Package: iptables-persistent
Severity: critical
Tags: security patch ipv6
Justification: root security hole
Dear Maintainer,
* What led up to the situation?
Running '/usr/sbin/netfilter-persistent save' from root's crontab.
* What was the outcome of this action?
A mail message from cron, explaining that 'iptables' could not be found.
* What outcome did you expect instead?
I expected a file to be written which contained the current iptables rules.
Unfortunately the result of this error left the iptables ruleset empty on
iptables-restore after a reboot today, hence the classification of this bug
as a security issue.
-- System Information:
Debian Release: 8.7
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
This isn't the system on which I installed netfilter-persistent, but
that's irrelevant - they're both up-to-date Debian Jessie on AMD.
PATCH - the same is needed for 25-ip6tables
--- 15-ip4tables~ 2016-01-02 21:18:13.000000000 +0000
+++ 15-ip4tables 2017-03-09 18:22:39.206872371 +0000
@@ -20,7 +20,7 @@
if [ ! -f /etc/iptables/rules.v4 ]; then
echo "Warning: skipping IPv4 (no rules to load)"
else
- iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+ /sbin/iptables-restore < /etc/iptables/rules.v4 2> /dev/null
if [ $? -ne 0 ]; then
rc=1
fi
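Review bot: The hardcoded `/sbin/iptables-restore` is called here without the `-x` guard that the save path has (`elif [ -x /sbin/iptables-save ]` later in the script), and `2> /dev/null` discards the one message ("iptables could not be found", per the cron mail above) that would explain a failure, so a missing or unresolvable binary still degrades to a bare `rc=1` while the kernel keeps whatever rules it already has (at boot, none). Suggest either testing `[ -x /sbin/iptables-restore ]` before the call and reporting the reason, or setting `PATH=/usr/sbin:/usr/bin:/sbin:/bin` once at the top of the plugin so the cron-environment problem is fixed in one place for both 15-ip4tables and 25-ip6tables. Since a failed restore leaves the host without its intended firewall rules, keeping iptables-restore's stderr so the failure is visible in the boot log is worth more than the quiet output.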
@@ -37,7 +37,7 @@
elif [ -x /sbin/iptables-save ]; then
touch /etc/iptables/rules.v4
chmod 0640 /etc/iptables/rules.v4
- iptables-save > /etc/iptables/rules.v4
+ /sbin/iptables-save > /etc/iptables/rules.v4
if [ $? -ne 0 ]; then
rc=1
fi
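Review bot: The absolute path fixes the mismatch between the guard and the command (this branch is entered only if `/sbin/iptables-save` is executable, yet the old line invoked a bare `iptables-save` that cron's minimal default PATH cannot resolve), but the ordering `touch`, `chmod 0640`, then `iptables-save > /etc/iptables/rules.v4` is still unsafe: the shell truncates rules.v4 when it opens the redirection, before the command runs, so any failure (command not found, as in this report, or a non-zero exit) leaves an empty rules file that the next boot restores as an empty ruleset, which is exactly the outcome the submitter describes. Suggest writing to a temporary file in the same directory and renaming only on success, e.g. `/sbin/iptables-save > /etc/iptables/rules.v4.tmp && mv /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4`, applying the `chmod 0640` to the temporary file before the rename. The diff also covers only 15-ip4tables; the identical change to 25-ip6tables mentioned in the submitter's note is not included.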