Dev1 Galaxy Forum / Devuan + iptables

Re: Devuan + iptables

dummy@example.com (arnaiz) — Thu, 29 Nov 2018 16:59:27 +0000

Im happy was helpful.

Re: Devuan + iptables

dummy@example.com (Phoen7x) — Wed, 28 Nov 2018 23:08:21 +0000

After a reinstallation of iptables-persistent, this solution worked for me.
I think my script failed because of the -nat -mangle parameters.

Re: Devuan + iptables

dummy@example.com (Phoen7x) — Sat, 24 Nov 2018 16:31:02 +0000

arnaiz wrote:

To allow resolve DNS, you must add a line accepting UDP output conections, since DNS protocol uses querys throw UDP:

Oh sorry, i've forgotten to write. I'm runnig an unbound resolver wich forward all traffic to another resolver via DNS-over-TLS (-dport 853), the rule is therefore obsulete.

about the script exec problem, also you can debug inserting a previous echo by each iptables command, so you can check on which its failing.

This is an good idea!

Re: Devuan + iptables

dummy@example.com (arnaiz) — Sat, 24 Nov 2018 16:12:22 +0000

To allow resolve DNS, you must add a line accepting UDP output conections, since DNS protocol uses querys throw UDP:

iptables -A OUTPUT -p udp --dport domain -j ACCEPT

about the script exec problem, also you can debug inserting a previous echo by each iptables command, so you can check on which its failing.

Re: Devuan + iptables

dummy@example.com (arnaiz) — Sat, 24 Nov 2018 13:49:32 +0000

I have executed this script and in my laptop exit successfully without errors.

But it seems that -m state its deprecated, maybe your iptables version or kernel build dont accept that parameter.

Try to remove or change by -m conntrack --ctstate.

Another way: you can execute line by line in the shell to debug in which exact lines its failing.

Re: Devuan + iptables

dummy@example.com (arnaiz) — Fri, 23 Nov 2018 21:39:20 +0000

could you post the script code?

Re: Devuan + iptables

dummy@example.com (Phoen7x) — Fri, 23 Nov 2018 19:36:26 +0000

Thank you for your advice.

You mean I should move my script into the folder /etc/init.d? I have not quite understood the order and the dependencies?
In my script I'm just releasing ports.

Re: Devuan + iptables

dummy@example.com (bbatten) — Fri, 23 Nov 2018 19:20:45 +0000

@Phoen7x: Looks like what you're doing should work, but bear in mind that scripts in /etc/network/if*.d are run in sort order. So one needs to assign script names so that any dependencies are met.

The way I use to make sure my iptables script is processed in the correct order is to put it in /etc/init.d per @arnauz, then make use of dependency based initialization via the update-rc.d command to sort things out viz /etc/rc?.d.

Hope this helps.

Re: Devuan + iptables

dummy@example.com (Phoen7x) — Fri, 23 Nov 2018 19:11:31 +0000

Thank you for answering.

Thats the errormessage:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.

but if i type in every rule, there is no error. ??

The same skript runs finde on my debian/raspbian

Re: Devuan + iptables

dummy@example.com (arnaiz) — Fri, 23 Nov 2018 18:02:35 +0000

I dont know if theres are a better method, but I use to store my custom iptables script at /etc/init.d. Basically that script load iptables from /etc/iptables.rules:

cat /etc/init.d/iptables 
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Then you must link to /etc/rcX.d (by defaul 2)

/etc/rc2.d/S20iptables -> ../init.d/iptables

Devuan + iptables

dummy@example.com (Phoen7x) — Fri, 23 Nov 2018 15:25:16 +0000

Hello everybody,
so far I had used Debian.
There I put my iptables rules in a script in the directory /etc/network/if-up.d/iptables_on, like on this page.
Unfortunately, this method does not work with Devuan, there I always get an error message.
How should I ideally apply my iptables rules?