- I Have No IPTables
- Updates
- May 23, 2023: iRedMail-1.6.3 has been released.
- [ Closed ] (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue
- Posts: 8
- 1 Topic by baerengraben 2021-01-28 04:53:16 (edited by baerengraben 2021-01-30 18:42:54)
- Topic: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue
- First, firewald introduction and common commands
- Firewall common command
- Second, CentOS switches to iptables firewall
- Iptables common commands
- Intelligent Recommendation
- Under centos iptables installation
- Linux: What is the Mandrake 9.0 under the boot setting file / etc / sysconfig?
- How to modify the firewall settings when CentOS does not have an iptables file in the /etc/sysconfig/ path
- Linux / etc / sysconfig / iptables configuration file
- Как найти конфиг, который использует iptables?
- Войдите, чтобы написать ответ
- Как настроить соответствие между поддоменами и хостами в локальной сети?
I Have No IPTables
I have something really weird going on that I can’t seem to find any reference to after a lot of googling. I seem to have no iptables. Not that the chains are flushed or that they are all ACCEPT rules or something, the tables themselves don’t seem to exist. Here is what I mean: The story is, my docker stopped working at some point in the last few months and I finally got around to fixing it. The error was being caused by the following command:
$ iptables -A DOCKER-ISOLATION-STAGE-1 -j RETURN iptables: No chain/target/match by that name.
Which docker runs as part of its startup and which I tried to run manually to debug. So then I started messing around trying to add different chains and rules in different places, and everything was giving that error. So finally I tried to just list everything
$sudo iptables -S iptables: No chain/target/match by that name. $ sudo iptables -L iptables: No chain/target/match by that name. $ sudo iptables --list iptables: No chain/target/match by that name.
# iptables -vL -t filter iptables: No chain/target/match by that name. # iptables -vL -t nat iptables: No chain/target/match by that name. # iptables -vL -t mangle iptables: No chain/target/match by that name. # iptables -vL -t raw iptables: No chain/target/match by that name. # iptables -vL -t security iptables: No chain/target/match by that name.
# iptables -P INPUT ACCEPT iptables: Bad built-in chain name.
doesn’t work. Has anyone seen this before? Is there any way to get the tables back? My system is Ubuntu 18.10 with Kernel 5.1.8
Updates
I have since added all the iptables modules to my /etc/modules and rebuilt the initramfs. The modules are now loaded on boot but it didn’t solve the problem. I found that the iptables-save command does not error, but it also only prints the following:
# Generated by iptables-save v1.6.1 on Tue Jun 11 17:35:52 2019 *nat COMMIT # Completed on Tue Jun 11 17:35:52 2019 # Generated by iptables-save v1.6.1 on Tue Jun 11 17:35:52 2019 *mangle COMMIT # Completed on Tue Jun 11 17:35:52 2019 # Generated by iptables-save v1.6.1 on Tue Jun 11 17:35:52 2019 *raw COMMIT # Completed on Tue Jun 11 17:35:52 2019 # Generated by iptables-save v1.6.1 on Tue Jun 11 17:35:52 2019 *security COMMIT # Completed on Tue Jun 11 17:35:52 2019 # Generated by iptables-save v1.6.1 on Tue Jun 11 17:35:52 2019 *filter COMMIT # Completed on Tue Jun 11 17:35:52 2019
I also found that ip6tables appears to be working normally, its only iptables that is broken. Next I tried running some of the iptables commands in verbose mode.
# iptables -S -vv libiptc vlibxtables.so.12. 0 bytes. Table `filter' Hooks: pre/in/fwd/out/post = 7f68/9f6085dd/5616/9f60a8e0/5616 Underflows: pre/in/fwd/out/post = 36e4540/7fff/36e48e8/7fff/0 iptables: No chain/target/match by that name.
