ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0011041
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2016-10-27 10:02
Last Update: 2019-06-13 01:54
Reporter: NickH
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Version: 7.2.0
0011041: Implementation of $IPTABLES in firewall breaks rules
$IPTABLES is set to /sbin/ip6tables -w. As such rules like:
$IPTABLES -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT
and
$IPTABLES -t nat -I OUTPUT -p udp --dport 67 -d 62.252.0.0/14 -j DNAT --to-destination 255.255.255.255
in /etc/clearos/firewall.d give errors:
ip6tables v1.4.21: host/network `92.24.0.1' not found
ip6tables v1.4.21: Bad IP address "255.255.255.255"
In turn this causes "service firewall restart" to report failure.

In reality, the above rules get applied correctly, presumably with ip6tables falling back to iptables, because if you do the above rules as:
/sbin/iptables -w -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT
and
/sbin/iptables -w -t nat -I OUTPUT -p udp --dport 67 -d 62.252.0.0/14 -j DNAT --to-destination 255.255.255.255
They do not report failure.

One possible short term solution would be to change $IPTABLES to "/sbin/iptables -w", but it may not help with an IPv6 implementation. The other solution would be to stop ip6tables from reporting an error when it is falling back to iptables.

I would guess the error is initially caused by using IPv4 addresses and subnets in rules destined for IPv6 processing.

Steps To Reproduce:
Put my two rules above into /etc/clearos/firewall.d/local, then restart the firewall (or dump its status as it restarts automatically). It will report failure. If you precede the two rules with IPTABLES="/sbin/iptables -w" so IPTABLES becomes a local variable, the firewall will restart successfully.
No tags attached.
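The report describes two fixes: point $IPTABLES at iptables (which then breaks IPv6 rules) or silence ip6tables. A third option a practitioner would want is to route each firewall.d rule to the tool that matches its address family. The script below is an added example, not ClearOS code: it inspects the -s/-d/--to-* arguments of a rule, picks /sbin/iptables or /sbin/ip6tables (paths are assumptions taken from the commands in the report; override IPTABLES4/IPTABLES6 if yours differ), runs family-neutral rules once under each tool, and refuses a rule that mixes both families. The two rules from the report are handled as IPv4 and never reach ip6tables.

```shell
#!/bin/sh
# Added example, not ClearOS code: send each firewall.d rule to iptables or
# ip6tables according to the address family of the literals it carries,
# rather than running every rule through $IPTABLES="/sbin/ip6tables -w".
# Binary paths are assumptions (the report only shows /sbin/iptables and
# /sbin/ip6tables); they are deliberately unquoted below so "-w" splits off.
IPTABLES4="${IPTABLES4:-/sbin/iptables -w}"
IPTABLES6="${IPTABLES6:-/sbin/ip6tables -w}"

# rule_family RULE-ARGS...
# Prints "inet" for a rule whose -s/-d/--to-* literals are IPv4, "inet6" for
# IPv6, and "both" when it carries no literal (none, or a hostname), so the
# rule applies to either stack. Prints "mixed" and returns 1 on a clash.
rule_family() {
    fam=both
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case "$opt" in
            -s|--source|-d|--destination|--to-source|--to-destination)
                [ $# -gt 0 ] || break
                val=$1; shift
                case "$val" in
                    *:*:*)   this=inet6 ;;  # two+ colons: IPv6 literal, maybe [addr]:port
                    *.*.*.*) this=inet ;;   # dotted quad, maybe /prefix or :port
                    *)       this=both ;;   # hostname: the resolver decides
                esac
                if [ "$this" != both ]; then
                    if [ "$fam" = both ]; then
                        fam=$this
                    elif [ "$fam" != "$this" ]; then
                        echo mixed
                        return 1
                    fi
                fi
                ;;
        esac
    done
    echo "$fam"
}

# fw_rule RULE-ARGS...
# Runs the rule once under the matching tool; a family-neutral rule runs once
# under each tool. No rule is ever run twice under the same tool.
fw_rule() {
    family=$(rule_family "$@") || {
        echo "fw_rule: mixed address families in rule: $*" >&2
        return 1
    }
    case "$family" in
        inet)  $IPTABLES4 "$@" ;;
        inet6) $IPTABLES6 "$@" ;;
        both)  $IPTABLES4 "$@" && $IPTABLES6 "$@" ;;
    esac
}

# Usage as a script:
#   sh fw_rule.sh -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT
[ $# -eq 0 ] || fw_rule "$@"
```

Sourcing this file from a firewall.d snippet and replacing `$IPTABLES` with `fw_rule` on each line keeps IPv4-only rules away from ip6tables without the double application that a local `IPTABLES=` override causes. The family test is a heuristic on literals only; a rule that relies on hostname resolution is still handed to both tools, exactly as the firewall does today.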
Issue History
2016-10-27 10:02  NickH  New Issue
2016-10-27 10:21  NickH  Note Added: 0004081
2016-11-23 01:01  NickH  Note Added: 0004141
2016-12-06 20:15  user2  Status: new => acknowledged
2019-06-13 01:54  NickH  Note Added: 0012171
2019-06-13 01:54  NickH  Status: acknowledged => closed
2019-06-13 01:54  NickH  Resolution: open => fixed

Notes
(0004081) NickH 2016-10-27 10:21
If, as in my example above, you locally replace the value of $IPTABLES with "/sbin/iptables -w" in, say, /etc/clearos/firewall.d/local for its rules, then the rules get applied twice, so it is not a viable temporary solution, but it may work if done programmatically in ClearOS.
(0004141) NickH 2016-11-23 01:00
Another user with possibly the same problem:
https://www.clearos.com/clearfoundation/social/community/iptable-rule-fails
(0012171) NickH 2019-06-13 01:54
If ipv4/ipv6 statements now in local