I need some help, or advice.

I have a new server I am trying to get into production and I cannot get it to load its rules on a reboot.

"Debian GNU/Linux 10 (buster)"; it is up to date in its packages.

I have installed iptables-persistent, I have run dpkg-reconfigure iptables-persistent, and it does save the rules in /etc/iptables.

I have the following in the folder: rules.v4, rules.v6

On a reboot it will not load my rules. If I do this below, it works just fine! It will just not do this for me on reboot.

iptables-restore < /etc/iptables/rules.v4

I have tried following many leads online, starting from these.

Why do iptables rules disappear when restarting my Debian system?

Why isn't the Iptables persistent service saving my changes?

I don't know what I am doing wrong. I do have fail2ban installed and working. I can't see this conflicting, but on boot they both would be working with iptables...

Are there ways to view the iptables logs? Does it log to journalctl? I cannot find any messages that can give me an idea why it is not working.

These rules gotta load on boot. Someone did mention to load this in /etc/rc.local, which I am unfamiliar with; that file is not there on Debian, and some have explained to just stick with iptables-persistent, which I would tend to agree with.

Any help is appreciated, or logs to iptables if any.

These are my boot logs when I try a reboot (journalctl -f -unetfilter-persistent):

Jan 02 15:09:06 domain.ca netfilter-persistent[720]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 02 15:09:06 domain.ca systemd[1]: Started netfilter persistent configuration.
Jan 02 15:09:50 domain.ca systemd[1]: Stopping netfilter persistent configuration...
Jan 02 15:09:50 domain.ca netfilter-persistent[1434]: Automatic flush disabled; use '/usr/sbin/netfilter-persistent flush'
Jan 02 15:09:50 domain.ca systemd[1]: netfilter-persistent.service: Succeeded.
Jan 02 15:09:50 domain.ca systemd[1]: Stopped netfilter persistent configuration.
Jan 02 15:09:50 domain.ca systemd[1]: Starting netfilter persistent configuration...
Jan 02 15:09:50 domain.ca netfilter-persistent[1436]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 02 15:09:50 domain.ca netfilter-persistent[1436]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 02 15:09:50 domain.ca systemd[1]: Started netfilter persistent configuration.
  • Not strictly related to your question, but I would suggest you to migrate to nftables as iptables is deprecated, less and less maintained and absent from recent Linux distributions by default. Also, nftables has a built-in systemd nftables.service for creating your ruleset (from /etc/nftables.conf) automatically during boot. – Totor Dec 27 '22 at 18:23
  • @Totor In Debian 10 and later, the iptables package contains two versions of iptables command: iptables-legacy actually uses the iptables kernel components, but the default iptables-nft actually uses nftables although the command syntax is identical to iptables. What you get with just iptables is switchable with sudo update-alternatives --config iptables - but at least Debian 11 and I think 10 too will default to the nftables version. – telcoM Dec 29 '22 at 21:21
  • @telcoM Sure. Still, this is a transition mechanism for a legacy tool. It could be used to convert a ruleset to nft though (using nft list ruleset to dump the nftables config once your firewall is configured as you like). Then, use the default mechanism (systemd nftables.service) to start it at boot. – Totor Jan 02 '23 at 03:04

2 Answers

Iptables interacts with Linux netfilter in the background:

Install iptables-persistent packages

$ sudo apt install iptables-persistent -y

Start and enable iptables-persistent service

$ sudo systemctl enable --now netfilter-persistent.service

To save the netfilter/iptables rules:

$ sudo netfilter-persistent save
  • Hi Thanks for your comment. But I've tried all these, as per the links I've posted. None of them work. If I do systemctl restart netfilter-persistent however, it works. So basically the service is loading too fast from what I can understand. I just can't figure out how to fix – gstlouis Jan 02 '23 at 20:11
  • @gstlouis, obviously this has been a while, but I've just been debugging a similar problem and it was caused by my having a hostname in the rules file instead of an IP address. I guess the rules are being applied before the DNS server comes up? Changing to an IP address solved the problem for me. – Dan Nov 13 '23 at 16:31
  • @Dan Thanks for the comment. So, to make sure I understand, if I go into /etc/iptables/rules.v4, which is what iptables will fetch to load when booting, I should be looking for any DNS names instead of IPs? Because if I do a vim /etc/iptables/rules.v4 I do not see any DNS names in my rules. – gstlouis Nov 21 '23 at 02:03
  • @gstlouis yes, using domains instead of IPs was the cause for me – Dan Nov 22 '23 at 12:36
So. After all this time spent on this, the only way I got it working was to set the restore in rc.local with a sleep 1. There is something on this machine that is taking time to load, as in the network or something.

I have tried editing the daemon in persistent to load later after other components from a thread I read. Nothing worked.

Finally, on Debian, you can enable rc.local with systemctl enable rc.local; once this service started, I went into its file with vim /etc/rc.local and added the following:

#!/bin/bash
# This script is executed at the end of each multiuser runlevel
sleep 1
/sbin/iptables-restore < /etc/iptables/rules.v4
# bash /root/restore.sh
exit 0

After a reboot, all my rules are up. I think the better solution is as others have mentioned to move to another firewall since iptables will be deprecated. But I have complicated rules and no time.

Pablo A