
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

4 votes
1 answers
2204 views
fail2ban with iptables-persistent
I've been running fail2ban for a bit, and recently installed iptables-persistent and am using it with ipset for a blacklist (there's one particular IP that is always hammering away at this machine). The ipset/iptables persistency was a bit of work on Ubuntu, but that part seems to be working. My issue is now the following: when I reboot the machine, my iptables (relevant portion) looks like this:
Chain INPUT (policy ACCEPT 682 packets, 84744 bytes)
 pkts bytes target     prot opt in     out     source               destination
  347 23254 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blacklist src
  347 23254 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22

Chain f2b-sshd (2 references)
 pkts bytes target     prot opt in     out     source               destination
  694 46508 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
With this, I noticed also that netfilter-persistent.service was marked as "loaded failed failed" by systemctl even though it clearly loaded the rules files. I tried editing my fail2ban service to load AFTER netfilter-persistent, and now netfilter-persistent is marked as "loaded active exited"... but the rules are still duplicated (apparently f2b creates the rules regardless of whether they already exist). Manually editing this file each time I run iptables-save to delete the f2b entries is probably an acceptable option (particularly given that the consequences aren't all that grave if I forget to do so), but I'm wondering if there's a better option?
zzxyz (329 rep)
Nov 19, 2018, 06:58 PM • Last activity: Apr 11, 2025, 04:09 AM
2 votes
1 answers
638 views
Why was UFW removed automatically?
I noticed that the package UFW had been removed from a server, but do not recall having manually removed it. Looking at the logs at /var/log/apt/history.log, I noticed this entry:
Start-Date: 2024-06-24  18:56:55
Commandline: apt-get install -y iptables-persistent
Requested-By: ealfonso (1000)
Install: iptables-persistent:amd64 (1.0.20), netfilter-persistent:amd64 (1.0.20, automatic)
Remove: ufw:amd64 (0.36.2-1)
End-Date: 2024-06-24  18:57:06
I did request iptables-persistent to be installed. Does the log above indicate that the UFW removal was triggered by installing iptables-persistent? From the iptables-persistent package description there doesn't appear to be a direct conflict with UFW, and according to this answer, UFW can be compatible with iptables-persistent.
ealfonso (993 rep)
Jun 25, 2024, 02:55 PM • Last activity: Jun 25, 2024, 04:18 PM
1 votes
1 answers
4293 views
Can UFW work with iptables-persistent?
I used a script to set up iptables rules and then made them persistent with iptables-persistent. This is described here as a means to prevent a certain user sending traffic over eth0 so it can just use tun0 aka a VPN. But I also use ufw to easily manage firewall rules. Now, if I make the rules persistent, ufw seems not to be able to load its own rules on top of that. Is this a basic conflict? Or should I be able to solve it? Of course I could make the rules persistent after I added sudo ufw enable, but then any changes to ufw afterwards would have to be persisted, too. This is something I want to avoid because it might be a cause for errors.
bomben (549 rep)
Jan 5, 2021, 01:14 PM • Last activity: Mar 10, 2024, 11:04 AM
0 votes
2 answers
2592 views
cannot get iptables to auto load rules on reboot with iptables-persistent
I need some help, or advice. I have a latest server I am trying to get into production and I cannot get it to load its rules on a reboot. "Debian GNU/Linux 10 (buster)", it is up to date in its packages. I have installed iptables-persistent, I have run dpkg-reconfigure iptables-persistent, and it does save the rules in /etc/iptables. I have the following in the folder:
rules.v4
rules.v6
On a reboot it will not load my rules. If I do this below, it works just fine! It will just not do this for me on reboot.
iptables-restore < /etc/iptables/rules.v4
I have tried following many leads online, starting from these:
https://unix.stackexchange.com/questions/52376/why-do-iptables-rules-disappear-when-restarting-my-debian-system
https://unix.stackexchange.com/questions/125833/why-isnt-the-iptables-persistent-service-saving-my-changes
I don't know what I am doing wrong. I do have fail2ban installed and working. I can't see this conflicting, but on boot they both would be working with iptables... Are there ways to view the iptables logs? Does it log to journalctl? I cannot find any messages that can give me an idea why it is not working. These rules gotta load on boot. Someone did mention to load this in /etc/rc.local, which I am unfamiliar with; that file is not there on Debian, and some have explained to just stick with iptables-persistent, which I would tend to agree with.
https://unix.stackexchange.com/questions/52376/why-do-iptables-rules-disappear-when-restarting-my-debian-system#answer-52378
Any help is appreciated, or logs to iptables if any. This is my boot log when I try a reboot:
journalctl -f -unetfilter-persistent
Jan 02 15:09:06 domain.ca netfilter-persistent: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 02 15:09:06 domain.ca systemd: Started netfilter persistent configuration.