# iptables -N DOCKER-ISOLATION-STAGE-1 -vv
In verbose mode this commant doesn’t complete, the output is huge. I tried dumping it to a file but I killed it when that file reached 8.5GB in size. The output is all repitions of the following pattern:
libiptc vlibxtables.so.12. 1032595540 bytes. Table `filter' Hooks: pre/in/fwd/out/post = 7ffe/92c0b5dd/55a7/92c0d8e0/55a7 Underflows: pre/in/fwd/out/post = 3d8c10f0/7ffe/3d8c1498/7ffe/3d8c2854 Entry 0 (0): SRC IP: 0.0.0.0/0.0.0.0 DST IP: 0.0.0.0/0.0.0.0 Interface: `'/. to `'/. Protocol: 0 Flags: 00 Invflags: 00 Counters: 0 packets, 0 bytes Cache: 00000000 Target name: `' [0] verdict=0 Entry 0 (0): SRC IP: 0.0.0.0/0.0.0.0 DST IP: 0.0.0.0/0.0.0.0 Interface: `'/. to `'/. Protocol: 0 Flags: 00 Invflags: 00 Counters: 0 packets, 0 bytes Cache: 00000000 Target name: `' [0] verdict=0
May 23, 2023: iRedMail-1.6.3 has been released.
- Spider Email Archiver: Lightweight on-premises email archiving software, developed by iRedMail team.
- Join our Telegram group (@iredmail_chat) to get help from other iRedMail users.
[ Closed ] (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue
iRedMail → iRedMail Support → (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue
You must login or register to post a reply
Posts: 8
1 Topic by baerengraben 2021-01-28 04:53:16 (edited by baerengraben 2021-01-30 18:42:54)
Topic: (Solved) No iptables on Ubuntu 20.04.1 LTS / Security Issue
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
— iRedMail version (check /etc/iredmail-release): 1.3.2 MARIADB edition.
— Deployed with iRedMail Easy or the downloadable installer? downloadable installer
— Linux/BSD distribution name and version: Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-64-generic x86_64)
— Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
— Web server (Apache or Nginx): Nginx
— Manage mail accounts with iRedAdmin-Pro? No
— [IMPORTANT] Related original log or error message is required if you’re experiencing an issue.
====
I just did a new installation of iredmail on a new installed Ubuntu 20.04.1 LTS. After finishing installation of iredmail, I noticed that the ireadmail rules for iptables (/etc/default/iptables) are not active at all.
This is what /iRedMail-1.3.2/runtime/install.log says:
[ INFO ] Copy firewall sample rules.
+ < DEBUG >Service control: enable iptables.
Failed to enable unit: Unit file iptables.service does not exist.
+ < DEBUG >Service control: enable ip6tables.
Failed to enable unit: Unit file ip6tables.service does not exist.
[ INFO ] Restarting firewall .
+ < DEBUG >Service control: restart iptables.
Failed to restart iptables.service: Unit iptables.service not found.
+ < DEBUG >Service control: restart ip6tables.
Failed to restart ip6tables.service: Unit ip6tables.service not found.
So far as I understand is, that Ubuntu is using ufw and has no «service» for iptables (anymore?).
How can I activate the rules for hardening the ireadmail server? Maybe the rules should be installed by ufw?
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Stable release is out.
First, firewald introduction and common commands
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/.
The firewall is configured/usr/lib/firewalld/ System Configuration Directory & /etc/firewalld/ User Configuration Directoryin
Where /usr/lib/firewalld/services stores defined network service and port parameters, system parameters, cannot be modified
Note: The following firewalld operations are only valid after reboot: service firewalld restart
Firewall common command
Start: systemctl start firewalld
Close: systemctl stop firewalld
View status: systemctl status firewalld
Power on disable : systemctl disable firewalld
Power on: systemctl enable firewalld
Systemctl is a service management tool for CentOS7 and later. It combines the functions of previous service and chkconfig.
Start a service: systemctl start firewalld.service
Close a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Display the status of a service: systemctl status firewalld.service
Enable a service at boot time: systemctl enable firewalld.service
Disable a service at boot time: systemctl disable firewalld.service
Check whether the service is powered on: systemctl is-enabled firewalld.service
View the list of started services: systemctl list-unit-files|grep enabled
View the list of services that failed to start: systemctl —failed
View the status of the firewall
Second, CentOS switches to iptables firewall
Step1: Close the firewall
Switch root identity su -, enter the root password
systemctl stop firewalld Close the firewall
systemctl disable firewalld.service Disable firewall boot
Step2: Install iptables firewall
yum installi ptables-services installation
Step3: Edit iptables firewall configuration
vim /etc/sysconfig/iptablesEdit the firewall configuration file
After opening, you can see the default rules in the firewall.
