Hello everybody,
So far I have used Debian.
There I put my iptables rules in a script in the directory /etc/network/if-up.d/iptables_on, like on this page.
Unfortunately, this method does not work with Devuan; there I always get an error message.
How should I ideally apply my iptables rules?
I don't know if there is a better method, but I usually store my custom iptables script in /etc/init.d. Basically that script loads iptables from /etc/iptables.rules:
cat /etc/init.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules
Then you must link it from /etc/rcX.d (by default 2):
/etc/rc2.d/S20iptables -> ../init.d/iptables
Thank you for answering.
That's the error message:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
Bad argument ` '
Try `iptables -h' or 'iptables --help' for more information.
But if I type in every rule, there is no error. ??
The same script runs fine on my Debian/Raspbian.
@Phoen7x: Looks like what you're doing should work, but bear in mind that scripts in /etc/network/if*.d are run in sort order. So one needs to assign script names so that any dependencies are met.
The way I use to make sure my iptables script is processed in the correct order is to put it in /etc/init.d per @arnauz, then make use of dependency based initialization via the update-rc.d command to sort things out viz /etc/rc?.d.
Hope this helps.
Thank you for your advice.
You mean I should move my script into the folder /etc/init.d? I have not quite understood the order and the dependencies?
In my script I'm just releasing ports.
I have executed this script, and on my laptop it exits successfully without errors.
But it seems that -m state is deprecated; maybe your iptables version or kernel build doesn't accept that parameter.
Try removing it or changing it to -m conntrack --ctstate.
Another way: you can execute it line by line in the shell to debug on which exact lines it's failing.
To allow DNS resolution, you must add a line accepting UDP output connections, since the DNS protocol sends its queries over UDP:
iptables -A OUTPUT -p udp --dport domain -j ACCEPT
About the script exec problem: you can also debug by inserting an echo before each iptables command, so you can check which one is failing.
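The approach worked out in this thread (an init script under /etc/init.d that calls iptables-restore on /etc/iptables.rules and is registered with update-rc.d, plus echoing each rule before it runs so the failing line shows up) as one added example; it is not code posted by anyone in the thread. The rules file path /etc/iptables.rules is the one used above; the IPTABLES, IPTABLES_RESTORE and RULES_FILE variables, the function names and the constructed sample rules are my own assumptions.

```sh
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: load iptables rules from /etc/iptables.rules
### END INIT INFO
# Added example, not code from the thread. Install as /etc/init.d/iptables and run
# "update-rc.d iptables defaults": the LSB header above is what dependency-based
# ordering reads, so the script runs once local filesystems are mounted.
# Assumed (not from the thread): the variable names, the constructed sample rules
# and the function names below.

IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"    # path used in the thread

# Constructed sample in iptables-save format (what iptables-restore reads): a table
# starts with *name, ":CHAIN POLICY [pkts:bytes]" sets policies, COMMIT ends the table.
# It uses -m conntrack --ctstate instead of the older -m state --state, and keeps the
# DNS-over-TLS (853/tcp) and plain DNS (53/udp) output rules discussed in the thread.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 853 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
'

write_sample_rules() {                 # write the constructed sample to a path
    printf '%s' "$SAMPLE_RULES" > "$1"
}

load_rules() {                         # normal path: atomic, all-or-nothing restore
    "$IPTABLES_RESTORE" < "$RULES_FILE"
}

run_rule() {                           # echo each command before running it
    echo "+ $IPTABLES $*"
    APPLIED_COUNT=$((APPLIED_COUNT + 1))
    "$IPTABLES" "$@"
}

# Debug path: apply the rules file one line at a time so the first failing rule is
# visible. Sets FAILED_LINE to that line's number (0 if everything succeeded) and
# returns 1 on failure. It relies on shell word splitting of each rule, so it is a
# debugging aid for plain rules like the sample, not a replacement for iptables-restore.
apply_rules_stepwise() {
    file="$1"
    table=filter
    lineno=0
    rc=0
    APPLIED_COUNT=0
    FAILED_LINE=0
    set -f                             # no globbing while "[0:0]" etc. are word-split
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*|COMMIT) continue ;;
            '*'*) table="${line#?}"; continue ;;       # "*filter" selects the table
            ':'*) set -- $line                          # ":INPUT DROP [0:0]"
                  chain="${1#?}"; policy="$2"
                  if [ "$policy" = "-" ]; then          # user-defined chain: create it
                      set -- -N "$chain"
                  else
                      set -- -P "$chain" "$policy"
                  fi ;;
            *)    set -- $line ;;                       # ordinary "-A CHAIN ..." rule
        esac
        if ! run_rule -t "$table" "$@"; then
            FAILED_LINE=$lineno
            echo "rule at line $lineno failed: $line" >&2
            rc=1
            break
        fi
    done < "$file"
    set +f
    return $rc
}

if [ $# -gt 0 ]; then                  # init-style dispatch; no-op when run without args
    case "$1" in
        start|restart|reload) load_rules ;;
        debug) apply_rules_stepwise "$RULES_FILE" ;;
        stop) : ;;                     # deliberately leaves the rules in place
        *) echo "Usage: $0 {start|stop|restart|reload|debug}" >&2; exit 2 ;;
    esac
fi
```

Use "/etc/init.d/iptables debug" to find the offending line (each rule is echoed, and the first failure is reported with its line number), then "/etc/init.d/iptables start" for the normal atomic load; because iptables-restore applies the whole table in one COMMIT, a single bad rule leaves the previous rule set untouched instead of a half-applied one.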
To allow DNS resolution, you must add a line accepting UDP output connections, since the DNS protocol sends its queries over UDP:
Oh sorry, I've forgotten to write that I'm running an unbound resolver which forwards all traffic to another resolver via DNS-over-TLS (--dport 853), so the rule is therefore obsolete.
About the script exec problem: you can also debug by inserting an echo before each iptables command, so you can check which one is failing.
This is a good idea!
After a reinstallation of iptables-persistent, this solution worked for me.
I think my script failed because of the -nat -mangle parameters.