Jan 02 15:09:50 domain.ca systemd: Stopping netfilter persistent configuration...
Jan 02 15:09:50 domain.ca netfilter-persistent: Automatic flush disabled; use '/usr/sbin/netfilter-persistent flush'
Jan 02 15:09:50 domain.ca systemd: netfilter-persistent.service: Succeeded.
Jan 02 15:09:50 domain.ca systemd: Stopped netfilter persistent configuration.
Jan 02 15:09:50 domain.ca systemd: Starting netfilter persistent configuration...
Jan 02 15:09:50 domain.ca netfilter-persistent: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Jan 02 15:09:50 domain.ca netfilter-persistent: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Jan 02 15:09:50 domain.ca systemd: Started netfilter persistent configuration.
gstlouis (85 rep)
Dec 27, 2022, 03:22 PM • Last activity: Feb 2, 2024, 07:03 PM
0 votes
1 answers
758 views
How can I copy all traffic on a network and forward it to another IP address?
I'm trying to use iptables. I'm simulating a network with Mininet. I currently have a router connecting two subnets (10.0.1.1/24 and 10.0.2.1/24). If I use these two iptables rules on the router I see that two duplicates are created, but on the host 10.0.2.180 I only see echo request or reply packets (in the case of icmp ping). It seems that it is not bidirectional. The router only captures traffic traveling from one subnet to another, not internal traffic. I wrote these two rules on the router, but I can only catch inbound traffic. I would also need to take the outgoing traffic. I'm using these iptables rules:
iptables -t mangle -A PREROUTING -i r1-eth1 -j TEE --gateway 10.0.2.180
iptables -t mangle -A POSTROUTING -o r1-eth1 -j TEE --gateway 10.0.2.180
Luigis94 (1 rep)
Dec 7, 2022, 10:08 PM • Last activity: Dec 12, 2022, 09:10 AM
31 votes
4 answers
103409 views
Why isn't the Iptables persistent service saving my changes?
I followed this tutorial to set up IP rules on Ubuntu 12.04. Everything worked fine on setup -- but now I've made changes to the firewall that do not persist upon reboot. I do not understand why that is. Here is a demonstration of how I am using iptables-persistent. What am I doing wrong?
$ sudo service iptables-persistent start
 * Loading iptables rules...
 *  IPv4...
 *  IPv6...
$ sudo iptables -L          //shows a certain rule
$ iptables -D INPUT ...     //command successfully drops the rule
$ sudo iptables -L          //shows rule has been deleted
$ sudo service iptables-persistent restart
 * Loading iptables rules...
 *  IPv4...
 *  IPv6...                 [ OK ]
$ sudo iptables -L          //rule is back
bernie2436 (6855 rep)
Apr 21, 2014, 03:59 PM • Last activity: Jul 15, 2021, 09:59 PM
0 votes
1 answers
854 views
Iptables Accept All From Specific Ip And Port
I want to accept all traffic that is coming from an IP address and its specific port to any of my ports. Here is the configuration (screenshot): https://i.sstatic.net/78SmX.png
Details: I am using Jitsi in a server, and I want to reach Jitsi from another server2 (client). The client has a firewall on it, which blocks everything except https and ssh, by default. The Jitsi meet conference process (without STUN, which allows peer to peer connection) goes like that:
- Client sends a connection request from any of its ports to the 10000th port of Jitsi.
- Jitsi accepts the request on its 10000, and sends the answer to the port that the request came from.
- Client can't see the answer, since the firewall has blocked it, because the answer came to a random port.
So I need to accept all traffic that comes from the IP of the Jitsi server and its specific port 10000 to any of my ports. I tried to add this to rules.chains:
-A PREROUTING -s 10.0.0.1 --sport 10000 -j POLACCEPT
But it didn't work. It gave me an error on systemctl restart netfilter-persistent. By the way, I can see the incoming packets in tcpdump results; I guess this is because udp packets are coming and then iptables blocks them, but tcpdump may still be able to see them. Is there a solution for this and what is it?
sahin (1 rep)
Jun 30, 2021, 09:32 AM • Last activity: Jun 30, 2021, 12:25 PM
0 votes
3 answers
350 views
Blocking internet of an DHCP assigned static IP, but allowing internal LAN network to get to device
I have a Raspberry Pi that DHCP assigns a static IP address (based on its MAC address) at **192.168.2.12** with the local gateway at 192.168.2.1. **I want to block internet traffic to it and from it**, but **I do** want **local LAN network traffic access to the Raspberry Pi (only internally)**. How can I do this in **iptables** and the **AdvancedTomato router script?** (If this is the best / easiest way.)
