Hi!

> Can you show your rules?

Sure.

##########
*filter

# Default policies
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop spoofed packets
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP
-A INPUT -p icmp -j ACCEPT

# Applications
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT
##########

##########
*filter

# Default policies
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop spoofed packets
-A INPUT ! -i lo -s ::1 -j DROP
-A INPUT ! -i lo -d ::1 -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ICMPv6
-A INPUT -p icmpv6 -j ACCEPT

# Applications
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT
##########

> do you have a custom kernel?

No, both machines are pretty boring. They have separate /var (nodev), /tmp (nodev,nosuid), and /home (nodev) partitions; otherwise, they have pretty generic Debian installations, one of them running under KVM, the other one running on bare metal.

> Can you run `lsmod` when the restore fails and when it works?

Can't do that when it fails because it only fails during boot.
When it works:

##########
Module                  Size  Used by
nf_conntrack_ipv4      16384  1
xt_tcpudp              16384  6
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack_ipv6      20480  1
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
xt_conntrack           16384  2
nf_conntrack          114688  3 nf_conntrack_ipv6,nf_conntrack_ipv4,xt_conntrack
ip6table_filter        16384  1
ip6_tables             28672  1 ip6table_filter
iptable_filter         16384  1
sb_edac                24576  0
edac_core              57344  1 sb_edac
crct10dif_pclmul       16384  0
crc32_pclmul           16384  0
cirrus                 24576  1
ghash_clmulni_intel    16384  0
ttm                    98304  1 cirrus
drm_kms_helper        155648  1 cirrus
drm                   360448  4 cirrus,ttm,drm_kms_helper
sg                     32768  0
ppdev                  20480  0
virtio_balloon         16384  0
evdev                  24576  3
serio_raw              16384  0
pcspkr                 16384  0
joydev                 20480  0
parport_pc             28672  0
parport                49152  2 parport_pc,ppdev
acpi_cpufreq           20480  0
button                 16384  0
ip_tables              24576  1 iptable_filter
x_tables               36864  6 ip_tables,iptable_filter,xt_tcpudp,ip6table_filter,xt_conntrack,ip6_tables
autofs4                40960  2
ext4                  585728  4
crc16                  16384  1 ext4
jbd2                  106496  1 ext4
crc32c_generic         16384  0
fscrypto               28672  1 ext4
ecb                    16384  0
mbcache                16384  5 ext4
hid_generic            16384  0
usbhid                 53248  0
hid                   122880  2 hid_generic,usbhid
sr_mod                 24576  0
cdrom                  61440  1 sr_mod
sd_mod                 45056  6
ata_generic            16384  0
virtio_scsi            20480  5
crc32c_intel           24576  0
aesni_intel           167936  1
ata_piix               36864  0
aes_x86_64             20480  1 aesni_intel
glue_helper            16384  1 aesni_intel
lrw                    16384  1 aesni_intel
gf128mul               16384  1 lrw
ablk_helper            16384  1 aesni_intel
cryptd                 24576  3 ablk_helper,ghash_clmulni_intel,aesni_intel
libata                249856  2 ata_piix,ata_generic
psmouse               135168  0
floppy                 69632  0
scsi_mod              225280  5 sd_mod,virtio_scsi,libata,sr_mod,sg
uhci_hcd               45056  0
ehci_hcd               81920  0
virtio_pci             24576  0
virtio_ring            24576  3 virtio_scsi,virtio_balloon,virtio_pci
i2c_piix4              24576  0
virtio                 16384  3 virtio_scsi,virtio_balloon,virtio_pci
e1000                 143360  0
usbcore               249856  3 usbhid,ehci_hcd,uhci_hcd
usb_common             16384  1 usbcore
##########

> Regarding your last paragraph, rules can be created before the interface
> is up, or even present.

Okay.
I'm just trying to understand what has changed between jessie and stretch. (Right now, I'm using an /etc/network/if-pre-up.d/iptables script instead of netfilter-persistent; this works smoothly. Still, if netfilter-persistent exists, I think it should work as intended.)

Best,
David
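The rules files quoted in the message are in the text format that iptables-restore and ip6tables-restore consume, and a file that the restore rejects at boot leaves the host with no filter loaded. The following is an added example for this page, not code from the original message, from netfilter-persistent or from Debian: a small offline linter that parses that format and reports the properties a reviewer would check before trusting the file (default policies, an ESTABLISHED,RELATED accept, unconditional accepts, the set of accepted ports). RULES_V4 is the IPv4 ruleset from the message with its comments dropped; RULES_WEAK is a constructed permissive file used to show what a finding looks like. The parser only approximates what iptables-restore accepts; the authoritative syntax check remains `iptables-restore --test < /etc/iptables/rules.v4`.

```python
import shlex
from dataclasses import dataclass, field

# Constructed sample: the IPv4 rules quoted in the thread, comments dropped.
RULES_V4 = """\
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed counter-example (not from the thread): a permissive file the audit should flag.
RULES_WEAK = """\
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: list = field(default_factory=list)     # token lists, in file order


def parse_ruleset(text):
    """Parse iptables-save style text into {table_name: Table}; ValueError if malformed."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = Table(line[1:])
            tables[current.name] = current
        elif current is None:
            raise ValueError(f"line {lineno}: content outside a *table block")
        elif line.startswith(":"):
            # ':INPUT DROP' in a hand-written file, ':INPUT DROP [0:0]' from iptables-save
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line == "COMMIT":
            current = None
        elif line.startswith("-A "):
            current.rules.append(shlex.split(line))
        else:
            raise ValueError(f"line {lineno}: unrecognised line {raw!r}")
    if current is not None:
        raise ValueError(f"table *{current.name} is not terminated by COMMIT")
    return tables


def syntax_error(text):
    """Reason this parser rejects the file, or '' if it parses cleanly."""
    try:
        parse_ruleset(text)
        return ""
    except ValueError as err:
        return str(err)


def _opt(tokens, name):
    """Value following option `name` in one rule, or None if absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None


def accepted_ports(table, chain="INPUT"):
    """(protocol, port) pairs the chain accepts via --dport, in rule order."""
    return [(_opt(r, "-p"), int(_opt(r, "--dport"))) for r in table.rules
            if r[1] == chain and _opt(r, "-j") == "ACCEPT" and _opt(r, "--dport")]


def audit_filter(table):
    """Findings for a filter table; an empty list means nothing to report."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if table.policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {table.policies.get(chain)}, expected DROP")
    inbound = [r for r in table.rules if r[1] == "INPUT"]
    # A rule that is exactly '-A INPUT -j ACCEPT' matches everything (first match wins).
    if any(_opt(r, "-j") == "ACCEPT" and len(r) == 4 for r in inbound):
        findings.append("INPUT contains an unconditional ACCEPT")
    states = [_opt(r, "--state") or _opt(r, "--ctstate") or ""
              for r in inbound if _opt(r, "-j") == "ACCEPT"]
    if not any("ESTABLISHED" in s for s in states):
        findings.append("INPUT never accepts ESTABLISHED,RELATED; replies to outbound traffic are dropped")
    return findings
```

To check a real file, pass the contents of /etc/iptables/rules.v4 or rules.v6 (the files netfilter-persistent's iptables plugin reads) to `parse_ruleset` and hand the `filter` table to `audit_filter`; on the ruleset from the message the audit returns no findings and `accepted_ports` lists tcp 22, 80 and 443, while the constructed weak file produces four findings.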