LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 04-14-2021, 12:18 PM   #1
hkjz
Member
 
Registered: Apr 2019
Distribution: MX
Posts: 182

Rep: Reputation: Disabled
Problem with leaks in IPTABLES firewall


Hello,

there is something wrong with the firewall rules I made with IPTABLES.

When I load the system and load the rules to see them, I get this:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  217.23.1.184         anywhere            
ACCEPT     all  --  217.23.1.184         anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             217.23.1.184        
ACCEPT     all  --  anywhere             217.23.1.184        
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere

However, when I reload the firewall rules by hand from the file, I am left with this only:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere

To mitigate this problem I even used a line like this in crontab:
Code:
@reboot cd /path/to/file/ && ./iptables_rules_file

but it did not help.


The first part is interesting, partly out of curiosity: I suspect that all these files are somehow connected to underlying system functions. Should I unlock them?

The second part with iptables is more concerning - especially '217.23.1.184', which is WorldStream B.V., probably a VPN provider. I recognize the name because it sometimes shows up in my VPN as well.

But in the iptables rules it comes out of nowhere.

I will do more tests with crontab and reboots and let you know the result.
 
Old 04-14-2021, 04:25 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
Since iptables rules can be fairly tricky to get right if you are "riding the pony bareback," I prefer to use higher-level tools such as shorewall, which can automagically write and install proper rules for you. Very definitely easier.

Last edited by sundialsvcs; 04-14-2021 at 04:27 PM.
 
Old 04-15-2021, 11:32 AM   #3
jdrosales
LQ Newbie
 
Registered: Feb 2020
Location: Virginia, USA
Distribution: Ubuntu, Debian
Posts: 21
Blog Entries: 1

Rep: Reputation: 3
Use iptables-save > your_rules.txt (<-- this is just an example, the file can be named any way you want) after you update your iptables rules. Then, at boot time (or whenever you need to) use iptables-restore < your_rules.txt.

I think that should solve your problem.
 
Old 04-17-2021, 01:58 PM   #4
elgrandeperro
Member
 
Registered: Apr 2021
Posts: 415
Blog Entries: 2

Rep: Reputation: Disabled
I have a feeling you have a problem. The rules file is not executable by your script. It should always be "iptables-restore < rules", as someone mentioned.

Second, some distros need the iptables-persistent package. This preloads rules, usually from /etc/iptables/? or /etc/sysconfig/?. iptables-restore does not update the rules there, so it might be better to update the rules there THEN reload iptables via whatever script starts iptables, whether /etc/init.d or systemctl or whatever.

So for testing, you certainly can:

iptables-save > RULES
edit RULES to test them
iptables-restore < RULES

But for persistence, you have to update the files in /etc/iptables or /etc/sysconfig to go across reboots if the persistence package is installed, OR you have to create your own startup/init script. I'd install the persistence packages; they work just fine.
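Added example, not code from any post above: once you have captured both rulesets with iptables-save (one right after boot, one after hand-reloading your file), this POSIX shell script diffs the two dumps on rule text alone and prints every rule that the boot-time ruleset has but your file does not. That is the quickest way to show that the 217.23.1.184 entries are being installed by something other than your rules file (another startup script, a persistence package, or a VPN client). The two dumps embedded below are constructed samples modelled on the listings in post #1, not real output from the poster's machine.

```shell
#!/bin/sh
# Diff two iptables-save dumps (e.g. the ruleset seen right after boot
# against the ruleset after hand-reloading the rules file) and list the
# rules that exist in only one of them. Uses POSIX tools only.

# Strip comments/timestamps and the leading [packets:bytes] counters so
# the two dumps compare on rule text alone, then sort for comm(1).
normalize_rules() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] //' "$1" | sort -u
}

# Rules present in dump $1 but absent from dump $2.
rules_only_in() {
    a=$(mktemp); b=$(mktemp)
    normalize_rules "$1" > "$a"
    normalize_rules "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample dumps modelled on the two listings in the thread.
WORK=$(mktemp -d)
cat > "$WORK/boot.rules" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
[12:800] -A INPUT -s 217.23.1.184/32 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:120] -A INPUT -j LOG
[0:0] -A INPUT -j DROP
[5:300] -A OUTPUT -d 217.23.1.184/32 -j ACCEPT
COMMIT
EOF
cat > "$WORK/file.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
COMMIT
EOF

# Anything printed here came from somewhere other than your rules file:
# another startup script, a persistence package, or a VPN client.
rules_only_in "$WORK/boot.rules" "$WORK/file.rules"
```

On a real system, replace the two constructed files with `iptables-save` output taken after boot and after your manual reload; the same diff in the other direction shows rules your file has that the boot-time ruleset lost.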
 