I have iptables-persistent and netfilter-persistent installed:
$ dpkg -l '*-persistent'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-============================================-===========================-===========================-==============================================================================================
ii iptables-persistent 1.0.4 all boot-time loader for netfilter rules, iptables plugin
ii netfilter-persistent 1.0.4 all boot-time loader for netfilter configuration
I also have the rules saved in /etc/iptables/rules.v4 (I only care about IPv4 for now):
$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*security
:INPUT ACCEPT [11740:1271860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*raw
:PREROUTING ACCEPT [18262:1677349]
:OUTPUT ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*nat
:PREROUTING ACCEPT [7367:452849]
:INPUT ACCEPT [872:48764]
:OUTPUT ACCEPT [500:37441]
:POSTROUTING ACCEPT [500:37441]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*mangle
:PREROUTING ACCEPT [18262:1677349]
:INPUT ACCEPT [18259:1677229]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9784:2123999]
:POSTROUTING ACCEPT [9784:2123999]
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,587,465
-A INPUT -p tcp -m state --state NEW -m multiport --dports 110,995
-A INPUT -p tcp -m state --state NEW -m multiport --dports 143,993
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Jan 19 09:49:17 2018
The rule I really care about is the one at the end:
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
However, when I reboot the server, I don't get that rule:
$ sudo iptables -4 -L
[sudo] password for kal:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
tcp -- anywhere anywhere state NEW multiport dports smtp,submission,urd
tcp -- anywhere anywhere state NEW multiport dports pop3,pop3s
tcp -- anywhere anywhere state NEW multiport dports imap2,imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain f2b-shadowsocks (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain f2b-sshd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Also note that iptables has a couple of rules that were present even before I installed iptables-persistent and netfilter-persistent, e.g. the ones for http, smtp, pop3, imap, ssh. I have no idea where they come from. Sure, I have openssh and nginx installed and their services enabled, but I never added iptables rules for them.
If I look at the journalctl output, netfilter-persistent.service started successfully:
$ sudo journalctl -xu netfilter-persistent.service
-- Logs begin at Fri 2018-01-19 18:55:13 HKT, end at Fri 2018-01-19 19:05:41 HKT. --
Jan 19 18:55:13 yuma systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has begun starting up.
Jan 19 18:55:13 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 19 18:55:14 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 19 18:55:14 yuma systemd[1]: Started netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit netfilter-persistent.service has finished starting up.
--
-- The start-up result is done.
If I manually restart netfilter-persistent.service after the machine has fully booted, I get the rule I want:
$ sudo iptables -4 -L
[...]
ACCEPT tcp -- anywhere anywhere state NEW multiport dports 3721:3725
[...]
So why isn't netfilter-persistent actually working at boot time? Does something completely overwrite iptables after netfilter-persistent has run? What can I do about it?
UPDATE
I also don't have ufw or firewalld.
Accepted answer:
So it turns out my server has a file called /etc/iptables.firewall.rules, and the rules were being restored from it in /etc/network/if-pre-up.d/firewall:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/etc/iptables.firewall.rules appears to be an old file I created in 2015, following an old tutorial on persisting iptables rules.
So all I had to do was add my new rule to that file.
I guess the lesson is that, after checking the usual ufw and iptables-persistent/netfilter-persistent stuff, I should grep -rn iptables-restore /etc/. If that doesn't find anything, there is also the possibility that rules are being added dynamically via dbus, if firewalld is enabled.
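The two checks the answer ends with (find every script that calls iptables-restore, then find out which expected rules are missing from the rule set that actually gets loaded) can be scripted so they are repeatable after the next reboot. The shell script below is an added example, not code from the original post: the function names find_restore_callers, missing_rules and make_sample_tree are hypothetical, and make_sample_tree builds a constructed stand-in for /etc (a rules.v4 with the new rule, a stale iptables.firewall.rules without it, and an if-pre-up.d hook that loads the stale file) so the script runs offline. On a real host you would point find_restore_callers at /etc and compare the persistent file against a fresh dump of the live tables (for example the output of iptables-save redirected to a file).

```shell
#!/bin/sh
# Added example: audit a directory tree for competing iptables rule loaders and
# report rules present in one iptables-save file but absent from another.

# List files under "$1" that invoke iptables-restore (or the ip6tables/xtables
# variants). Same idea as the "grep -rn iptables-restore /etc/" check, wrapped
# so it can be pointed at any directory.
find_restore_callers() {
    dir="$1"
    grep -rl -E '(ip6?tables|xtables)-restore' "$dir" 2>/dev/null | LC_ALL=C sort
}

# Print the "-A ..." rule lines found in the expected file ("$1") but not in
# the other file ("$2"). Chain headers with their packet counters and comments
# are ignored, so two dumps taken at different times compare cleanly.
missing_rules() {
    expected="$1"
    actual="$2"
    tmp_e=$(mktemp)
    tmp_a=$(mktemp)
    grep '^-A ' "$expected" | LC_ALL=C sort -u > "$tmp_e"
    grep '^-A ' "$actual"   | LC_ALL=C sort -u > "$tmp_a"
    comm -23 "$tmp_e" "$tmp_a"
    rm -f "$tmp_e" "$tmp_a"
}

# Constructed sample tree standing in for /etc (hypothetical content, not a
# real system). Prints the root directory so callers can clean it up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/iptables" "$root/network/if-pre-up.d"
    # What iptables-persistent would load: includes the new rule.
    cat > "$root/iptables/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    # The stale file a forgotten hook loads: same rules minus the new one.
    cat > "$root/iptables.firewall.rules" <<'EOF'
*filter
:INPUT ACCEPT [12:3456]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
    # The if-pre-up.d hook that silently overrides the persistent rules.
    printf '#!/bin/sh\n/sbin/iptables-restore < %s\n' "$root/iptables.firewall.rules" \
        > "$root/network/if-pre-up.d/firewall"
    printf '%s\n' "$root"
}

# Demo run against the constructed tree.
root=$(make_sample_tree)
echo "Scripts invoking iptables-restore under $root:"
find_restore_callers "$root"
echo "Rules in rules.v4 missing from iptables.firewall.rules:"
missing_rules "$root/iptables/rules.v4" "$root/iptables.firewall.rules"
rm -rf "$root"
```

missing_rules compares only the -A lines, so it also works for diffing rules.v4 against a live iptables-save dump after boot: any rule it prints is one that something else (a network hook, a service, or a firewall daemon) removed or never loaded.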