 14:34

Hi

Maybe it is something I do!?
But lately I noticed that "suddenly" my iptables were restored
to the settings in /etc/network/firewall.conf.

Is there a scheduled script that does this?
cheers
Eek

Gordon
Posts: 1373
Joined: 10 Aug 2011, 03:18

Re: Iptables restore scheduled?

Post by Gordon » 14 Jan 2012, 15:53

I don't think so. Maybe you had a power outage?

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Iptables restore scheduled?

Post by Ubi » 14 Jan 2012, 17:04

There is no scheduled script in the default distro AFAIK. A power hiccup seems most logical, and can be detected with uptime.

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 16 Jan 2012, 01:28

Thanks for the reply.
I will investigate further.
There has not been a power outage, confirmed by uptime.
cheers
Eek

johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden

Re: Iptables restore scheduled?

Post by johannes » 16 Jan 2012, 02:40

Perhaps you (or someone) edited the settings in the web gui?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 16 Jan 2012, 11:18

thanks Johannes,
but nobody but me uses the web-gui
and I really don't use it ;-)
I have a script running that checks a specific iptables entry every minute,
one which is not in the firewall.conf.
That way I can find out if and when the iptables get restored to the settings in the firewall.conf.
cheers
Eek
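The kind of per-minute canary check Eek describes, written out as an added example (this is not Eek's script and not Excito code). It assumes a hypothetical canary rule that you added by hand and that is deliberately absent from /etc/network/firewall.conf; when the canary vanishes the script logs a timestamp, and additionally reports whether the running ruleset is now rule-for-rule identical to the saved file, which is the signature of an iptables-restore having run. The log path and script path are assumptions.

```sh
#!/bin/sh
# Added example, not Eek's script and not Excito code: a cron-driven check that
# logs when the running ruleset has been replaced by /etc/network/firewall.conf.
# Assumptions (hypothetical): CANARY is a rule you added by hand that is NOT in
# firewall.conf, and LOGFILE is where hits are recorded.

CANARY=${CANARY:-'-A INPUT -s 10.99.0.0/24 -j ACCEPT'}
LOGFILE=${LOGFILE:-/var/log/iptables-canary.log}
SAVED=${SAVED:-/etc/network/firewall.conf}

# Wrapper around the real tool; kept separate so it can be swapped for
# constructed output when exercising the logic offline.
running_rules() {
    /sbin/iptables-save
}

# iptables-save prefixes a timestamped "# Generated by" comment and carries
# packet/byte counters in [n:m]; drop both so two dumps of one policy compare equal.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/g'
}

# 0 when the running ruleset is, rule for rule, the saved file: exactly what you
# see right after something has run iptables-restore on that file.
running_matches_file() {   # $1 = saved ruleset file
    [ "$(running_rules | normalize_rules)" = "$(normalize_rules < "$1")" ]
}

# 0 when the canary rule is still present; otherwise log a timestamped line in
# the same style as Eek's log and return 1. -F -x: fixed string, whole line.
check_canary() {
    if running_rules | grep -Fxq -- "$CANARY"; then
        return 0
    fi
    printf '%s canary missing (%s)' "$(date +%Y%m%d.%H:%M:%S)" "$CANARY" >> "$LOGFILE"
    if running_matches_file "$SAVED"; then
        printf ' - running rules now identical to %s\n' "$SAVED" >> "$LOGFILE"
    else
        printf '\n' >> "$LOGFILE"
    fi
    return 1
}

# Entry point for the cron job (path assumed):
#   * * * * * root /usr/local/sbin/iptables-canary.sh --run
# Guarded so the functions can be sourced without running the check.
if [ "${1:-}" = "--run" ]; then
    check_canary
fi
```

The comparison strips counters and the generator comment on purpose: a plain diff of iptables-save output against the file would always differ on those lines and hide the real signal.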

johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden

Re: Iptables restore scheduled?

Post by johannes » 16 Jan 2012, 11:26

Just found out that a web update on pre-2.3.2 systems would do this as well. Did you do an update?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 16 Jan 2012, 11:36

No, I did not do an update.
I am still on 2.3.1,
but good to know it will reset the iptables.
So no surprises there then ;-)
cheers
Eek

johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden

Re: Iptables restore scheduled?

Post by johannes » 16 Jan 2012, 16:49

Then I am out of clues as well. :)
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 26 Jan 2012, 03:21

Allright,
I found out that indeed something is reverting the iptables configuration back to the iptables in the /etc/network/firewall.conf file.
20120120.23:31:30 Chain pptp (1 references)
20120120.23:31:58

20120122.18:46:14 Chain pptp (1 references)
20120122.18:46:42

20120125.21:12:09 Chain pptp (1 references)
20120125.21:12:37
And saw that also the timestamp on the /etc/network/firewall.conf file had changed,
which made me think, maybe it is not only on that file.
$ find /etc -ls|grep "Jan 25 21:"
540673 4 drwxr-xr-x 98 root root 4096 Jan 25 21:12 /etc
542301 4 -rw-r--r-- 1 root root 48 Jan 25 21:12 /etc/resolv.conf
542193 4 drwxr-xr-x 2 root root 4096 Jan 25 21:12 /etc/samba
541000 0 -rw-r--r-- 1 root root 0 Jan 25 21:12 /etc/samba/dhcp.conf
542102 4 drwxr-xr-x 6 root root 4096 Jan 25 21:12 /etc/network
541327 4 -rw-r--r-- 1 root root 1136 Jan 25 21:12 /etc/network/firewall.conf
Which brought me to this entry in the syslog:
Jan 25 21:12:20 b3 dhclient: DHCPREQUEST on eth0 to xyz.xyz.xyz.xyz port 67
Jan 25 21:12:20 b3 dhclient: DHCPACK from xyz.xyz.xyz.xyz
Jan 25 21:12:21 b3 dhclient: bound to xyz.xyz.xyz.xyz -- renewal in 131035 seconds.
So it looks like the DHCP renewal process is also restoring the iptables config? :twisted:
cheers
Eek

Gordon
Posts: 1373
Joined: 10 Aug 2011, 03:18

Re: Iptables restore scheduled?

Post by Gordon » 26 Jan 2012, 12:31

Actually that makes a lot of sense if you look at the dependencies declared in the bubba-firewall script:

Code:

    # X-Start-Before:    ifupdown ifplugd
    # X-Stop-After:      ifupdown ifplugd

johannes
Posts: 1470
Joined: 31 Dec 2006, 07:12
Location: Sweden

Re: Iptables restore scheduled?

Post by johannes » 26 Jan 2012, 15:07

If I am not completely mistaken ifplugd runs on every plug event, such as boot, link up etc. It should not run just with dhcp renewal by expiry. Can this be the root cause?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)

Gordon
Posts: 1373
Joined: 10 Aug 2011, 03:18

Re: Iptables restore scheduled?

Post by Gordon » 26 Jan 2012, 16:01

johannes wrote: If I am not completely mistaken ifplugd runs on every plug event, such as boot, link up etc. It should not run just with dhcp renewal by expiry. Can this be the root cause?

I'd doubt that the log lines shown will be the only ones of interest here. The fact that something appears to have happened with Samba as well would indicate that the DHCP request was the result of a restart of the eth0 device at minimum (or likely all of networking).

Only thing is you'd expect this to trigger a "stop" first and thus change the content of the firewall.conf file. Whether that not happening was caused by the script misbehaving or by some kind of race condition is the intriguing part.

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 27 Jan 2012, 02:55

Thanks for the replies.
There has, to my knowledge, not been a restart of the eth0 device, nor any other restarts.
So maybe it is indeed unexpected behavior.
I will investigate the scripts.
cheers
Eek

Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Re: Iptables restore scheduled?

Post by Eek » 27 Jan 2012, 16:55

Hi
I think i found it: /etc/dhcp/dhclient-exit-hooks.d/firewall_rewrite

Code:

    # Check if this is the right reason and interface for us.
    # Note: in POSIX sh, && and || bind equally and left-to-right, so this reads as
    # "(reason is not BOUND/RENEW/REBIND) OR (interface is not eth0)".
    if [ "$reason" != "BOUND" ] && [ "$reason" != "RENEW" ] && [ "$reason" != "REBIND" ] || [ "$interface" != "eth0" ]
    then
        echo "Firewall rewrite, nothing to do."
    else
        # Update firewall config: point the PREROUTING rule at the new WAN address.
        echo "Update firewall config"
        sed -i "s/PREROUTING -d [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\/[0-9]*/PREROUTING -d $new_ip_address\/32/" /etc/network/firewall.conf

        # Reload the rewritten file; this replaces the running ruleset wholesale.
        echo "Activate updated firewall config."
        /sbin/iptables-restore /etc/network/firewall.conf
    fi
As I understand it: when a RENEW of my eth0 DHCP lease is needed, it does not save the iptables and then do the clever sed for the PREROUTING, but it uses the file /etc/network/firewall.conf.
Which is why my iptables get reset to the default. :mrgreen:
cheers
Eek
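A version of that hook with the flow Eek expected, as an added example (not the Excito hook, not tested on a B3): the running ruleset is dumped with iptables-save first, the PREROUTING destination is rewritten in that dump with the same sed pattern, the result is written to the saved file and only then restored. Hand-added rules therefore survive a BOUND/RENEW/REBIND, and a failed save or rewrite leaves the old file untouched. The interface name, file paths and the wrapper function names are assumptions; dhclient does export $reason, $interface and $new_ip_address to exit hooks.

```sh
#!/bin/sh
# Added example, not Excito's dhclient-exit-hooks.d/firewall_rewrite. Same intent
# (track the new WAN address in the PREROUTING rule) but it snapshots the
# *running* ruleset before rewriting, so hand-added rules survive a renewal.
# FIREWALL_CONF, WAN_IF and the wrapper names are assumptions for illustration.

FIREWALL_CONF=${FIREWALL_CONF:-/etc/network/firewall.conf}
WAN_IF=${WAN_IF:-eth0}

# Thin wrappers so the logic can be exercised offline with constructed input.
iptables_save()    { /sbin/iptables-save; }
iptables_restore() { /sbin/iptables-restore; }   # reads the ruleset on stdin

# Only BOUND/RENEW/REBIND on the WAN interface matter. Returns 0 when the
# event should be handled, 1 otherwise (no ambiguous && / || chain).
lease_event_is_relevant() {   # $1=reason $2=interface
    case "$1" in
        BOUND|RENEW|REBIND) [ "$2" = "$WAN_IF" ] ;;
        *) return 1 ;;
    esac
}

# Rewrite the destination of the PREROUTING rule(s) in a ruleset read from
# stdin; same pattern the original hook applies to the saved file.
rewrite_prerouting_dst() {   # $1=new_ip
    sed "s/PREROUTING -d [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\/[0-9]*/PREROUTING -d $1\/32/"
}

# Fixed flow: running rules -> rewrite -> saved file -> restore.
# Returns 0 when nothing needed doing or everything succeeded, 1 on failure.
update_firewall_for_lease() {   # $1=reason $2=interface $3=new_ip
    lease_event_is_relevant "$1" "$2" || return 0
    # An empty address would produce "-d /32" and a broken file; refuse it.
    [ -n "$3" ] || return 1
    tmp="$FIREWALL_CONF.tmp.$$"
    if iptables_save | rewrite_prerouting_dst "$3" > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$FIREWALL_CONF"          # atomic replace of the saved file
        iptables_restore < "$FIREWALL_CONF"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Hook entry point: dhclient exports reason, interface and new_ip_address.
update_firewall_for_lease "${reason:-}" "${interface:-}" "${new_ip_address:-}"
```

Two caveats remain even with this ordering: iptables-restore still replaces the whole ruleset, so counters reset and any rule added between the snapshot and the restore is lost; and if the saved file is what you rely on at boot, a bad rule that someone added at runtime is now persisted too, so a quick sanity check of the file (or iptables-restore's test mode, where the installed version supports it) before the restore is worth adding.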
