
We provision servers with Chef so that we have the same configuration on Ubuntu 16.04 and 18.04. There is the same rule for restoring the iptables rules:

    cat /etc/network/if-pre-up.d/iptables_load
    /sbin/iptables-restore < /etc/iptables/general

but it doesn't work on Ubuntu 18.04.

If I run it manually, it works. Does that mean this script isn't run at startup?

UPDATE

I created a systemd service as described here, and it works fine.

    [Unit]
    Description=Apply iptables rules
    # Ordering added: WantedBy= (below) only pulls the unit in, it does not
    # order it, so without Before= the rules can land after the interfaces
    # are already up. systemd.special(7) recommends Wants= plus Before=
    # on network-pre.target for firewall units.
    Wants=network-pre.target
    Before=network-pre.target

    [Service]
    Type=oneshot
    # Same hook script the 16.04 hosts run; it just calls iptables-restore.
    ExecStart=/etc/network/if-pre-up.d/iptables_load

    [Install]
    WantedBy=network-pre.target
Coul
    give `iptables-persistent` a try, see https://askubuntu.com/questions/84781/iptables-resets-when-server-reboots – Fabian May 30 '18 at 18:07
  • but iptables-persistent isn't installed on Ubuntu 16.04, and the iptables rules are still there after reboot – Coul May 30 '18 at 18:36
  • Ubuntu 18.04 has some funky bugs at the moment; I personally won't be running it until it's sorted out. And 16.04 is not EOL before 2020. Have you tried to load the rules with your /etc/network/interfaces file? That is how I normally load iptables rules, since this makes the most sense with security (if you take that seriously) – Cristian Matthias Ambæk May 30 '18 at 19:38
  • That seems like an odd place to put your script to load iptables. Doesn't it mean that ANY interface being loaded would reset your firewall? Wouldn't you potentially have a race condition starting it via that hook? BTW, do you have the permissions set correctly on the script? What happens if you do `ifdown -a` followed by `ifup -a`? Can you maybe put some kind of debugging code in that script to write messages to the logs or display messages so you know if/when it is getting called? – Zoredache May 30 '18 at 21:59
  • Also, I haven't looked yet, but does 18.04 switch over to using systemd-networkd style configuration? Does that even support the older hook scripts? – Zoredache May 30 '18 at 22:02
  • Thanks for the "systemd service" hint. Works great. Another solution that I stepped over was to use the `@reboot` hook in the `crontab`. By the way: you can answer your own question, that's perfectly legitimate. – BurninLeo Feb 02 '19 at 22:20
  • I'm voting to close this question as off-topic because there's askubuntu – poige Aug 23 '19 at 15:31

2 Answers


Here's what I did:

  1. Drop your iptables rules into /etc/iptables.rules
  2. Create the service file like so:

    sudo nano /etc/systemd/system/restore-iptables-rules.service
    

    Copy-paste this:

    [Unit]
    Description=Apply iptables rules
    # WantedBy= below only pulls the unit in; Wants= plus Before= is what
    # orders it ahead of network setup (systemd.special(7), network-pre.target).
    Wants=network-pre.target
    Before=network-pre.target
    
    [Service]
    Type=oneshot
    # ExecStart= does no shell redirection, hence the sh -c wrapper;
    # iptables-restore also accepts the file as a plain argument.
    ExecStart=/bin/sh -c 'iptables-restore < /etc/iptables.rules'
    
    [Install]
    WantedBy=network-pre.target
    
  3. Enable service like so:

    sudo systemctl enable restore-iptables-rules.service
    
  4. Reboot and check that the rules have been applied:

    sudo iptables -L
    
RalfFriedl
Csimbi
  • This is a great post because it can also be used for `ebtables`, which was what I needed to do. The usual answer for persistent `iptables` rules which is to use `iptables-persistent` doesn't work for `ebtables` so this is perfect! Thanks! – Earl Sven Aug 25 '21 at 09:21
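The four steps above carried through end to end, as an added example that is not Csimbi's code: a POSIX shell script that writes a default-deny IPv4 ruleset, parse-checks it with `iptables-restore --test` before it goes anywhere near the live tables, and installs a oneshot unit. The unit differs from the one in the answer in two ways a practitioner should know about. WantedBy= only pulls a unit in, it does not order it, so Before=network-pre.target is what actually puts the rules in place before the interfaces come up (systemd.special(7) recommends Wants= plus Before= on network-pre.target for firewall units). And network-pre.target is a passive target that nothing is obliged to pull in, so the unit is installed under multi-user.target and pulls the target in itself. The file paths, the unit name and the tcp/22 allowance are assumptions; run it as root with the `install` argument to apply.

```shell
#!/bin/sh
# Added example (not from the answers above): install a default-deny IPv4
# ruleset and a systemd oneshot unit that restores it before any interface
# is configured. Paths, unit name and the tcp/22 allowance are assumptions.
set -e

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
UNIT_NAME="${UNIT_NAME:-restore-iptables-rules.service}"
UNIT_FILE="${UNIT_FILE:-/etc/systemd/system/$UNIT_NAME}"

# iptables-save format: INPUT/FORWARD default DROP, loopback and established
# traffic allowed, invalid state dropped, ping and new SSH connections allowed.
write_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Unit ordered before network-pre.target (the ordering systemd.special(7)
# recommends for firewalls) and installed under multi-user.target so it is
# started even though network-pre.target itself is passive. ExecStart= takes
# the rules file as an argument, so no shell redirection is needed.
write_unit() {
  cat <<EOF
[Unit]
Description=Apply iptables rules from $RULES_FILE
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
After=local-fs.target systemd-modules-load.service
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore $RULES_FILE
ExecReload=/sbin/iptables-restore $RULES_FILE

[Install]
WantedBy=multi-user.target
EOF
}

# Parse-check a ruleset without touching the live tables. Returns non-zero
# when iptables-restore rejects the file; returns 0 (with a warning) when
# iptables-restore is not installed, because there is nothing to check with.
validate_rules() {
  file="$1"
  if ! command -v iptables-restore >/dev/null 2>&1; then
    echo "iptables-restore not found, skipping syntax check" >&2
    return 0
  fi
  iptables-restore --test "$file"
}

# Return 0 when a unit text carries the ordering that puts the rules in
# place before the network is configured, 1 otherwise.
unit_is_ordered_before_network() {
  printf '%s\n' "$1" | grep -q '^Before=.*network-pre\.target' &&
  printf '%s\n' "$1" | grep -q '^Wants=.*network-pre\.target'
}

# Root-only: write both files, reload systemd, enable and start the unit,
# then show the live INPUT chain as the "reboot and check" step.
install_firewall() {
  tmp=$(mktemp)
  write_rules > "$tmp"
  validate_rules "$tmp"
  install -m 0600 "$tmp" "$RULES_FILE"
  rm -f "$tmp"
  write_unit > "$UNIT_FILE"
  chmod 0644 "$UNIT_FILE"
  systemctl daemon-reload
  systemctl enable --now "$UNIT_NAME"
  systemctl is-active "$UNIT_NAME" && iptables -S INPUT
}

case "${1:-}" in
  install) install_firewall ;;
esac
```

After a reboot, `systemctl status restore-iptables-rules.service` should show the unit active (exited) and `iptables -S INPUT` should start with `-P INPUT DROP`; if the policy is still ACCEPT, check `journalctl -u restore-iptables-rules.service` for an iptables-restore parse error, which is exactly what the `--test` pass is meant to catch before the file is installed.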

I ran into a variety of problems with iptables triggered in if-up locations. As my iptables script grew more complicated, the fact that it may run (depending on exact location of the script) for each interface became a problem as did the need for the correct network interface to be up if things like hostname resolution are to work. These factors were causing slow booting and failures. You could consider the alternative, which is to run the iptables script as a systemd service.

This can be done by creating a file called, for example, real_iptables.service in /etc/systemd/system/ with contents like:

[Unit]
Description=Set up the firewall
# Ordered after the network so the script can resolve hostnames; this is
# the window the if-up.d lockdown mentioned below is meant to close.
After=network.target

[Service]
Type=oneshot
# The firewall script itself; it runs once per boot.
ExecStart=/root/iptables

[Install]
WantedBy=multi-user.target

The actual iptables script is, as you can see, at /root/iptables. Install the service with:

systemctl enable real_iptables
systemctl start real_iptables

With the service enabled, it will be started at boot time, but will run only once. If you want to be completely secure, it's possible to put a script in /etc/network/if-up.d/ that uses iptables to block all network communications. This means nothing can happen until the service starts.

mbrampton
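The "block everything from if-up.d until the service starts" idea in the last paragraph, as an added example that is not mbrampton's script. ifupdown runs every script in /etc/network/if-up.d/ once per interface it brings up, with the interface name in `$IFACE`; this one replaces the filter table with a fail-closed ruleset unless the real service has already applied its policy. Two deliberate choices a practitioner should note: OUTPUT is left at ACCEPT, because the answer's real script needs name resolution and would fail behind an outbound DROP; and ifupdown only runs these hooks for interfaces it manages, so on an 18.04 host where netplan hands the interfaces to systemd-networkd this script never fires, and the unit ordering approach is what has to close the gap. The service name and the log tag are assumptions.

```shell
#!/bin/sh
# Added example (not mbrampton's script): /etc/network/if-up.d/00-lockdown.
# Fail closed on every interface ifupdown brings up until the real firewall
# service has applied its policy. The service name and log tag are assumptions.

SERVICE="${SERVICE:-real_iptables.service}"

# Decide whether this invocation should lock the host down: skip loopback,
# and skip once the real service is active, because its rules are then in
# place and must not be clobbered. Returns 0 = lock down, 1 = nothing to do.
should_lock_down() {
  iface="$1"
  [ "$iface" = "lo" ] && return 1
  if command -v systemctl >/dev/null 2>&1 &&
     systemctl is-active --quiet "$SERVICE"; then
    return 1
  fi
  return 0
}

# Fail-closed filter table in iptables-save format: nothing inbound except
# loopback and replies to connections this host opened. OUTPUT stays ACCEPT
# on purpose so the real script can still resolve hostnames when it runs.
lockdown_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Replace the whole filter table (iptables-restore without -n flushes first),
# so repeated runs for several interfaces converge on the same state.
apply_lockdown() {
  lockdown_rules | iptables-restore
  logger -t lockdown "$1 up: default-deny applied until $SERVICE runs"
}

# ifupdown sets IFACE; when run by hand, pass the interface as $1.
iface="${IFACE:-${1:-}}"
if [ -n "$iface" ] && should_lock_down "$iface"; then
  apply_lockdown "$iface"
fi
```

Make the script executable (ifupdown silently skips hooks that are not), and confirm it is actually being invoked with `ifdown -a && ifup -a` followed by `journalctl -t lockdown`, which is the debugging step Zoredache suggests in the comments above.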