(Router screen)
I tried the commands below:
######## block all internet to ip address but give access to LAN
iptables -I FORWARD -s 192.168.2.12 -j REJECT
####### Restarts the firewall to update iptables without reboot of router
service firewall restart
But it seems to leak out to the internet:
$ ping att.com
PING att.com (144.160.36.42) 56(84) bytes of data.
From unknown (192.168.2.1) icmp_seq=1 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=2 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=3 Destination Port Unreachable
From unknown (192.168.2.1) icmp_seq=4 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=5 ttl=241 time=87.5 ms
From unknown (192.168.2.1) icmp_seq=6 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=7 ttl=241 time=64.8 ms
From unknown (192.168.2.1) icmp_seq=8 Destination Port Unreachable
64 bytes from att.com (144.160.36.42): icmp_seq=9 ttl=241 time=93.3 ms
**Am I using the correct commands / syntax to block the internet of a DHCP assigned static IP, but allow the internal LAN network to get to the device?**
Rick T (357 rep)
May 17, 2021, 07:46 PM • Last activity: May 23, 2021, 12:56 PM
0 votes
0 answers
126 views
Something is modifying my iptable, can it be traced?
I've got the following command in my iptable: -A FORWARD -o enp0s3 -j ACCEPT
That somebody doesn't like, because after 2 reboots, it's gone from the iptable... I've got *iptables-persistent* installed, and am running ufw (some say it conflicts, but it has worked before). Well, I'm adding the command, saving, rebooting, and it works, then I'm rebooting again, and it works, then I'm rebooting again, and NOW suddenly it's not working anymore, and the -A FORWARD -o enp0s3 -j ACCEPT command in the iptable has been removed. I've even tried to shut down instead of rebooting, but the same result. So my question is, is there any way to "see" why this is happening, and what's doing it? I've recently installed apache2 and certbot, and it's after this I discovered this issue, but I have no idea how to fix this..
edit: An interesting development has occurred. I'm using the iptables-save > /tmp/iptables.txt command to get the table, and in that table the forward command is missing, but when I looked directly into the rules.v4 file, there the command still exists..
edit: from my rules file:
*filter
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -o enp0s3 -j ACCEPT
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
Adam Larsson (15 rep)
Jan 17, 2021, 06:42 AM • Last activity: Jan 18, 2021, 05:09 PM
6 votes
3 answers
34567 views
how to make firewall changes permanent via firewall-cmd?
I am trying to open some ports in CentOS 7. I am able to open a port with the following command:
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 7199 -j ACCEPT
By inspecting via iptables -L -n, I get the confirmation that the setting was successful:
Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:7199
Unfortunately, I cannot make the changes permanent, even by using the --permanent option like this:
firewall-cmd --direct --permanent --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 7199 -j ACCEPT
Any idea on how to fix this? Why is the --permanent option not working correctly?
fstab (920 rep)
Dec 21, 2014, 03:19 PM • Last activity: Nov 1, 2020, 08:33 PM
1 votes
1 answers
553 views
Debian10 iptables-restore [legacy] just fails with simplest rule
I'm trying to set up a simple firewall with docker and I wanted to use iptables-restore. I changed the iptables used to legacy (so it shouldn't use nftables, if I'm right). The problem is that even a file as simple as:
*filter
:INPUT ACCEPT [0:0]
COMMIT
leads to an error:
iptables-restore rules1.v4 --test --verbose --noflush
Bad argument `COMMIT'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
The INPUT chain obviously exists:
iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
I'm using Debian 10.
Brummbaer (11 rep)
Aug 21, 2020, 05:52 PM • Last activity: Aug 24, 2020, 06:55 PM
0 votes
1 answers
410 views
Ubuntu 18.04 Server Internal and External network configuration
I have an issue in Ubuntu 18.04 Server configuring the internal and external network. The case is that I have a Gateway device which has a DHCP service to lease IP addresses for wlan connected devices. Gateway device eth0 IP address is 192.168.1.120, Gateway device wlan0 has static 10.10.0.1 IP address, and the first wlan client gets 10.10.0.2 IP address. Gateway device eth0 has internet access. But wlan0 connected devices should only have access to Gateway device services, e.g. MySql or custom REST APIs.
