
IPTABLES being overwritten

ezduzit
Posts: 1
Joined: 25 Feb 2014, 16:54

IPTABLES being overwritten

Post by ezduzit »

I am using a Bubba 3 as a wireless access point and router syslog. As a consequence I have added a few iptables statements to the original and enabled them by iptables-restore < myiptablesrules. An iptables -L confirms the activation of my new rules. After a short time another iptables -L reveals the original bubba table has been restored and my changes overwritten.

Anybody know what process is causing this restoration of the original rules, or alternatively where the original Bubba firewall statements are kept so I can modify them if it insists on playing its silly games?
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: IPTABLES being overwritten

Post by RandomUsername »

Yeah, it's overwritten every time the DHCP client renews its lease.

Is there a reason you don't add these rules with the web interface? If you do, it would mitigate this problem I think.

Your problem is discussed here: http://forum.excito.net/viewtopic.php?f=9&t=4265.

The solution I proposed (adding /sbin/iptables-save > /etc/network/firewall.conf to /etc/dhcp/dhclient-exit-hooks.d/firewall_rewrite) works for me but I don't manually edit my iptables rules so YMMV, and be careful you don't block yourself.
stasheck
Posts: 126
Joined: 15 Jan 2014, 13:13

Re: IPTABLES being overwritten

Post by stasheck »

ezduzit, I think you're doing it the wrong way (or I misunderstood something).

For reference: in my config, eth0 is running dhcp-client, and eth1 dhcp server.

I am always adding iptables rules to live config first, so in case I mess something up I can always just reload the box. After checking that all is working as desired, I simply do 'iptables-save >/etc/network/firewall.conf'.

Now here is the part I'm not sure about: I did not try to edit firewall from webgui after that, so I'm not sure if it won't get overwritten.

And the reason for me not to use WebGUI to add the rules is that they are specifically set to block SSH for 1 minute after 3 failed login attempts:

Code:

-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j DROP
(this goes in after '-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT ')
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: IPTABLES being overwritten

Post by Gordon »

Do make a note that the shutdown command of the bubba-firewall service file stores the current active firewall settings. As a result, if you shut yourself out, then rebooting the B3 will not fix that. You will either need the rescue stick or you should kill the power with the B3 still running. Obviously the latter can cause corruption on open files.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: IPTABLES being overwritten

Post by Ubi »

One trick I once learned was to first write a good firewall status to a file using iptables-save, before you start messing with firewall rules. Then make a cronjob that does iptables-restore with that saved iptables file. If you put this cronjob in cron-daily you can only lock yourself out for a day. Alternatively use the at daemon to run iptables-restore at a specific point in time so you know you can mess up but still access the machine at a known time.
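A safety net that combines the advice in this thread (snapshot a known-good ruleset before live edits as Ubi describes, schedule a restore with at, and only persist to firewall.conf, per RandomUsername and stasheck, after checking that the RELATED,ESTABLISHED accept sits ahead of the SSH rate-limit DROP). This is an added example, not code from Excito or from any poster; it assumes the thread's /etc/network/firewall.conf path, and the firewall.known-good filename is my own choice.

```shell
#!/bin/sh
# Safety net for live iptables edits on a B3 (constructed example, not Excito's
# or any poster's code). Assumes the thread's convention that the persisted
# ruleset is /etc/network/firewall.conf; the known-good path is my own choice.

RULES_FILE="${RULES_FILE:-/etc/network/firewall.conf}"
BACKUP_FILE="${BACKUP_FILE:-/etc/network/firewall.known-good}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"

# Sanity-check a saved ruleset before it is allowed to persist across reboots.
# Returns 1 for an empty file, 2 for a file missing the COMMIT line or the
# RELATED,ESTABLISHED accept, 3 if the SSH rate-limit DROP precedes that accept
# (which would also cut off the admin's own established session).
check_ruleset() {
    file="$1"
    [ -s "$file" ] || return 1
    grep -q '^COMMIT' "$file" || return 2
    est=$(grep -n -- '--state RELATED,ESTABLISHED -j ACCEPT' "$file" | head -n 1 | cut -d: -f1)
    drop=$(grep -n -- '--name SSH --rsource -j DROP' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$est" ] || return 2
    [ -z "$drop" ] && return 0
    [ "$est" -lt "$drop" ] || return 3
    return 0
}

# 1. Before touching live rules, snapshot the working state (Ubi's trick).
snapshot_known_good() {
    "$IPTABLES_SAVE" > "$BACKUP_FILE" && check_ruleset "$BACKUP_FILE"
}

# 2. Schedule an automatic rollback so a mistake is only a temporary lockout.
#    Cancel the job with atrm once the new rules are confirmed good.
schedule_rollback() {
    printf '%s < %s\n' "$IPTABLES_RESTORE" "$BACKUP_FILE" | at "now + ${1:-10} minutes"
}

# 3. Persist the live rules only if they pass the check; otherwise leave
#    firewall.conf untouched so the next DHCP renew restores the old ones.
commit_rules() {
    tmp=$(mktemp) || return 1
    "$IPTABLES_SAVE" > "$tmp"
    if check_ruleset "$tmp"; then
        mv "$tmp" "$RULES_FILE"
        return
    fi
    rm -f "$tmp"
    return 1
}
```

Typical order on the box: snapshot_known_good, schedule_rollback 10, edit rules with iptables, then commit_rules and atrm the pending job.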
RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: IPTABLES being overwritten

Post by RandomUsername »

Good idea. I would set it in crontab to run @reboot though.
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: IPTABLES being overwritten

Post by Gordon »

Well, as you guys know I replaced the init-V script with one that does not save the current firewall state on shutdown (it has an on-off switch for this behaviour).