fw script fails to load IPv4 rules only @boot

Anonymous
2011-06-04
2013-03-05
  • Anonymous - 2011-06-04
    Starting D-Bus daemon..done
    [   10.109955] ADDRCONF(NETDEV_UP): tap1: link is not ready
    Setting up (localfs) network interfaces:
        lo        name: LO
        lo        IP address: 127.0.0.1/8
                  IP address: 127.0.0.2/8
    Error while executing:
       Command 'ip -4 route replace to loopback.0.0.0/8 dev lo' returned:
      Error: an inet prefix is expected rather than "loopback.0.0.0/8".
       Configuration line: loopback * 255.0.0.0 lo
        lo
    ..done    eth0      name: ETH0
    At a remote host, I've installed a FWBuilder script, "firewall.fw" with both IPv4 & IPv6 rules.
    It loads & installs without error.  'iptables -L' & 'ip6tables -L' display what's expected.
    At the remote's shell, I can "sh firewall.fw", again with no error.
    If I create a '/etc/init.d/boot.local' boot script
        #!/bin/sh 
        sh /etc/fw/firewall.fw
    then reboot, the firewall loads at boot as expected, both IPv4 & IPv6.
    If I modify the boot script
        #!/bin/sh
        sh /etc/fw/close.fw
        sh /etc/fw/firewall.fw
    where
        cat /etc/fw/close.fw
            #!/bin/sh
            ADMIN_IP="1.2.3.4/255.255.255.255"
            IPT="/usr/sbin/iptables"
            IP6T="/usr/sbin/ip6tables"
            $IPT  -P INPUT   DROP
            $IPT  -P FORWARD DROP
            $IPT  -P OUTPUT  DROP
            $IP6T -P INPUT   DROP
            $IP6T -P FORWARD DROP
            $IP6T -P OUTPUT  DROP
            $IPT  -F
            $IPT  -X
            $IP6T -F
            $IP6T -X
            $IPT -A INPUT  -p tcp -m tcp -s $ADMIN_IP --dport 22 -m state --state NEW,ESTABLISHED     -j ACCEPT
            $IPT -A OUTPUT -p tcp -m tcp -d $ADMIN_IP --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
    After reboot, 'ip6tables -L' displays the expected rules defined in 'firewall.fw'.
    But 'iptables -L' still reports just what the 1st script, 'close.fw' set.
     iptables -L
      Chain INPUT (policy DROP)
      target     prot opt source     destination
      ACCEPT     tcp  --  1.2.3.4    anywhere      tcp dpt:ssh state NEW,ESTABLISHED
      
      Chain FORWARD (policy DROP)
      target     prot opt source     destination
      
      Chain OUTPUT (policy DROP)
      target     prot opt source     destination
      ACCEPT     tcp  --  anywhere   1.2.3.4       tcp spt:ssh state RELATED,ESTABLISHED
    If I immediately execute 'sh firewall.fw', the "missing" IPv4 rules are loaded, with no error.
    Something's wrong only in the case of having a closed firewall before running the fwbuilder script, and only in the case of the commands executing in the bootup script.
    How can I debug why and where the FWBuilder-generated script is failing in this case?  At the moment, I see no errors in any log in /var/log/* or dmesg.
    
     
  • Vadim Kurland

    Vadim Kurland - 2011-06-05

    you could modify your /etc/init.d/boot.local script to capture the output of the firewall.fw script to some file, then reboot and later inspect the file. Make sure you redirect both stdout and stderr though.
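    The capture the reply suggests, written out as an added example (not a script from the thread or from FWBuilder): a boot.local that runs the poster's two scripts in the same order but sends each one's stdout and stderr, a shell trace and the exit status to a log file that can be read after the reboot. The paths /etc/fw/close.fw, /etc/fw/firewall.fw and the log location /var/log/fw-boot.log are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): an /etc/init.d/boot.local that runs the two
# firewall scripts in the order the original poster uses, but captures each
# script's stdout AND stderr, a shell trace and its exit status into one log.
# Paths /etc/fw/close.fw, /etc/fw/firewall.fw and the log location are assumed.

FW_LOG="${FW_LOG:-/var/log/fw-boot.log}"   # assumed log file, override via env

# run_logged NAME CMD...: run CMD with stdout and stderr appended to $FW_LOG,
# bracketed by a timestamped header and a footer; returns CMD's exit status.
run_logged() {
    name="$1"
    shift
    printf '=== %s start %s ===\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$name" >> "$FW_LOG"
    # "2>&1" must come after ">>": the other order leaves stderr on the console,
    # which is exactly the output that is lost at boot time
    "$@" >> "$FW_LOG" 2>&1
    rc=$?
    printf '=== %s exited with status %d ===\n' "$name" "$rc" >> "$FW_LOG"
    return "$rc"
}

main() {
    # Stop at the first failure: a closed firewall (close.fw only) is a safer
    # state to boot into than a partially loaded rule set.
    run_logged close.fw    sh -x /etc/fw/close.fw    || exit 1
    # -x traces every command, so the log shows the last iptables call that ran
    # before anything went wrong
    run_logged firewall.fw sh -x /etc/fw/firewall.fw || exit 1
}

# Run main only when executed as boot.local, not when sourced elsewhere
if [ "${0##*/}" = "boot.local" ]; then
    main
fi
```

    After the reboot, read the log from the bottom: iptables reports its failures on stderr and not to syslog or dmesg, which is why /var/log and dmesg looked clean, and the trace lines from sh -x show which command in firewall.fw was the last to run and what its exit status was.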

     