Rule 1: Gateway device should have access to internet. [eth0][Internet]
Rule 2: Wlan connected devices should only have access to Gateway device services. [WlanClient][wlan0][eth0]--||NoAccess||--[Internet]
What I have done is that I have installed Ubuntu 18.04 Server and installed basic services, and now I'm at the point where I should create network restrictions. I have done the following settings to get wlan0 connected devices to be able to use Gateway device services. But wlan0 connected devices now also have internet access, which should be restricted.
/etc/sysctl.conf
net.ipv4.ip_forward=1
iptables configuration
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables-save  > /etc/iptables/rules.v4
iptables-restore  < /etc/iptables/rules.v4
Can some one help me with the configuration?
Sami Pylkkänen (3 rep)
Apr 15, 2020, 07:52 AM • Last activity: Apr 19, 2020, 03:36 PM
2 votes
0 answers
534 views
arptables-nft persistence
**Introduction** This is on Debian Buster with kernel 4.19.0-6. I've installed iptables-persistent and netfilter-persistent versions 1.0.11 and added a basic rule to arptables-nft to block all LAN addresses but the default gateway like so:
# arptables-nft -A INPUT -s ! 10.0.0.1 -j DROP
saving the rules into a file can be done like so
$ sudo arptables-nft-save >> ~/Desktop/arptable-rules.save
$ less ~/Desktop/arptable-rules.save
*filter
:INPUT ACCEPT
:OUTPUT ACCEPT
-A INPUT ! -s 10.0.0.1 --h-length 6 --h-type 1 -j DROP
And the rules can be restored like so
$ sudo arptables-nft -F
$ sudo arptables-nft-restore < ~/Desktop/arptable-rules.save
$ sudo arptables-nft -L -n
Chain INPUT (policy ACCEPT)
! -s 10.0.0.1 --h-length 6 --h-type 1 -j DROP

Chain OUTPUT (policy ACCEPT)
But for some reason, it does not persist past a reboot. I thought that arptables-nft would be part of the netfilter arp table, but it isn't. Aside from making a startup script (e.g. Making scripts run at boot time with Debian) which runs arptables-nft-restore and perhaps a shutdown script which runs arptables-nft-save, I am not sure how to make the arptables-nft table rules persistent past a reboot. **Question** Is there some way to have the rules automagically save like they do with … or …-persistent and how they handle their tables? Or would writing a startup / shutdown script be less trouble?
seanlum (41 rep)
Dec 28, 2019, 12:50 AM
0 votes
2 answers
223 views
Default configuration iptables, how to avoid to be blocked when flushing tables?
I have this base for iptables when I have a new server to configure:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loop device.
-A INPUT -i lo -j ACCEPT
# Allow PING from remote hosts.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# allow ssh port 22
-A INPUT -p tcp --dport 22 -j ACCEPT
# allow foobar public IP
-A INPUT -p tcp -s 9.8.7.6 -j ACCEPT
# Allow outgoing traffic
-A OUTPUT -p tcp -d 1.2.3.4 -j ACCEPT
-A OUTPUT -o enp8s0 -d 0.0.0.0/0 -j ACCEPT
COMMIT
I load this file with iptables-restore < file. The issue is that when I flush with iptables -F, I get blocked. What do I have to do to avoid being blocked?
Mévatlavé Kraspek (541 rep)
Sep 22, 2019, 03:38 AM • Last activity: Sep 24, 2019, 03:46 AM
2 votes
1 answers
2766 views
Masquerade rule with netfilter-persistent
I use netfilter-persistent to manage a firewall. I would like to share a connection between two interfaces using masquerading (example, or another). When I run those operations by invoking iptables it works. But if I try to update the firewall rules stored in /etc/iptables/rules.v4 by adding such a line:
-t nat -A POSTROUTING -o wlan0 -j MASQUERADE
lines starting with -t make netfilter-persistent fail to run and the firewall is not updated:
Nov 16 11:51:32 helena systemd[1]: netfilter-persistent.service: Main process exited, code=exited, status=1/FAILURE
Nov 16 11:51:32 helena systemd[1]: Failed to start netfilter persistent configuration.
So I am wondering if it is possible to store this kind of rules with netfilter-persistent, or:
- Is it a known limitation?
- Is there a good reason why it cannot work?
