fw script fails to load IPv4 rules only @boot

nnn
2011-06-04
2013-03-05
  • nnn
    2011-06-04

    Starting D-Bus daemon..done
    [   10.109955] ADDRCONF(NETDEV_UP): tap1: link is not ready
    Setting up (localfs) network interfaces:
        lo        name: LO
        lo        IP address: 127.0.0.1/8
                  IP address: 127.0.0.2/8
    Error while executing:
       Command 'ip -4 route replace to loopback.0.0.0/8 dev lo' returned:
      Error: an inet prefix is expected rather than "loopback.0.0.0/8".
       Configuration line: loopback * 255.0.0.0 lo
        lo
    ..done    eth0      name: ETH0
    At a remote host, I've installed a FWBuilder script, "firewall.fw" with both IPv4 & IPv6 rules.
    It loads & installs without error.  'iptables -L' & 'ip6tables -L' display what's expected.
    At the remote's shell, I can "sh firewall.fw", again with no error.
    If I create a '/etc/init.d/boot.local' boot script
        #!/bin/sh 
        sh /etc/fw/firewall.fw
    then reboot, the firewall loads at boot as expected, both IPv4 & IPv6.
    If I modify the boot script
        #!/bin/sh
        sh /etc/fw/close.fw
        sh /etc/fw/firewall.fw
    where
        cat /etc/fw/close.fw
            #!/bin/sh
            ADMIN_IP="1.2.3.4/255.255.255.255"
            IPT="/usr/sbin/iptables"
            IP6T="/usr/sbin/ip6tables"
            $IPT  -P INPUT   DROP
            $IPT  -P FORWARD DROP
            $IPT  -P OUTPUT  DROP
            $IP6T -P INPUT   DROP
            $IP6T -P FORWARD DROP
            $IP6T -P OUTPUT  DROP
            $IPT  -F
            $IPT  -X
            $IP6T -F
            $IP6T -X
            $IPT -A INPUT  -p tcp -m tcp -s $ADMIN_IP --dport 22 -m state --state NEW,ESTABLISHED     -j ACCEPT
            $IPT -A OUTPUT -p tcp -m tcp -d $ADMIN_IP --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    After reboot, 'ip6tables -L' displays the expected rules defined in 'firewall.fw'.
    But 'iptables -L' still reports just what the 1st script, 'close.fw' set.
     iptables -L
      Chain INPUT (policy DROP)
      target     prot opt source     destination
      ACCEPT     tcp  --  1.2.3.4    anywhere      tcp dpt:ssh state NEW,ESTABLISHED
      
      Chain FORWARD (policy DROP)
      target     prot opt source     destination
      
      Chain OUTPUT (policy DROP)
      target     prot opt source     destination
      ACCEPT     tcp  --  anywhere   1.2.3.4       tcp spt:ssh state RELATED,ESTABLISHED
    If I immediately execute 'sh firewall.fw', the "missing" IPv4 rules are loaded, with no error.
    Something's wrong only in the case of having a closed firewall before running the fwbuilder script, and only in the case of the commands executing in the bootup script.
    How can I debug why and where the FWBuilder-generated script is failing in this case?  At the moment, I see no errors in any log in /var/log/* or dmesg.
    
     
  • Vadim Kurland
    2011-06-05

    You could modify your /etc/init.d/boot.local script to capture the output of the firewall.fw script to some file, then reboot and later inspect the file. Make sure you redirect both stdout and stderr though.
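    One way to do what the reply suggests, as an added example that is not part of the thread and not FWBuilder's own code: a boot-time wrapper that runs each script under `sh -x` so every iptables/ip command it executes is traced, merges stderr into stdout, appends everything to one log file together with the script's exit status, and records an `iptables-save`/`ip6tables-save` snapshot before and after, so the question of "where" the IPv4 rules go missing can be answered from the log after the reboot. The script paths /etc/fw/close.fw and /etc/fw/firewall.fw come from the original post; the log location /var/log/fw-boot.log and the `boot` argument that triggers the sequence are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): boot.local-style wrapper that logs
# a traced run of each firewall script, its exit status, and a rule
# snapshot before/after, so a boot-time failure can be inspected later.

# Assumed log location; override with FW_BOOT_LOG in the environment.
LOG="${FW_BOOT_LOG:-/var/log/fw-boot.log}"

# run_logged LOGFILE SCRIPT
# Runs SCRIPT with 'sh -x' (command trace), merges stderr into stdout,
# appends everything to LOGFILE with timestamps, and returns the script's
# exit status. The if/else keeps the status even under 'set -e'.
run_logged() {
    _log=$1
    _script=$2
    {
        printf '=== %s start: %s\n' "$(date '+%F %T')" "$_script"
        if sh -x "$_script" 2>&1; then
            _rc=0
        else
            _rc=$?
        fi
        printf '=== %s exit status %s: %s\n' "$(date '+%F %T')" "$_rc" "$_script"
    } >> "$_log" 2>&1
    return "$_rc"
}

# snapshot_rules LOGFILE LABEL
# Appends the current IPv4 and IPv6 rule sets to LOGFILE under LABEL.
# A missing or failing *-save tool is noted rather than aborting boot.
snapshot_rules() {
    _log=$1
    _label=$2
    {
        printf '=== rules (%s)\n' "$_label"
        for _tool in iptables-save ip6tables-save; do
            if command -v "$_tool" >/dev/null 2>&1; then
                "$_tool" 2>&1 || printf '%s failed\n' "$_tool"
            else
                printf '%s not found\n' "$_tool"
            fi
        done
    } >> "$_log" 2>&1
}

# Boot sequence from the post, run only when invoked as:  sh fw-boot-debug.sh boot
# (so that sourcing or testing this file does not touch the live firewall).
if [ "${1:-}" = "boot" ]; then
    snapshot_rules "$LOG" "before close.fw"
    run_logged "$LOG" /etc/fw/close.fw
    run_logged "$LOG" /etc/fw/firewall.fw \
        || printf 'firewall.fw failed, see %s\n' "$LOG"
    snapshot_rules "$LOG" "after firewall.fw"
fi
```

    Point /etc/init.d/boot.local at this file with the `boot` argument, reboot, and read the log: the `+ ...` trace lines show the last command firewall.fw executed before the IPv4 rules stopped appearing, the `exit status` line shows whether the script believed it failed, and the two snapshots show what the IPv4 table actually contained before and after the run.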