If you need to modify it, press i to enter the Inter editing template to redefine the rules.
Press Esc to exit editing, press :wq to save and exit
Step4: Open iptables
Service iptables start
Systemctl enable iptables.service Set the firewall to boot
Service iptables status View status
Iptables common commands
Start: service iptables start
Close: service iptables stop
Restart: service iptables restart
View status: service iptables status
Power on disable: chkconfig iptables off
Power on: chkconfig iptables on
Check if the firewall is booting: chkconfig iptables —list
Intelligent Recommendation
Under centos iptables installation
[[email protected] ~]# yum install iptables -y [[email protected] ~]# yum install iptables-services Check installation [[email protected] ~]# rpm -qa|grep iptables iptables-1.4.21-24.1.el7_5.x86.
Linux: What is the Mandrake 9.0 under the boot setting file / etc / sysconfig?
What is the MANDRAKE 9.0 in setting the file? Which projects with yellow fonts are especially important! clock In setting the time zone of our Linux host, you can use Greenwich time, which is standard.
How to modify the firewall settings when CentOS does not have an iptables file in the /etc/sysconfig/ path
To modify the port number of a program is not blocked by the firewall, many online tutorials are to directly modify the iptables file in the /etc/sysconfig/ path, but I did not find the iptables file .
Linux / etc / sysconfig / iptables configuration file
View firewall open port View firewall status Install iptables Start iptables.
Как найти конфиг, который использует iptables?
На сайте настроен iptables. Разрешает коннект к порту 3306 только для одного IP. IP сменился, нужно открыть конфиг фаервола и сменить IP.
Гуглю где находится его конфиг, гугль говорит, смотреть в /etc/sysconfig/iptables.old и в /etc/sysconfig/iptables-config.
Ага, думаю я, то что мне нужно, открываю эти конфиги, в них нет записи с нужным IP. Видимо iptables использует кастомный конфиг. Как узнать где он находится?
Выведите список через iptables -L
и удалите старое, добавьте новое
Если я не ошибаюсь, конфиг можно сохранить куда угодно.
In CentOS you have the file /etc/sysconfig/iptables
если его там нет, вы можете его создать, используя iptables-save, чтобы записать текущие правила в файл
iptables-save > /etc/sysconfig/iptables
чтобы загрузить файл, Вам не нужно перезагружать сервер, просто используйте iptables-restore
# iptables -A INPUT -i ens192 -p tcp -s x.x.x.x —dport 3306 -j ACCEPT
так добавить разрешение для подключения определенного IP? какую нибудь еще команду нужно вводить или что нибудь перезагружать?
mr_blond97: на счет этого, к сожалению помочь не могу. По умолчанию — все подключения разрешены. Надо смотреть, какое правило у Вас запрещало подключаться со всех ip, кроме старого и его менять.
ps
Если ответ помог, отметьте решением, пожалуйста.
iptables -S выведет список правил
=========
/etc/sysconfig/iptables-config
Не тот файл вы открываете.
mcedit /etc/sysconfig/iptables
меняете правило и
/etc/init.d/iptables restart
Итак, шаг номер раз:
iptables -L -n —line-numbers
эта команда выведет список всех имеющихся у Вас правил с номерами.
шаг номер 2:
iptables -D INPUT num, где num — номер запрещающего правила.
этой командой мы удаляем запрещающее правило
наг номер 3:
iptables -I INPUT 1 -p tcp -s x.x.x.x —dport 3306 -j ACCEPT
этой командой мы добавляем новое разрешающее правило в цепочку INPUT и ставим его первым. На случай, если у Вас в конце цепочки написано что-то типа -A INPUT -j REJECT —reject-with icmp-host-prohibited
если что-то не получается — пришлите вывод iptables -L -n —line-numbers, бум думать.