Specific reason why iptables would return an exit code of 3 (instead of 1?) when executed without sufficient privileges

exit-statusiptablesposix

I simply forgot to use sudo:

usr@arch ~[0] $ iptables -L
iptables v1.4.21: can't initialize iptables table `filter': Permission
denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
usr@arch ~[3] $ <---

My bash PS1 prompt echoes the last command exit status ($?). The iptables manpages doesn't refer to a return code of 3:

Various error messages are printed to standard error. The exit code
is 0 for correct functioning. Errors which appear to be caused by
invalid or abused command line parameters cause an exit code of 2, and
other errors cause an exit code of 1.

The SUSv3/POSIX discusses exit status for commands.¹ A command such as mount – which has 7 different exit statuses for error conditions – executed without privileges returns 1; something that's documented in its manpages: incorrect invocation or permissions.

Q.
So why does iptables and mount differ in that respect – is it purely application specific? Why is it that doing an strace on the former outputs things such as: socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted) – shouldn't it be EACCES instead? Why is it that tracing unprivileged mount calls does not reveal similar errors and do these have an impact on the exit status; or is -1 a failure whatever the reason? Where does that 3 come from?

_{1. Also: GNU Bash; more generally; random weirdness; recent question with reference to codes being application specific + historical /usr/include/sysexits.h etc.}

Best Answer

The documentation is incomplete. The code contains the following list of error codes used internally:

enum xtables_exittype {
    OTHER_PROBLEM = 1,
    PARAMETER_PROBLEM,
    VERSION_PROBLEM,
    RESOURCE_PROBLEM,
    XTF_ONLY_ONCE,
    XTF_NO_INVERT,
    XTF_BAD_VALUE,
    XTF_ONE_ACTION,
};

And when it tries to initialize, it does:

if (!*handle)
    xtables_error(VERSION_PROBLEM,
           "can't initialize iptables table `%s': %s",
           *table, iptc_strerror(errno));

xtables_error prints the error message and exits with the given exit code.

The code seems to be deficient, IMHO, in assuming that a failure here is due to a version problem, without checking the errno to see that it's actually EPERM.

Related Solutions

Does an init script always return a proper exit code when running status

Not 100% of the time. However, it's a very good yardstick.

CFEngine 3 uses this in "services promises" to check if services are running. If the exit code of /etc/init.d/<servicename> status is zero, it assumes the service is running.

I have just run into BitBucket's noncompliance with this convention: /etc/init.d/atlbitbucket status returns 0 even when it's not running. However, I would consider this to be undesirable behavior (a bug) in the init script, that it doesn't follow the convention.

Found a reference for it; the Linux Standard Base Specification states:

If the status action is requested, the init script will return the following exit status codes.

0         program is running or service is OK
1         program is dead and /var/run pid file exists
2         program is dead and /var/lock lock file exists
3         program is not running
4         program or service status is unknown
5-99      reserved for future LSB use
100-149   reserved for distribution use
150-199   reserved for application use
200-254   reserved

So yes, compliant applications can be counted upon to behave in this fashion.

Iptables route traffic to specific external ip to different local ip instead and return responses with external ip as source

Bonus question: Isn't DNAT supposed to rewrite the source IP when there is a response anyway?

Yes it is, iptables NAT rules only operate on the first packet of a connection, later packets are handled according to the mappings established by the first rule.

Sent packets get routed to 192.168.0.169 and responses come back. However they don't come from 1.2.3.4 (the non existent game server) but from my emulated server

The problem is that the NAT can't translate packets that are never sent to it. Here is what is happening in your scenario.

The client crafts the initial packet to 1.2.3.4
The client looks in it's routing table, it doesn't find any better routes so it sends the packet to it's default gateway which is the NAT box.
The NAT box looks up the packet in it's connection tracking table, determines that it is a new connection, performs the NAT manipulations and establishes a connection tracking entry.
The NAT looks up the new destination in it's routing table and sends the packet to the server.
The server crafts a reply swapping source and destination as usual
The server looks in it's routing table, finds a match for the client's IP and sends the packet directly to the client
The reply arrives back at the client but since it didn't return via the NAT box it has the wrong source IP.
The reply is dropped.

So what can we do about it? One solution is to MASQURADE the traffic from client to server so that the server sees the traffic as coming from the NAT box. I believe the following should do it

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.169 -j MASQURADE

Best Answer

Related Solutions

Does an init script always return a proper exit code when running status

Iptables route traffic to specific external ip to different local ip instead and return responses with external ip as source

Related Question