Hi All,
All of a sudden on two servers, PGL has issues starting and stopping:
Here's the log:
2017-02-26 02:25:19 MST Begin: pglcmd restart
Stopping pglcmd.wd [ OK ]
Deleting iptables ...
Iptables deleted.
Stopping pgld [ OK ]
Building blocklist ...
WARN: No valid ASCII blocklist format line:
INFO: ASCII: 180797 entries loaded from "STDIN"
INFO: Merged 94863 of 180797 entries.
INFO: Blocking 85934 IP ranges (9593501 IPs).
Blocklist built.
Inserting iptables ...
..Setting up iptables for INPUT:
....Creating chainiptables: Chain already exists.
[fail]
Deleting iptables ...
..Executing iptables remove script /usr/local/var/lib/pgl/.pglcmd.iptables.remove.sh [ OK ]
..Removing iptables remove script /usr/local/var/lib/pgl/.pglcmd.iptables.remove.sh [ OK ]
Iptables deleted.
root@ubuchi:/usr/local/var/log/pgl# pglcmd restart
* Restarting PeerGuardian Linux pgld [fail]
root@ubuchi:/usr/local/var/log/pgl# pglcmd restart
* Restarting PeerGuardian Linux pgld [fail]
root@ubuchi:/usr/local/var/log/pgl# pglcmd restart
* Restarting PeerGuardian Linux pgld [ OK ]
If I keep trying to restart it, eventually it will work as shown in the last part of my log. pglcmd status shows it running too when I get it to work. pglcmd stop always seems to work. pglcmd start seems to fail randomly where a blank line in the log shows nothing.
I'm running Ubuntu 14.04 x64 with the latest updates. This issue wasn't happening until the last few days. Any idea what might be going on?
Hi,
no, absolutely no idea. Generally, for Ubuntu I'd recommend using the pre-built packages from my PPA - but since it was working before I doubt that you have a broken installation.
Did you change any configuration (in pgl or anything networking related)?
~~~~~
..Setting up iptables for INPUT:
....Creating chainiptables: Chain already exists.
~~~~~
--> The iptables chain pgl_in can't be created because it still exists from a previous run. But usually on every start pgl creates a file .pglcmd.iptables.remove to remember to delete this chain. Maybe you have installed anything that also takes care of iptables rules and always re-adds this chain, although it shouldn't.
I keep seeing a lot of these messages as well:
Does this look right in terms of the chain pgl has built (sensitive IPs removed):
It looks like my servers keep going down randomly until I flush iptables (they don't accept any incoming traffic at all). Not sure what's going on, but I am using Fail2Ban, PGL, and am banning IP addresses using a script I've written. Evidently, one of my servers has 11,000 iptables rules after about 8 hours. I'm wondering if maybe I have too many? In any event, right after flushing iptables, pglcmd restart still doesn't want to work.
What's going on when it outputs "fail"? Why would the xtables be locked?
So that's the issue, something holds an xtables lock (never heard of xtables locks before).
11,000 iptables rules indeed sounds problematic - that's why PG was written years ago to handle large amounts of IPs to be blocked. In the meantime much changed (I'm unfortunately not up to date), but generally I think you might have to decide for one system. So either move your script thing to make PG lists, or look into using some modern implication, e.g. ipset.
Between you issuing the flush-command and the iptables really being flushed might be quite some time. I think the problem is really the 11,000 rules.
About your setup: pgl_fwd will not block anything because in your network traffic will always be sent to or from your hosts, so your rule always matches.
Besides, what you posted looks good on a very quick glance. However e.g. in OUTPUT you need a rule that sends traffic to pgl_out, for pgl to work.
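The two points above (a pgl chain that is still defined from an earlier run, and a built-in chain such as OUTPUT that has no rule handing traffic to its pgl chain) can both be checked from an `iptables -S` dump. The script below is an added example, not code from pgl or from anyone in this thread; it assumes the chain names pgl_in, pgl_out and pgl_fwd mentioned above, and the 5000-rule warning threshold is an arbitrary assumption. The ruleset it audits is a constructed sample that reproduces the missing OUTPUT jump.

```shell
#!/bin/sh
# Added example (not pgl's own code): audit an `iptables -S` dump for the
# chain layout pgl expects. Chain names pgl_in, pgl_out and pgl_fwd are the
# ones named in the thread; the rule-count threshold is an assumption.

# Constructed sample dump. INPUT and FORWARD hand off to the pgl chains, but
# OUTPUT has no jump to pgl_out, the gap pointed out above.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-N pgl_in
-N pgl_out
-N pgl_fwd
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -j pgl_in
-A FORWARD -j pgl_fwd
-A fail2ban-ssh -s 192.0.2.10/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN
-A pgl_in -s 198.51.100.0/24 -j DROP'

# chain_defined RULES CHAIN: true if CHAIN appears as a -N line.
chain_defined() {
    printf '%s\n' "$1" | grep -q -- "^-N $2\$"
}

# has_jump RULES BUILTIN TARGET: true if some rule in BUILTIN jumps to TARGET.
has_jump() {
    printf '%s\n' "$1" | grep -q -- "^-A $2 .*-j $3\$"
}

# count_rules RULES: number of -A lines, the part of a ruleset that grows
# with every ban (grep -c prints 0 on no match but exits 1, hence || true).
count_rules() {
    printf '%s\n' "$1" | grep -c -- '^-A ' || true
}

# audit_pgl RULES: print one line per finding; return the number of findings.
audit_pgl() {
    rules=$1
    problems=0
    for pair in INPUT:pgl_in OUTPUT:pgl_out FORWARD:pgl_fwd; do
        base=${pair%%:*}
        chain=${pair##*:}
        if ! chain_defined "$rules" "$chain"; then
            echo "MISSING: chain $chain is not defined (pgl not started?)"
            problems=$((problems + 1))
        elif ! has_jump "$rules" "$base" "$chain"; then
            # A defined chain with no jump is either a leftover from a run
            # that never cleaned up, or a start that failed half-way.
            echo "MISSING: $base has no rule jumping to $chain; pgl will not filter that direction"
            problems=$((problems + 1))
        fi
    done
    n=$(count_rules "$rules")
    if [ "$n" -gt "${RULE_WARN:-5000}" ]; then
        echo "WARN: $n rules in this table; per-IP rules are matched linearly, consider ipset"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On a live host: audit_pgl "$(iptables -S)". Here the constructed sample
# is audited instead; the exit status is the number of findings.
audit_pgl "$SAMPLE_RULES" || echo "audit found $? problem(s)"
```

Run as root on the affected server with `audit_pgl "$(iptables -S)"` right after a failed `pglcmd start`: a "defined but no jump" finding for pgl_in is the state the "Chain already exists" log line above leaves behind, and the rule count shows how far the Fail2Ban and script-generated per-IP rules have grown.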
These days it would be worth looking into nftables instead. It's ramping up to totally replace {ip,ip6,arp,eb}tables, and one thing touted about it is much increased performance of rule-checking: it's not strictly linear like *tables.
Edit: Oops, forgot the URL https://netfilter.org/projects/nftables/
Last edit: Athanasius 2017-02-27
I wouldn't know what to do without PeerGuardian for my Linux servers, so if this could be updated to work with the latest stuff, that would be awesome! As for who's responsible for breaking iptables... well, it appears to be PeerGuardian or the blocklist I linked to. I disabled PeerGuardian for now until I can figure out what's going on and stopped pulling the list from blocklist.de. I am just using Fail2Ban and a list of manually banned IP addresses I've created.
Maybe PGL should use the -w option if xtables is enabled?
I'd be willing to donate some funds for development... wouldn't be much, but it might help. We very much still need applications like PeerGuardian and PeerBlock (for Windows) these days.
No promises at all, since I didn't work on pgl for more than a year and don't know at all if/when I will resume work. On the other side this issue may be a low-hanging fruit to motivate me working on this again. If I set up something for donations I'll tell you ;)
TODO pgl development:
short-run: try "iptables -w"
medium: replace "iptables" with "nft"
long run (probably): replace pgld with ipset
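What `iptables -w` does is wait for the xtables lock instead of failing with "fail" and no detail. The wrapper below is an added example, not pgl's or Fail2Ban's code, showing the same wait-and-retry around any command, for the case where a tool cannot be told to pass -w itself. It assumes that a lock-busy failure is recognisable by the words "xtables lock" in iptables' stderr and that iptables exits with status 4 in that case (the fake stand-in used for the demo is constructed to behave that way so the retry path runs without root).

```shell
#!/bin/sh
# Added example (not pgl's own code): wait out xtables lock contention the way
# `iptables -w` does, but around any command. Assumptions: the lock-busy
# message contains "xtables lock" and nothing else does, and iptables exits
# with status 4 for it.

# iptables_retry CMD ARGS...: run the command, retry while it reports the
# xtables lock as busy, and return its final exit status. IPT_ATTEMPTS and
# IPT_DELAY (seconds) tune the loop; other errors are returned immediately.
iptables_retry() {
    attempts=${IPT_ATTEMPTS:-5}
    delay=${IPT_DELAY:-1}
    i=1
    while :; do
        # Capture stderr only; stdout of iptables is not needed here.
        err=$("$@" 2>&1 >/dev/null) && return 0
        status=$?
        case $err in
            *"xtables lock"*)
                if [ "$i" -ge "$attempts" ]; then
                    echo "giving up after $i attempts: $err" >&2
                    return "$status"
                fi
                echo "xtables lock busy, attempt $i/$attempts, retrying in ${delay}s" >&2
                sleep "$delay"
                i=$((i + 1))
                ;;
            *)
                # Not lock contention (bad rule, missing chain, ...): fail now.
                printf '%s\n' "$err" >&2
                return "$status"
                ;;
        esac
    done
}

# Constructed stand-in for iptables so the retry path runs without root:
# it reports the lock as busy until the counter in FAKE_LOCK_COUNT hits 0.
FAKE_LOCK_COUNT=$(mktemp)
trap 'rm -f "$FAKE_LOCK_COUNT"' EXIT
fake_iptables() {
    left=$(cat "$FAKE_LOCK_COUNT")
    if [ "$left" -gt 0 ]; then
        echo $((left - 1)) > "$FAKE_LOCK_COUNT"
        echo "Another app is currently holding the xtables lock. Perhaps you want to use the -w option?" >&2
        return 4
    fi
    echo "applied: $*"
}

# Demo: the lock is busy for two attempts, then the rule goes in.
echo 2 > "$FAKE_LOCK_COUNT"
IPT_DELAY=0
iptables_retry fake_iptables -A INPUT -j pgl_in && echo "rule applied after the lock cleared"
# On a real host the call would be: iptables_retry iptables -A INPUT -j pgl_in
```

The point of returning other errors immediately is that a "Chain already exists" failure like the one in the first log is not lock contention and should not be retried; retrying it would only hide the leftover chain that the .pglcmd.iptables.remove file is meant to clean up.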
I converted everything over to PGL's list format and updated Fail2Ban to use the -w flag with iptables. That should remove any conflicts from happening, but I'm still having problems on one of my servers. The other seems to be happy after converting it over the same way.
I'm still running into the above issue where it outputs fail without any information when trying to start or restart pglcmd on the problematic server. It eventually works if I call restart and stop enough times. Here's how I installed and compiled it on Ubuntu 14.04 on the server where it's having problems (I did it a little differently on the server that is working, but I can't remember the differences):
http://blog.eamster.tk/?p=471 (didn't use instructions for 12.04 and older or 16.04)
Last edit: Eric 2017-03-11