Iptables restore scheduled?
Hi
Maybe it is something I do !?
but lately I noticed that "suddenly" my iptables was restored
to the settings in the /etc/network/firewall.conf
Is there a scheduled script that does this?
cheers
Eek
Re: Iptables restore scheduled?
I don't think so. Maybe you had a power outage?
Re: Iptables restore scheduled?
There is no scheduled script in the default distro afaik. Power hiccup seems most logical, and can be detected with uptime
Re: Iptables restore scheduled?
Thanks for the reply.
I will investigate further.
There has not been a power outage, confirmed by uptime
cheers
Eek
Re: Iptables restore scheduled?
Perhaps you (or someone) edited the settings in the web gui?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Re: Iptables restore scheduled?
thanks Johannes,
but nobody but me uses the web-gui
and I really don't use it
I have script running to check every minute a specific iptables entry,
which is not in the firewall.conf
That way i can find out if and when the iptables get restored to the settings in the firewall.conf
cheers
Eek
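The minute-by-minute canary check Eek describes above, written out as an added example (not a script from the thread or from Excito). It assumes a canary rule was added with `-m comment --comment ipt-canary` (a constructed tag that is deliberately not in firewall.conf) and reads `iptables-save` output, which is passed in as text so the logic can be exercised offline.

```shell
# Added example: detect when the live iptables ruleset has been replaced by
# watching for a tagged canary rule that only exists in the running rules.
# Assumed names: CANARY_TAG, STATE_FILE, and the ipt-canary logger tag.

CANARY_TAG="${CANARY_TAG:-ipt-canary}"
STATE_FILE="${STATE_FILE:-/var/run/ipt-canary.state}"

# canary_present RULESET_TEXT -> 0 if a rule carrying the tag is present.
canary_present() {
    printf '%s\n' "$1" | grep -q -- "--comment $CANARY_TAG"
}

# check_once RULESET_TEXT PREV_STATE
# Prints the new state ("present" or "missing").
# Returns 0 = canary present, 1 = still missing, 2 = canary just vanished,
# i.e. the ruleset was replaced since the previous run.
check_once() {
    ruleset="$1"; prev="$2"
    if canary_present "$ruleset"; then
        echo present
        return 0
    fi
    echo missing
    [ "$prev" = "present" ] && return 2
    return 1
}

# Cron entry (constructed): * * * * * root /usr/local/sbin/ipt-canary-check
# One run: compare the live ruleset with the state left by the previous run
# and log a timestamped line to syslog when the canary disappears.
run_check() {
    prev=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
    live=$(/sbin/iptables-save 2>/dev/null) || return 1
    state=$(check_once "$live" "$prev"); rc=$?
    echo "$state" > "$STATE_FILE"
    if [ "$rc" -eq 2 ]; then
        logger -t ipt-canary "live ruleset replaced at $(date '+%Y%m%d.%H:%M:%S')"
    fi
    return 0
}
```

Correlating the logged timestamp with syslog (dhclient, ifplugd, bubba-firewall) is what narrows the cause down, as the later posts in this thread show.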
Re: Iptables restore scheduled?
Just found out that a web update on pre 2.3.2 systems would do this as well. Did you do an update?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Re: Iptables restore scheduled?
No did not do an update.
I am still on 2.3.1
but good to know it will reset the iptables.
so no surprises there then
cheers
Eek
Re: Iptables restore scheduled?
Then I am out of clues as well.
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Re: Iptables restore scheduled?
Alright,
I found out that indeed something is reverting the iptables configuration back to the iptables in the /etc/network/firewall.conf file.
Code: Select all
20120120.23:31:30 Chain pptp (1 references)
20120120.23:31:58
20120122.18:46:14 Chain pptp (1 references)
20120122.18:46:42
20120125.21:12:09 Chain pptp (1 references)
20120125.21:12:37
And saw that also the timestamp on the /etc/network/firewall.conf file had changed,
which made me think, maybe it is not only on that file.
Code: Select all
$ find /etc -ls|grep "Jan 25 21:"
540673 4 drwxr-xr-x 98 root root 4096 Jan 25 21:12 /etc
542301 4 -rw-r--r-- 1 root root 48 Jan 25 21:12 /etc/resolv.conf
542193 4 drwxr-xr-x 2 root root 4096 Jan 25 21:12 /etc/samba
541000 0 -rw-r--r-- 1 root root 0 Jan 25 21:12 /etc/samba/dhcp.conf
542102 4 drwxr-xr-x 6 root root 4096 Jan 25 21:12 /etc/network
541327 4 -rw-r--r-- 1 root root 1136 Jan 25 21:12 /etc/network/firewall.conf
Which brought me to this entry in the syslog
Code: Select all
Jan 25 21:12:20 b3 dhclient: DHCPREQUEST on eth0 to xyz.xyz.xyz.xyz port 67
Jan 25 21:12:20 b3 dhclient: DHCPACK from xyz.xyz.xyz.xyz
Jan 25 21:12:21 b3 dhclient: bound to xyz.xyz.xyz.xyz -- renewal in 131035 seconds.
So it looks like the dhcp renewal process is also restoring the iptables config?
cheers
Eek
Re: Iptables restore scheduled?
Actually that makes a lot of sense if you look at the dependencies declared in the bubba-firewall script:
Code: Select all
# X-Start-Before: ifupdown ifplugd
# X-Stop-After: ifupdown ifplugd
Re: Iptables restore scheduled?
If I am not completely mistaken ifplugd runs on every plug event, such as boot, link up etc. It should not run just with dhcp renewal by expiry. Can this be the root cause?
/Johannes (Excito co-founder a long time ago, but now I'm just Johannes)
Re: Iptables restore scheduled?
I'd doubt that the log lines shown will be the only ones of interest here. The fact that something appears to have happened with Samba as well would implicate that the DHCP request was the result of a restart of the eth0 device at minimum (or likely all of networking).
johannes wrote:
If I am not completely mistaken ifplugd runs on every plug event, such as boot, link up etc. It should not run just with dhcp renewal by expiry. Can this be the root cause?
Only thing is you'd expect this to trigger a "stop" first and thus change the content of the firewall.conf file. Whether that not happening was caused by the script misbehaving or some kind of race condition is the intriguing part.
Re: Iptables restore scheduled?
Thanks for the replies.
There has to my knowledge not been a restart of the eth0 device nor restarts.
So maybe it is indeed an unexpected behavior
I will investigate the scripts.
cheers
Eek
Re: Iptables restore scheduled?
Hi
I think I found it: /etc/dhcp/dhclient-exit-hooks.d/firewall_rewrite
Code: Select all
# Check if this is the right reason and interface for us.
# $reason, $interface and $new_ip_address are set by dhclient-script,
# which sources this hook after every lease event.
if [ "$reason" != "BOUND" ] && [ "$reason" != "RENEW" ] && [ "$reason" != "REBIND" ] || [ "$interface" != "eth0" ]
then
    echo "Firewall rewrite, nothing to do."
else
    # Update firewall config: patch only the PREROUTING destination address
    # in the saved file; the live ruleset is not saved first.
    echo "Update firewall config"
    sed -i "s/PREROUTING -d [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\/[0-9]*/PREROUTING -d $new_ip_address\/32/" /etc/network/firewall.conf
    echo "Activate updated firewall config."
    # Reload from the file, replacing whatever rules are currently live.
    /sbin/iptables-restore /etc/network/firewall.conf
fi
As I understand it: when a RENEW of my eth0 dhcp is needed, it does not save the iptables and then do the clever sed for the PREROUTING, but it uses the file /etc/network/firewall.conf.
Which is why my iptables get reset to the default.
cheers
Eek
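For comparison, an added example (not Excito's firewall_rewrite hook and not a fix shipped by the project) of the same hook logic written so that the live rules are snapshotted with iptables-save before the PREROUTING address is patched and reloaded, which is the step Eek points out is missing. FIREWALL_CONF, IPTABLES_SAVE and IPTABLES_RESTORE are assumed variable names so the file-rewrite part can be run offline against a constructed ruleset.

```shell
# Added example: hardened variant of the dhclient exit hook. The difference
# from the shipped hook is that the running ruleset is saved first, so rules
# added by hand since boot survive a DHCP RENEW instead of being replaced.
# Assumed names: FIREWALL_CONF, IPTABLES_SAVE, IPTABLES_RESTORE.

FIREWALL_CONF="${FIREWALL_CONF:-/etc/network/firewall.conf}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"

# should_rewrite REASON INTERFACE -> 0 only for a new/renewed lease on eth0
# (same condition as the original hook, written as a case statement).
should_rewrite() {
    reason="$1"; interface="$2"
    [ "$interface" = "eth0" ] || return 1
    case "$reason" in
        BOUND|RENEW|REBIND) return 0 ;;
        *) return 1 ;;
    esac
}

# rewrite_prerouting FILE NEW_IP -> replace the "PREROUTING -d a.b.c.d/n"
# destination in a saved ruleset with NEW_IP/32 (the original hook's sed).
rewrite_prerouting() {
    conf="$1"; new_ip="$2"
    sed -i "s/PREROUTING -d [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\/[0-9]*/PREROUTING -d ${new_ip}\/32/" "$conf"
}

# The hook body: dhclient-script sources this file with $reason,
# $interface and $new_ip_address already set.
firewall_rewrite_hook() {
    if ! should_rewrite "$reason" "$interface"; then
        echo "Firewall rewrite: nothing to do."
        return 0
    fi
    # Snapshot the LIVE ruleset into a temp file first; iptables-save output
    # is the format iptables-restore reads, so the file stays loadable.
    "$IPTABLES_SAVE" > "$FIREWALL_CONF.new" || return 1
    rewrite_prerouting "$FIREWALL_CONF.new" "$new_ip_address"
    # Replace the config atomically, then reload the patched ruleset.
    mv "$FIREWALL_CONF.new" "$FIREWALL_CONF"
    "$IPTABLES_RESTORE" < "$FIREWALL_CONF"
}

# To use as a hook, end the file with a call: firewall_rewrite_hook
```

The trade-off is that whatever is live at renewal time, including a half-finished manual change, becomes the persisted configuration, so the canary check from earlier in the thread is still worth keeping.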