Ubuntu – iptables-persistent and netfilter-persistent don’t actually work on Ubuntu Server 16.04.3 x86_64


I have iptables-persistent and netfilter-persistent installed:

$ dpkg -l '*-persistent'
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                         Version                      Architecture                Description
ii  iptables-persistent                          1.0.4                       all                         boot-time loader for netfilter rules, iptables plugin
ii  netfilter-persistent                         1.0.4                       all                         boot-time loader for netfilter configuration

I also have the rules saved at /etc/iptables/rules.v4 (I only care about IPv4 for now):

$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
:INPUT ACCEPT [11740:1271860]
:OUTPUT ACCEPT [9784:2123999]
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
:PREROUTING ACCEPT [18262:1677349]
:OUTPUT ACCEPT [9784:2123999]
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
:PREROUTING ACCEPT [7367:452849]
:INPUT ACCEPT [872:48764]
:OUTPUT ACCEPT [500:37441]
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
:PREROUTING ACCEPT [18262:1677349]
:INPUT ACCEPT [18259:1677229]
:OUTPUT ACCEPT [9784:2123999]
:POSTROUTING ACCEPT [9784:2123999]
# Completed on Fri Jan 19 09:49:17 2018
# Generated by iptables-save v1.6.0 on Fri Jan 19 09:49:17 2018
-A INPUT -i lo -j ACCEPT
-A INPUT -d -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,587,465
-A INPUT -p tcp -m state --state NEW -m multiport --dports 110,995
-A INPUT -p tcp -m state --state NEW -m multiport --dports 143,993
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Completed on Fri Jan 19 09:49:17 2018

The rule I'm really interested in is the one towards the end:

-A INPUT -p tcp -m state --state NEW -m multiport --dports 3721:3725 -j ACCEPT

However, when I reboot the server, I don't get that rule:

$ sudo iptables -4 -L
[sudo] password for kal:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
           tcp  --  anywhere             anywhere             state NEW multiport dports smtp,submission,urd
           tcp  --  anywhere             anywhere             state NEW multiport dports pop3,pop3s
           tcp  --  anywhere             anywhere             state NEW multiport dports imap2,imaps
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain f2b-shadowsocks (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Also note that iptables has a couple of rules that were present even before I ever installed iptables-persistent and netfilter-persistent – e.g. the ones for http, smtp, pop3, imap, ssh. I have no idea where they come from. Sure, I have openssh and nginx installed and their services enabled, but I never added iptables rules for them myself.

If I look at the output of journalctl, netfilter-persistent.service did start successfully:

$ sudo journalctl -xu netfilter-persistent.service
-- Logs begin at Fri 2018-01-19 18:55:13 HKT, end at Fri 2018-01-19 19:05:41 HKT. --
Jan 19 18:55:13 yuma systemd[1]: Starting netfilter persistent configuration...
-- Subject: Unit netfilter-persistent.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit netfilter-persistent.service has begun starting up.
Jan 19 18:55:13 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 19 18:55:14 yuma netfilter-persistent[1997]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 19 18:55:14 yuma systemd[1]: Started netfilter persistent configuration.
-- Subject: Unit netfilter-persistent.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Unit netfilter-persistent.service has finished starting up.
-- The start-up result is done.

If I manually restart netfilter-persistent.service after the machine is completely booted up, I get the rule I want:

$ sudo iptables -4 -L
ACCEPT     tcp  --  anywhere             anywhere             state NEW multiport dports 3721:3725

So why doesn't netfilter-persistent actually work at boot time?

Is something completely overwriting iptables after netfilter-persistent?

What can I do about it?

I also don't have ufw or firewalld.

Best Answer

So it turns out that my server has a file named /etc/iptables.firewall.rules, and rules were being restored from it in /etc/network/if-pre-up.d/firewall:

/sbin/iptables-restore < /etc/iptables.firewall.rules

/etc/iptables.firewall.rules seems to be an old file that I created back in 2015, following an old tutorial to persist iptables rules.

All I had to do, then, was to add my new rule to that file.

I guess the lesson is that, after checking the usual ufw and iptables-persistent/netfilter-persistent stuff, I should just grep -rn iptables-restore /etc/. If that doesn't find anything, there's also the possiblity of rules being added dynamically via dbus, if firewalld is enabled.

Related Question