iptables- restore issue

Support for security such as Firewalls and securing linux
mania
Posts: 49
Joined: 2020/12/19 05:55:37

iptables- restore issue

Post by mania » 2021/09/15 06:25:43

Hi,
I have an installed centos7.6.1810 (3.10.0-957.e17.x86_64 kernel) and got the below error as the result of the iptables-restore command. How can I address this issue?


sudo iptables-restore < /etc/firewalld/iptables-template.txt -v
# Completed on Thu Aug 1 12:00:06 2013
# Generated by iptables-save v1.4.6 on Thu Aug 1 12:00:06 2013
iptables-restore v1.4.21: iptables-restore: unable to initialize table 'filter'

Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.



lsmod | grep iptable
iptable_nat 12875 1
nf_nat_ipv4 14115 1 iptable_nat
iptable_mangle 12695 1
iptable_security 12705 1
iptable_raw 12678 1
iptable_filter 12810 1
ip_tables 27126 5 iptable_security,iptable_filter,iptable_mangle,iptable_nat,iptable_raw

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables- restore issue

Post by TrevorH » 2021/09/15 08:46:58

I have an installed centos7.6.1810 (3.10.0-957.e17.x86_64 kernel) and got the below error as the result of the iptables-restore command. How can I address this issue?
You are badly out of date on that system - CentOS 7.6 is 3 years out of date. Run yum update once you've fixed your current problem and get yourself up to date. There are numerous high severity security vulnerabilities in 7.6.

What is the content of your /etc/firewalld/iptables-template.txt file?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: iptables- restore issue

Post by mania » 2021/09/15 10:05:41

Although I got an error as the result of iptables-restore, I found the rules which were written in my txt file in /etc/firewalld/iptables-templates.txt, and also I cannot see my rules in the output of the iptables -nL command. In addition, I have no internet access to update the server.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables- restore issue

Post by jlehtone » 2021/09/15 14:39:27

mania wrote:
2021/09/15 10:05:41
Although I got an error as the result of iptables-restore, I found the rules which were written in my txt file in /etc/firewalld/iptables-templates.txt, and also I cannot see my rules in the output of the iptables -nL command.
You have something in /etc/firewalld/iptables-templates.txt
Restore fails. Obviously, the kernel will not have rules which the restore failed to add.

What is in /etc/firewalld/iptables-templates.txt ?

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: iptables- restore issue

Post by mania » 2021/09/16 10:02:49

Hi again,
As I mentioned, I found the rules I wrote in a file (iptables-templates.txt) in order to restore them with the iptables-restore command. Is that related to the error?

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables- restore issue

Post by TrevorH » 2021/09/16 11:06:41

Third time of asking: please post the contents of that iptables-templates.txt file.

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: iptables- restore issue

Post by mania » 2021/09/18 07:28:34

# Completed on Thu Aug 1 12:00:06 2013
# Generated by iptables-save v1.4.6 on Thu Aug 1 12:00:06 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 995 -j ACCEPT
-A INPUT -s 192.168.10.122/32 -p tcp -m tcp --sport 161 -j ACCEPT
-A INPUT -s 192.168.10.122/32 -p udp -m udp --sport 162 -j ACCEPT
-A INPUT -s 192.168.10.0/21 -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 192.168.10.47/32,192.168.10.34/32,192.168.10.35/32,192.168.10.40/32,192.168.10.39/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -d 192.168.10.122/32 -p tcp -m tcp --dport 161 -j ACCEPT
-A OUTPUT -d 192.168.10.122/32 -p udp -m udp --dport 162 -j ACCEPT
-A OUTPUT -d 192.168.10.0/21 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 192.168.254.4/32 -p tcp --dport 53 -m tcp -j ACCEPT
-A OUTPUT -d 192.168.254.4/32 -p udp --dport 53 -m udp -j ACCEPT
-A OUTPUT -d 192.168.10.47/32,192.168.10.34/32,192.168.10.35/32,192.168.10.40/32,192.168.10.39/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Aug 1 12:00:06 2013

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: iptables- restore issue

Post by Whoever » 2021/09/18 16:03:55

I don't see the problem you are looking for, but I can tell you that you need to modify or eliminate most of your INPUT rules and replace them with a rule that uses "related,established" to identify the packets that are returning from the outgoing connections.
Last edited by Whoever on 2021/09/19 01:35:23, edited 1 time in total.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables- restore issue

Post by TrevorH » 2021/09/18 16:42:25

Is this a real system or some sort of container?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables- restore issue

Post by jlehtone » 2021/09/18 16:44:20

-A INPUT -s 192.168.10.47/32,192.168.10.34/32,192.168.10.35/32,192.168.10.40/32,192.168.10.39/32 -p tcp -m tcp --dport 22 -j ACCEPT
man iptables wrote:
[!] -s, --source address[/mask][,...]
Source specification. ... Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).
Typically iptables-restore reads the output of iptables-save, and iptables-save writes out the rules from the kernel. The man-page excerpt above says that the 'iptables' command will not load one rule into the kernel, but five:

INPUT -s 192.168.10.47/32 -p tcp -m tcp --dport 22 -j ACCEPT
INPUT -s 192.168.10.34/32 -p tcp -m tcp --dport 22 -j ACCEPT
INPUT -s 192.168.10.35/32 -p tcp -m tcp --dport 22 -j ACCEPT
INPUT -s 192.168.10.40/32 -p tcp -m tcp --dport 22 -j ACCEPT
INPUT -s 192.168.10.39/32 -p tcp -m tcp --dport 22 -j ACCEPT
My guess is that iptables-restore does not accept multiple addresses in one rule.

Overall, it is better to load all rules to kernel first, test, and then write the "template" with 'iptables-save'. Then you know that they are in the format that 'iptables-restore' can accept.


I do agree with Whoever, the ruleset in the template as a whole is very suspicious; it might have good intentions, but might not do what one expects.
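As an added example (not from the thread or from the iptables project), a small POSIX sh/awk filter that turns jlehtone's observation into a fix: it expands every comma-separated -s/-d list in a saved ruleset into one rule per address, which is the form iptables-save writes and iptables-restore accepts. SAMPLE_RULES is constructed from the rules posted above; the function names expand_multi_addr and expand_sample are my own.

```shell
#!/bin/sh
# Added example: rewrite an iptables-save style file so that every
# "-s a,b,c" / "-d x,y" list becomes one rule per address (the cartesian
# product when both sides are lists). Pure text processing; it never
# touches the running firewall.

expand_multi_addr() {
  awk '
  /^-A / {
    n = split($0, tok, " ")
    ns = nd = si = di = 0
    for (i = 1; i < n; i++) {
      if (tok[i] == "-s" || tok[i] == "--source")      { si = i + 1; ns = split(tok[si], src, ",") }
      if (tok[i] == "-d" || tok[i] == "--destination") { di = i + 1; nd = split(tok[di], dst, ",") }
    }
    if (ns < 2 && nd < 2) { print; next }   # nothing to expand
    if (ns == 0) { ns = 1; src[1] = "" }    # placeholder when only one side is a list
    if (nd == 0) { nd = 1; dst[1] = "" }
    for (a = 1; a <= ns; a++)
      for (b = 1; b <= nd; b++) {
        line = ""
        for (i = 1; i <= n; i++) {
          t = tok[i]
          if (i == si) t = src[a]
          if (i == di) t = dst[b]
          line = line (i > 1 ? " " : "") t
        }
        print line                          # same order as iptables -A would add them
      }
    next
  }
  { print }                                 # headers, chain policies and COMMIT pass through
  '
}

# Constructed sample: the multi-address SSH rule from the thread plus its neighbours.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.47/32,192.168.10.34/32,192.168.10.35/32,192.168.10.40/32,192.168.10.39/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Returns the expanded ruleset (10 lines for the sample: the SSH rule becomes five).
expand_sample() { printf '%s\n' "$SAMPLE_RULES" | expand_multi_addr; }

expand_sample
```

On the real host, check the expanded file with `iptables-restore --test < expanded.txt` before loading it. Note that the --sport-based INPUT rules in the template match on a port the remote peer chooses itself, which is why the conntrack RELATED,ESTABLISHED rule Whoever recommends is the right replacement.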
