The officially official Devuan Forum!


#1 2018-11-23 15:25:16

Phoen7x
Member
Registered: 2018-11-23
Posts: 11  

Devuan + iptables

Hello everybody,
so far I had used Debian.
There I put my iptables rules in a script at /etc/network/if-up.d/iptables_on, like on this page.
Unfortunately, this method does not work with Devuan; there I always get an error message.
How should I ideally apply my iptables rules?


#2 2018-11-23 18:02:35

arnaiz
Member
From: Leon
Registered: 2018-10-28
Posts: 27  

Re: Devuan + iptables

I don't know if there is a better method, but I store my custom iptables script in /etc/init.d. Basically, that script loads the iptables rules from /etc/iptables.rules:

cat /etc/init.d/iptables 
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Then you must link it from /etc/rcX.d (by default 2):

/etc/rc2.d/S20iptables -> ../init.d/iptables


#3 2018-11-23 19:11:31

Phoen7x
Member
Registered: 2018-11-23
Posts: 11  

Re: Devuan + iptables

Thank you for answering.

That's the error message:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.

But if I type in every rule, there is no error. ??

The same script runs fine on my Debian/Raspbian.


#4 2018-11-23 19:20:45

bbatten
Member
Registered: 2017-07-02
Posts: 30  

Re: Devuan + iptables

@Phoen7x: Looks like what you're doing should work, but bear in mind that scripts in /etc/network/if*.d are run in sort order. So one needs to assign script names so that any dependencies are met.

The way I make sure my iptables script is processed in the correct order is to put it in /etc/init.d per @arnaiz, then make use of dependency-based initialization via the update-rc.d command to sort things out viz. /etc/rc?.d.

Hope this helps.

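Putting the two posts above together, here is a fuller version of the /etc/init.d/iptables wrapper. It is an added example, not code from the thread or from Devuan. It assumes the rules are saved in iptables-save format in /etc/iptables.rules (as above), validates them with iptables-restore --test before loading, and carries an LSB header so that update-rc.d/insserv can order it: the X-Start-Before: networking line puts it in rcS ahead of the interfaces instead of in rc2 via a hand-made S20 link. The RULES_FILE, IPTABLES_RESTORE and IPTABLES variables are hypothetical overrides so the script can be exercised without root.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# X-Stop-After:      networking
# Default-Start:     S
# Default-Stop:
# Short-Description: Restore iptables rules from /etc/iptables.rules
### END INIT INFO
# Added example (not from the thread): an LSB-style init script around the
# one-line iptables-restore wrapper from the post. The header lets
# update-rc.d/insserv order it before "networking". Paths are overridable
# (hypothetical variables) so the functions can be tested without root.

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

do_start() {
    if [ ! -r "$RULES_FILE" ]; then
        echo "iptables: $RULES_FILE missing or unreadable, leaving tables untouched" >&2
        return 1
    fi
    # Dry run first: --test parses the whole file without committing it, so a
    # single bad rule cannot leave the firewall half-applied.
    if ! "$IPTABLES_RESTORE" --test < "$RULES_FILE"; then
        echo "iptables: $RULES_FILE failed validation, not loading" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

# Flush the three tables every kernel has and fall back to accept-all on the
# filter chains (nat/mangle policies are ACCEPT unless you changed them).
# Add raw/security here if your rules use them.
do_stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F && "$IPTABLES" -t "$t" -X || return 1
    done
    for c in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$c" ACCEPT || return 1
    done
}

do_status() {
    "$IPTABLES" -S
}

# Dispatch only when called with an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start|restart|reload|force-reload) do_start ;;
        stop) do_stop ;;
        status) do_status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 3 ;;
    esac
fi
```

Install it with chmod +x /etc/init.d/iptables && update-rc.d iptables defaults; with insserv, update-rc.d takes the runlevels from the header rather than from the word "defaults". Default-Stop is left empty on purpose: a restore with iptables-restore already replaces the old rules, and flushing to accept-all during shutdown would open the box for the last seconds of every reboot, so stop is for manual use only. The iptables-persistent package mentioned later in the thread packages the same idea: its netfilter-persistent script loads /etc/iptables/rules.v4 and rules.v6 at boot.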

#5 2018-11-23 19:36:26

Phoen7x
Member
Registered: 2018-11-23
Posts: 11  

Re: Devuan + iptables

Thank you for your advice.

You mean I should move my script into the folder /etc/init.d? I have not quite understood the order and the dependencies.
In my script I'm just opening ports.


#6 2018-11-23 21:39:20

arnaiz
Member
From: Leon
Registered: 2018-10-28
Posts: 27  

Re: Devuan + iptables

Could you post the script code?


#7 2018-11-24 13:49:32

arnaiz
Member
From: Leon
Registered: 2018-10-28
Posts: 27  

Re: Devuan + iptables

I have executed this script and on my laptop it exits successfully without errors.

But it seems that -m state is deprecated; maybe your iptables version or kernel build doesn't accept that parameter.

Try removing it or changing it to -m conntrack --ctstate.

Another way: you can execute it line by line in the shell to debug at which exact lines it's failing.


#8 2018-11-24 16:12:22

arnaiz
Member
From: Leon
Registered: 2018-10-28
Posts: 27  

Re: Devuan + iptables

To allow DNS resolution, you must add a line accepting outgoing UDP connections, since the DNS protocol sends queries over UDP:

iptables -A OUTPUT -p udp --dport domain -j ACCEPT

About the script execution problem: you can also debug by inserting an echo before each iptables command, so you can check on which one it's failing.

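The two debugging suggestions from the previous two posts (rewrite -m state to -m conntrack, and echo each command to find the failing line) as an added example; this is not code from the thread. It assumes the rules are kept the way the original poster keeps them, as a plain script with one iptables command per line. run_rules_verbose executes whatever iptables is on PATH, so on a real system it needs root; convert_state_to_conntrack is pure text processing and can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the "-m state" and
# "which line fails" problems discussed above. Both assume a plain script of
# iptables commands, one per line, as in the original poster's setup.

# Rewrite the legacy state match to the conntrack match that current iptables
# and kernels expect: "-m state --state X" becomes "-m conntrack --ctstate X".
# Reads stdin, writes stdout, so it works on a whole file or a single rule.
convert_state_to_conntrack() {
    sed -e 's/-m state[[:space:]]\{1,\}--state /-m conntrack --ctstate /g'
}

# Execute a rules script one line at a time, printing each line to stderr
# before running it (the echo trick from the thread) and stopping at the
# first failure. Prints the 1-based number of the failing line, or 0 when
# every line succeeded; the exit status is non-zero on failure.
run_rules_verbose() {
    rules_file="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip blank lines and comments, but keep counting them so the
        # reported number matches the line number in the file.
        case "$line" in ''|'#'*) continue ;; esac
        echo "[$n] $line" >&2
        if ! sh -c "$line"; then
            echo "command on line $n failed" >&2
            echo "$n"
            return 1
        fi
    done < "$rules_file"
    echo 0
}
```

Typical use: run_rules_verbose /etc/my-iptables.sh to get the first failing line number, then convert_state_to_conntrack < /etc/my-iptables.sh > /tmp/fixed.sh and run it again; diff the two files before installing the converted one so you see exactly which rules changed.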

#9 2018-11-24 16:31:02

Phoen7x
Member
Registered: 2018-11-23
Posts: 11  

Re: Devuan + iptables

arnaiz wrote:

To allow DNS resolution, you must add a line accepting outgoing UDP connections, since the DNS protocol sends queries over UDP:

Oh sorry, I forgot to write this. I'm running an unbound resolver which forwards all traffic to another resolver via DNS-over-TLS (--dport 853); the rule is therefore obsolete.

About the script execution problem: you can also debug by inserting an echo before each iptables command, so you can check on which one it's failing.

This is a good idea!


#10 2018-11-28 23:08:21

Phoen7x
Member
Registered: 2018-11-23
Posts: 11  

Re: Devuan + iptables

After a reinstallation of iptables-persistent, this solution worked for me.
I think my script failed because of the -nat -mangle parameters.


#11 2018-11-29 16:59:27

arnaiz
Member
From: Leon
Registered: 2018-10-28
Posts: 27  

Re: Devuan + iptables

I'm happy it was helpful.
