View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0011041 | ClearOS | app-firewall - Firewall | public | 2016-10-27 10:02 | 2019-06-13 01:54

Reporter | NickH
Assigned To |
Priority | normal | Severity | minor | Reproducibility | always
Status | closed | Resolution | fixed
Platform | | OS | | OS Version |
Product Version | 7.2.0
Target Version | | Fixed in Version |
Summary | 0011041: Implementation of $IPTABLES in firewall breaks rules
Description | $IPTABLES is set to /sbin/ip6tables -w. As such, rules like:

    $IPTABLES -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT

and

    $IPTABLES -t nat -I OUTPUT -p udp --dport 67 -d 62.252.0.0/14 -j DNAT --to-destination 255.255.255.255

in /etc/clearos/firewall.d give errors:

    ip6tables v1.4.21: host/network `92.24.0.1' not found
    ip6tables v1.4.21: Bad IP address "255.255.255.255"

In turn this causes "service firewall restart" to report failure. In reality, the above rules get applied correctly, presumably with ip6tables falling back to iptables, because if you write the above rules as:

    /sbin/iptables -w -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT

and

    /sbin/iptables -w -t nat -I OUTPUT -p udp --dport 67 -d 62.252.0.0/14 -j DNAT --to-destination 255.255.255.255

they do not report failure.

One possible short-term solution would be to change $IPTABLES to "/sbin/iptables -w", but it may not help with an IPv6 implementation. The other solution would be to stop ip6tables from reporting an error when it is falling back to iptables. I would guess the error is initially caused by using IPv4 addresses and subnets in rules destined for IPv6 processing.
Steps To Reproduce | Put my two rules above into /etc/clearos/firewall.d/local, then restart the firewall (or dump its status as it restarts automatically). It will report failure. If you precede the two rules with IPTABLES="/sbin//iptables -w" so that IPTABLES becomes a local variable, the firewall will restart successfully.
Tags | No tags attached.
Attached Files |

Notes
(0004081) NickH (developer) 2016-10-27 10:21
If, as in my example above, you locally replace the value of $IPTABLES with "/sbin/iptables -w" in, say, /etc/clearos/firewall.d/local for its rules, then the rules get applied twice, so it is not a viable temporary solution, but it may work if done programmatically in ClearOS.
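The two problems above (IPv4 addresses handed to ip6tables, and rules being stacked twice when $IPTABLES is redefined in the local file) can be handled inside the local file itself without touching $IPTABLES. The following is an added example of such an /etc/clearos/firewall.d/local fragment; it is not ClearOS's own code and does not describe how ClearOS eventually fixed the issue. The only thing it assumes from the report is that the file is evaluated by the firewall service as shell; the variable names IPT4, IPT6 and FW_DRYRUN and the helper functions are this example's own. It picks /sbin/iptables or /sbin/ip6tables from the address family of the -s/-d/--to-destination arguments (a family-neutral rule goes to both), and it guards every insert with `iptables -C`, which exits 0 when an identical rule is already present, so re-evaluating the file cannot add a second copy. By default it only prints the commands it would run; set FW_DRYRUN to the empty string to execute them.

```sh
#!/bin/sh
# Added example (not ClearOS code) of an /etc/clearos/firewall.d/local fragment.
# Assumed from the report: ClearOS evaluates this file as shell with IPTABLES set
# to "/sbin/ip6tables -w". Everything else here (IPT4, IPT6, FW_DRYRUN and the
# helper functions) is this example's own naming, not a ClearOS interface.
# It addresses the two problems in the report and in note 0004081:
#   1. a rule carrying an IPv4 address must go to /sbin/iptables, never ip6tables;
#   2. a rule must not be stacked twice when the file is evaluated more than
#      once, so every insert is preceded by an `iptables -C` presence check.
# $IPTABLES is deliberately left untouched.

IPT4="/sbin/iptables -w"
IPT6="/sbin/ip6tables -w"
FW_DRYRUN="${FW_DRYRUN-1}"   # default: print commands; set FW_DRYRUN= (empty) to run them

# ipt_exec BIN -w ARGS...: run the command, or print it in dry-run mode.
ipt_exec() {
    if [ -n "$FW_DRYRUN" ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# rule_present "BIN -w" ARGS(-C form)...: exit 0 if the kernel already holds the
# rule. In dry-run mode nothing is queried and the rule is reported absent.
rule_present() {
    [ -z "$FW_DRYRUN" ] || return 1
    ipt="$1"; shift
    $ipt "$@" 2>/dev/null        # $ipt unquoted on purpose: binary plus -w
}

# rule_family ARGS...: print 4, 6, any or mixed, judged from the address
# arguments, because those are exactly what ip6tables rejects in the report.
rule_family() {
    prev=""
    fam="any"
    for tok in "$@"; do
        new=""
        case "$prev" in
        -s|-d|--source|--destination|--to-destination|--to-source)
            case "$tok" in
            *.*.*.*) new=4 ;;     # dotted quad, possibly with /prefix or :port
            *:*)     new=6 ;;     # a colon means an IPv6 literal
            esac ;;
        esac
        if [ -n "$new" ]; then
            if [ "$fam" = any ] || [ "$fam" = "$new" ]; then fam="$new"; else fam=mixed; fi
        fi
        prev="$tok"
    done
    echo "$fam"
}

# run_once "BIN -w" ARGS...: -I/-A the rule only if an identical rule is absent.
# Limitation: a numeric position after the chain (-I INPUT 3) is not handled.
run_once() {
    bin="$1"; shift
    op=""
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do              # rewrite -I/-A into -C, keeping order
        tok="$1"; shift
        case "$tok" in -I|-A|--insert|--append) op="$tok"; tok="-C" ;; esac
        set -- "$@" "$tok"
        i=$((i + 1))
    done
    if [ -z "$op" ]; then
        echo "run_once: rule has no -I/-A: $*" >&2
        return 2
    fi
    if rule_present "$bin" "$@"; then
        return 0                              # already there: do not stack a copy
    fi
    n=$#; i=0
    while [ "$i" -lt "$n" ]; do              # restore the original operation
        tok="$1"; shift
        case "$tok" in -C) tok="$op" ;; esac
        set -- "$@" "$tok"
        i=$((i + 1))
    done
    ipt_exec $bin "$@"                        # $bin unquoted on purpose: binary plus -w
}

# apply_rule ARGS...: route a rule to iptables, ip6tables or both, idempotently.
apply_rule() {
    case "$(rule_family "$@")" in
    4)   run_once "$IPT4" "$@" ;;
    6)   run_once "$IPT6" "$@" ;;
    any) run_once "$IPT4" "$@" && run_once "$IPT6" "$@" ;;
    *)   echo "apply_rule: IPv4 and IPv6 addresses mixed in one rule: $*" >&2; return 2 ;;
    esac
}

# The two rules from the report: the IPv4 address alone is enough to send them
# to /sbin/iptables, so nothing in $IPTABLES has to be overridden.
apply_rule -I INPUT -p udp --dport 500 -i enp2s0 -s 92.24.0.0/13 -j ACCEPT
apply_rule -t nat -I OUTPUT -p udp --dport 67 -d 62.252.0.0/14 -j DNAT --to-destination 255.255.255.255
```

The address-family test is a heuristic on the literal arguments only: a dotted quad (with or without a /prefix or :port) selects iptables, a colon selects ip6tables, and a rule with both is rejected rather than guessed at. The `-C` check compares the full rule specification, so the same rule written with a different match order or an extra module would still be inserted as a separate copy; keep rules in one canonical form in the file.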
(0004141) NickH (developer) 2016-11-23 01:00
Another user with possibly the same problem: https://www.clearos.com/clearfoundation/social/community/iptable-rule-fails
(0012171) NickH (developer) 2019-06-13 01:54
If ipv4/ipv6 statements now in local
Issue History
Date Modified | Username | Field | Change
2016-10-27 10:02 | NickH | New Issue |
2016-10-27 10:21 | NickH | Note Added: 0004081 |
2016-11-23 01:01 | NickH | Note Added: 0004141 |
2016-12-06 20:15 | user2 | Status | new => acknowledged
2019-06-13 01:54 | NickH | Note Added: 0012171 |
2019-06-13 01:54 | NickH | Status | acknowledged => closed
2019-06-13 01:54 | NickH | Resolution | open => fixed