Hello

I was able to reproduce your problem by setting iptables rules with
hostnames in them (as netfilter-persistent runs before the network is up,
it can't resolve them).

If that is not the problem, can you please edit
/usr/share/netfilter-persistent/plugins.d/15-ip4tables and change line
#23 to make it look like this:

/sbin/iptables-restore --verbose < /etc/iptables/rules.v4

You can see the output by running this command:
journalctl -u netfilter-persistent.service

Please send the log to this bug.

In cases like this one, I'm not sure how to resolve the issue. I really
think the firewall rules should run before the network interfaces are up
(I used to do pre-up iptables-restore in the past)


thanks

On Sat, Jul 15, 2017 at 12:12:34PM +0200, tmp...@dmus.eu wrote:
Hi!

Can you show your rules?

Sure.

##########

*filter

# Default policies
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop spoofed packets
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ICMP
-A INPUT -p icmp -j ACCEPT

# Applications
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

##########

*filter

# Default policies
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Drop spoofed packets
-A INPUT ! -i lo -s ::1 -j DROP
-A INPUT ! -i lo -d ::1 -j DROP

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept ICMPv6
-A INPUT -p icmpv6 -j ACCEPT

# Applications
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

COMMIT

##########

do you have a custom kernel?

No, both machines are pretty boring. They have separate /var (nodev),
/tmp (nodev,nosuid), and /home (nodev) partitions; otherwise, they
have pretty generic Debian installations, one of them running under
KVM, the other one running on bare metal.

Can you run `lsmod` when the restore fails and when it works?

Can't do that when it fails because it only fails during boot.

When it works:

##########

Module                  Size  Used by
nf_conntrack_ipv4      16384  1
xt_tcpudp              16384  6
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nf_conntrack_ipv6      20480  1
nf_defrag_ipv6         36864  1 nf_conntrack_ipv6
xt_conntrack           16384  2
nf_conntrack          114688  3 nf_conntrack_ipv6,nf_conntrack_ipv4,xt_conntrack
ip6table_filter        16384  1
ip6_tables             28672  1 ip6table_filter
iptable_filter         16384  1
sb_edac                24576  0
edac_core              57344  1 sb_edac
crct10dif_pclmul       16384  0
crc32_pclmul           16384  0
cirrus                 24576  1
ghash_clmulni_intel    16384  0
ttm                    98304  1 cirrus
drm_kms_helper        155648  1 cirrus
drm                   360448  4 cirrus,ttm,drm_kms_helper
sg                     32768  0
ppdev                  20480  0
virtio_balloon         16384  0
evdev                  24576  3
serio_raw              16384  0
pcspkr                 16384  0
joydev                 20480  0
parport_pc             28672  0
parport                49152  2 parport_pc,ppdev
acpi_cpufreq           20480  0
button                 16384  0
ip_tables              24576  1 iptable_filter
x_tables               36864  6 ip_tables,iptable_filter,xt_tcpudp,ip6table_filter,xt_conntrack,ip6_tables
autofs4                40960  2
ext4                  585728  4
crc16                  16384  1 ext4
jbd2                  106496  1 ext4
crc32c_generic         16384  0
fscrypto               28672  1 ext4
ecb                    16384  0
mbcache                16384  5 ext4
hid_generic            16384  0
usbhid                 53248  0
hid                   122880  2 hid_generic,usbhid
sr_mod                 24576  0
cdrom                  61440  1 sr_mod
sd_mod                 45056  6
ata_generic            16384  0
virtio_scsi            20480  5
crc32c_intel           24576  0
aesni_intel           167936  1
ata_piix               36864  0
aes_x86_64             20480  1 aesni_intel
glue_helper            16384  1 aesni_intel
lrw                    16384  1 aesni_intel
gf128mul               16384  1 lrw
ablk_helper            16384  1 aesni_intel
cryptd                 24576  3 ablk_helper,ghash_clmulni_intel,aesni_intel
libata                249856  2 ata_piix,ata_generic
psmouse               135168  0
floppy                 69632  0
scsi_mod              225280  5 sd_mod,virtio_scsi,libata,sr_mod,sg
uhci_hcd               45056  0
ehci_hcd               81920  0
virtio_pci             24576  0
virtio_ring            24576  3 virtio_scsi,virtio_balloon,virtio_pci
i2c_piix4              24576  0
virtio                 16384  3 virtio_scsi,virtio_balloon,virtio_pci
e1000                 143360  0
usbcore               249856  3 usbhid,ehci_hcd,uhci_hcd
usb_common             16384  1 usbcore

##########

Regarding your last paragraph, rules can be created before the interface
is up, or even present.

Okay. I'm just trying to understand what has changed between jessie and stretch.

(Right now, I'm using an /etc/network/if-pre-up.d/iptables script
instead of netfilter-persistent; this works smoothly. Still, if
netfilter-persistent exists, I think it should work as intended.)

Best,
David

--
IRC: gfa
GPG: 0X44BB1BA79F6C6333

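Added example (not part of this thread or of netfilter-persistent): a small check for the failure mode gfa describes, flagging -s/-d arguments in a rules file that iptables-restore would have to resolve through DNS before the network is up. It assumes a file in the iptables-save format shown above and only inspects source/destination matches; the sample rules and the hostname in them are constructed.

```python
import ipaddress
import shlex

# Options whose argument must be resolved by iptables-restore when it is not an
# address literal. Assumption: only source/destination matches are checked.
ADDRESS_OPTIONS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

def is_address_literal(token):
    """True if token is an IPv4/IPv6 address or CIDR (no DNS lookup needed)."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_hostname_rules(rules_text):
    """Return (line_number, token, rule) for each -s/-d argument that is not an
    address literal, i.e. one that would need DNS while restoring at boot."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        rule = line.strip()
        # Blank lines, comments, table headers (*filter), chain policies
        # (:INPUT DROP) and COMMIT carry no addresses.
        if not rule or rule[0] in "#*:" or rule == "COMMIT":
            continue
        tokens = shlex.split(rule)
        for i, tok in enumerate(tokens):
            if tok not in ADDRESS_OPTIONS:
                continue
            j = i + 1
            if j < len(tokens) and tokens[j] == "!":  # old "-s ! addr" syntax
                j += 1
            if j >= len(tokens):
                continue
            for addr in tokens[j].split(","):  # iptables allows address lists
                if not is_address_literal(addr):
                    findings.append((lineno, addr, rule))
    return findings

# Constructed sample in the thread's rules.v4 style, plus one hostname rule.
SAMPLE_RULES = """\
*filter
:INPUT DROP
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/8,172.16.0.0/12 -j DROP
-A INPUT -p tcp -s backup.example.invalid --dport 22 -j ACCEPT
COMMIT
"""
```

Run it over /etc/iptables/rules.v4 and rules.v6 before relying on netfilter-persistent at boot: if iptables-restore aborts, nothing from that file is committed and the host comes up with the empty default tables.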