netfilter-persistent debian jessie ipv6 issue

2

I can't save new IPv4 rules with netfilter-persistent. I get the following error:

May 10 19:41:53 debian systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has begun starting up.
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2
May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
May 10 19:41:53 debian systemd[1]: netfilter-persistent.service: main process exited, code=exited, status=1/FAILURE
May 10 19:41:53 debian systemd[1]: Failed to start netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has failed

This is the script that is failing:

#!/bin/sh

# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter <[email protected]>
# Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.

exit 0   # NOTE: this early exit makes everything below unreachable

set -e

rc=0

load_rules()
{
        #load IPv6 rules
        if [ ! -f /etc/iptables/rules.v6 ]; then
                echo "Warning: skipping IPv6 (no rules to load)"
                exit 0
        else
                # with "set -e" above, a failing restore terminates the script
                # right here with ip6tables-restore's own exit status; the
                # check below is only reached when the restore succeeded
                ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

save_rules()
{
        #save IPv6 rules
        #need at least ip6table_filter loaded:
        /sbin/modprobe -q ip6table_filter
        if [ ! -f /proc/net/ip6_tables_names ]; then
                # log_action_cont_msg is an LSB init-script helper that is not
                # defined in this plugin, so plain echo is used instead
                echo "Warning: skipping IPv6 (no modules loaded)"
        elif [ -x /sbin/ip6tables-save ]; then
                touch /etc/iptables/rules.v6
                chmod 0640 /etc/iptables/rules.v6
                ip6tables-save > /etc/iptables/rules.v6
                if [ $? -ne 0 ]; then
                        rc=1
                fi
        fi
}

flush_rules()
{
        if [ ! -f /proc/net/ip6_tables_names ]; then
                echo "Warning: skipping IPv6 (no module loaded)"
        elif [ -x /sbin/ip6tables ]; then
                for param in F Z X; do /sbin/ip6tables -$param; done
                for table in $(cat /proc/net/ip6_tables_names)
                do
                        /sbin/ip6tables -t $table -F
                        /sbin/ip6tables -t $table -Z
                        /sbin/ip6tables -t $table -X
                done
                for chain in INPUT FORWARD OUTPUT
                do
                        /sbin/ip6tables -P $chain ACCEPT
                done
        fi
}

case "$1" in
start|restart|reload|force-reload)
        load_rules
        ;;
save)
        save_rules
        ;;
stop)
        # Why? because if stop is used, the firewall gets flushed for a variable
        # amount of time during package upgrades, leaving the machine vulnerable
        # It's also not always desirable to flush during purge
        echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
        ;;
flush)
        flush_rules
        ;;
*)
        echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
        exit 1
        ;;
esac

exit $rc
    
by WAS 11.05.2017 / 02:45

1 answer

1

Quick fix

In my case I had a broken rule with -j ULOG in the /etc/iptables/rules.v4 file. Removing that line and re-running apt-get upgrade fixed the problem for me.

How to debug

The error is here:

May 10 19:41:53 debian netfilter-persistent[3099]: run-parts: /usr/share/netfilter-persistent/plugins.d/15-ip4tables exited with return code 2

You can run it as root to debug it:

/usr/share/netfilter-persistent/plugins.d/15-ip4tables start

After checking the source of /usr/share/netfilter-persistent/plugins.d/15-ip4tables, this was the suspicious command that fails:

/sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null

You can run it on its own too:

/sbin/iptables-restore -v < /etc/iptables/rules.v4

The reported broken line was not useful, so I just ran the lines in a shell prefixed with 'iptables' to get something useful. For example, for the line

-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT

you can run

iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
    
by 15.12.2017 / 11:37
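A script that automates the last step of the answer above. This is an added example, not part of the original answer or of netfilter-persistent. The posted plugin redirects iptables-restore's stderr to /dev/null and runs under set -e, so the journal only ever shows the plugin's exit status; iptables-restore's own message gives little more than a line number. Instead of replaying every line with a bare `iptables` prefix (which changes the live firewall), this wraps each -A/-I rule, together with its table header and the table's chain declarations, in a minimal ruleset and feeds it to `iptables-restore --test`, which parses and builds the ruleset without committing it. The function name check_rules and the optional second argument (the restore binary, so ip6tables-restore or a stub can be substituted) are this example's own choices.

```sh
#!/bin/sh
# check_rules: find the rule(s) in an iptables-save dump that iptables-restore
# rejects, without touching the live firewall.
#
# Every -A/-I line is wrapped in a minimal ruleset (its "*table" header plus the
# ":CHAIN POLICY [0:0]" declarations seen in that table, so "-j USERCHAIN"
# resolves) and dry-run through "iptables-restore --test", which parses and
# builds the ruleset but does not commit it.
#
# Usage: check_rules RULES_FILE [RESTORE_CMD]
#   RESTORE_CMD defaults to iptables-restore; use ip6tables-restore for rules.v6.
#   Exit status is 0 if every rule parses, 1 otherwise. Each failing rule is
#   printed with its line number and the error the restore tool produced.
check_rules() {
    rules="$1"
    restore="${2:-iptables-restore}"
    nl='
'                       # a literal newline, for joining chain declarations
    table=filter        # iptables-save always emits "*table" first; safe default
    chains=""
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '*'*)  table="${line#\*}"; chains="" ;;   # new table section
            ':'*)  chains="$chains$line$nl" ;;        # chain declaration
            -A*|-I*)
                err=$(printf '*%s\n%s%s\nCOMMIT\n' "$table" "$chains" "$line" \
                      | "$restore" --test 2>&1) || {
                    bad=$((bad + 1))
                    printf '%s:%d: %s\n    %s\n' "$rules" "$n" "$line" "$err"
                }
                ;;
            *) ;;                                     # COMMIT, comments, blanks
        esac
    done < "$rules"
    [ "$bad" -eq 0 ]
}

# When executed directly, check the file given on the command line, e.g.
#   sh check_rules.sh /etc/iptables/rules.v4
#   sh check_rules.sh /etc/iptables/rules.v6 ip6tables-restore
if [ -n "${1:-}" ]; then
    check_rules "$1" "${2:-}"
fi
```

Run it as root (iptables-restore needs to talk to netfilter even in --test mode). Once the offending rule is removed from rules.v4, `netfilter-persistent start` (or the `apt-get upgrade` that triggered the unit) should succeed, and `iptables-restore --test < /etc/iptables/rules.v4` is a quick way to confirm before re-running it.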