- Is there a hack to make it work?
jlandercy (135 rep)
Nov 16, 2018, 12:06 PM • Last activity: Sep 9, 2019, 07:53 PM
3 votes
2 answers
3996 views
Force iptables to immediately put drop rule into effect
I have the following setup in /etc/iptables/rules.v4:
# Generated by iptables-save v1.4.21 on Mon Jul 1 11:32:00 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:620]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.35.107/32 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -s 192.168.35.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 192.168.35.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Jul 1 11:32:00 2019
From the above we see that I want to block ping from a specific IP. After I save the rules with iptables-restore < /etc/iptables/rules.v4, and I list the rules with iptables -L, I can conclude that the computer with IP 192.168.35.107 is unable to ping the server. However, the computer with that IP is able to ping **indefinitely** until I break the session. Even after I break the ping I still need to make a ~60 second pause until I am unable to ping again. If I make a 5-10 second pause between ping commands the firewall lets me through. Funnily enough, when I enable ping through iptables it works immediately. I have tried with the Samba port 445 as well. Same. Is there a way to make iptables dropped ports immediately effective?
spaceman117X (492 rep)
Jul 1, 2019, 12:44 PM • Last activity: Jul 2, 2019, 10:25 AM
1 votes
2 answers
4345 views
How to get UFW to read current iptables rules after modification? (Ubuntu)
I am adding a chain using iptables:
iptables -N ETDROP
When I reboot, this is lost. I read of many ways to make iptables rules permanent... however, you must remember, I am using UFW and UFW has this job of remembering your rules. So the question is, how do I get UFW to realize that a new rule has just been added directly by iptables? I tried ufw reload but no cookie.
conanDrum (465 rep)
Jun 22, 2019, 07:59 AM • Last activity: Jun 22, 2019, 11:49 PM
6 votes
1 answers
4447 views
How to save only specific iptables chains?
I need to configure iptables on a Linux machine with running docker containers. If I save iptables rules with iptables-save > /etc/iptables/rules.v4, rules from all chains will be written to the file. But I want to save only the INPUT, OUTPUT and DOCKER-USER chains, and don't want the chains DOCKER, DOCKER-ISOLATION-STAGE-1, etc. to be saved, since they contain rules added by docker automatically, which will be irrelevant after reboot. As far as I know, iptables-save can save specific tables, but not specific chains. Currently I am considering combining iptables-save with grep to cut rules from unwanted chains. Is there any better way to achieve the same result?
Marat Safin (161 rep)
Jun 13, 2019, 03:08 PM • Last activity: Jun 13, 2019, 03:44 PM
1 votes
1 answers
3227 views
iptables-restore failed in Debian buster/sid if it has --multiport option in the rules file
I have a /etc/iptables/rule.v4 file containing many rules; below are the lines where I see the issue:
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 16384:32768 -j ACCEPT
When I tried to do iptables-restore it failed with the below error:
root@rs-dal:/etc/iptables# iptables-restore rules.q
iptables-restore v1.8.2 (nf_tables): multiport needs `-p tcp', `-p udp', `-p udplite', `-p sctp' or `-p dccp'
Error occurred at line: 26
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
root@rs-dal:/etc/iptables#
Why is it failing? The same rule had worked successfully on Debian Jessie. Also, when I changed the rules like below, it worked:
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 16384:32768 -j ACCEPT
I checked iptables -L and these rules were applied successfully as below:
ACCEPT     udp  --  anywhere             anywhere             udp dpts:16384:32768
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
Is the rule that I currently have valid syntax? Below are my OS details:
root@rs-dal:/etc/iptables# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux buster/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Karthik (189 rep)
Mar 22, 2019, 02:42 PM • Last activity: Mar 22, 2019, 08:12 PM
0 votes
1 answers
1220 views
iptables: what happen after a reboot?
Installing NCPA for Nagios, I found these instructions:
iptables -I INPUT -p tcp --destination-port 5693 -j ACCEPT
apt-get install -y iptables-persistent
Answer yes to saving existing rules.
Of course, I cannot save ALL of the ruleset, because I am using fail2ban and actually my iptables ruleset is veeeery big. I'd like to persist only
iptables -I INPUT -p tcp --destination-port 5693 -j ACCEPT
Is it possible? Is it still really needed to use iptables-persistent to keep firewall rules? I have a doubt because I am using port 80 and a few others without any problems after system reboots... So, when I reboot the system, will iptables normally reset all rules? If yes, why? If no... wel...
realtebo (1035 rep)
Mar 15, 2019, 12:09 PM • Last activity: Mar 15, 2019, 12:31 PM
Showing page 1 of 20 total questions