On 12/30/19 3:54 PM, Andrei POPESCU wrote:
> Please show us the full output of
>
> systemctl status YOUR_SERVICE_UNIT
root@test:~# systemctl status ipfilter
● ipfilter.service - packetFilter
   Loaded: loaded (/usr/lib/systemd/system/ipfilter.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-12-30 16:23:33 MST; 1min 41s ago
  Process: 393 ExecStart=/etc/ipfilterfiles/ipfilter.sh on (code=exited, status=0/SUCCESS)
  Process: 1520 ExecStop=/etc/ipfilterfiles/ipfilter.sh off (code=exited, status=0/SUCCESS)
 Main PID: 393 (code=exited, status=0/SUCCESS)

Dec 30 16:23:00 test ipfilter.sh[1520]: [ OK ] Saved HTTP_BLK to /etc/ipfilterfiles/savedHTTP_BLK.sh
Dec 30 16:23:00 test ipfilter.sh[1520]: [ OK ] Saved POP_BLK to /etc/ipfilterfiles/savedPOP_BLK.sh
Dec 30 16:23:00 test ipfilter.sh[1520]: [ OK ] Saved NTP_BLK to /etc/ipfilterfiles/savedNTP_BLK.sh
Dec 30 16:23:01 test ipfilter.sh[1520]: [ OK ] Saved SMTP_BLK to /etc/ipfilterfiles/savedSMTP_BLK.sh
Dec 30 16:23:01 test ipfilter.sh[1520]: [ OK ] Accepting all slsware
Dec 30 16:23:33 test root[1751]: packetFilter: off (ACCEPT all) at Mon 30 Dec 2019 04:23:33 PM MST
Dec 30 16:23:33 test ipfilter.sh[1520]: [ OK ] Accepting all input
Dec 30 16:23:33 test ipfilter.sh[1520]: [ OK ] Accepting and masquerading all routing
Dec 30 16:23:33 test ipfilter.sh[1520]: [ OK ] Accepting all output
Dec 30 16:23:33 test systemd[1]: ipfilter.service: Succeeded.

> immediately after boot and also explain what makes you think the service
> is not actually running.
root@test:~# pfil status
Running on host: test.slsware.net

--- FILTER table---
Chain INPUT (policy ACCEPT 3 packets, 108 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       58  5941 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
2        5   380 ACCEPT     all  --  *      *       216.17.134.0/24      0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 488 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       52  7719 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:22
2        5   380 ACCEPT     all  --  *      *       0.0.0.0/0            216.17.134.0/24

--- NAT table---
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

iptables.sh is a big shell script I use on all my computers. pfil (packet filter) is an alias to save a little typing. Those steps it goes through in the systemctl status command are some of the steps it goes through when I stop it by hand (pfil stop). This looks like it's been started, then immediately stopped.

The 'pfil status' displays the state of the iptables firewall. If it were running, there'd be many lines from 'pfil status' (attached if you're interested).

The service file:

root@test:/lib/systemd/system# cat /usr/lib/systemd/system/ipfilter.service
[Unit]
Description=packetFilter

[Service]
ExecStart=/etc/ipfilterfiles/ipfilter.sh on
ExecStop=/etc/ipfilterfiles/ipfilter.sh off

[Install]
WantedBy=multi-user.target

And how did that file get in /usr? When I wrote it, it was in /lib/systemd/system.

And this is all on the RPi4.

-- 
Glenn English
Turning it on:

root@test:/lib/systemd/system# pfil on
Running on host: test.slsware.net
Initializing the netfilter chains
[ OK ] Accepting all slsware
[ OK ] Netfilter chains initialized
Loading the netfilter chains for outside IP 216.17.134.204
[ OK ] TCP SMTP (25) on the local nets
[ OK ] TCP SMTP (25) from almost anywhere
[ OK ] TCP POP3 (110, 995) from anywhere
[ OK ] TCP IMAP (143, 993) from anywhere
[ OK ] UDP DCC (6277) from anywhere
[ OK ] TCP HTTP (80) from anywhere
[ OK ] TCP SSH (22) on the local nets
[ OK ] TCP FTP (21) from anywhere
[ OK ] TCP HTTPS (443) from anywhere
[ OK ] TCP RSYNC (873) on the local nets
[ OK ] TCP AUTH (113) on the local nets
[ OK ] TCP SMTP on port 537 from anywhere
[ OK ] UDP RIP-2 (520) on 224.0.0.9 -- the IANA assignment
[ OK ] UDP NTP (123) from anywhere
[ OK ] UDP TRACEROUTE (33434) from anywhere
[ OK ] UDP and TCP DNS (53) from anywhere
[ OK ] Netfilter chains loaded
Enabling the netfilter chains
[ OK ] Netfilter chains enabled
Starting other iptables daemons (if any)
Loading the saved BLK_CHAINS
[ OK ] reloaded from /etc/ipfilterfiles/savedIDS_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedDNS_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedFTP_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedHTTP_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedPOP_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedNTP_BLK.sh
[ OK ] reloaded from /etc/ipfilterfiles/savedSMTP_BLK.sh

Status from a running firewall:

root@test:/lib/systemd/system# pfil status
Running on host: test.slsware.net

--- FILTER table---
Chain INPUT (policy DROP 2 packets, 72 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      239 15373 ACCEPT     all  --  eth0   *       216.17.134.0/24      0.0.0.0/0
2        0     0 ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       216.17.134.204       0.0.0.0/0
4        0     0 DROP       47   --  *      *       0.0.0.0/0            0.0.0.0/0
5        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID reject-with icmp-port-unreachable
6        2    72 IDS_BLK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
8        0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0
9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
10       2    72 NUISANCES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
11       2    72 SPOOFQ     all  --  *      *       0.0.0.0/0            0.0.0.0/0
12       0     0 UDPIN      udp  --  *      *       0.0.0.0/0            0.0.0.0/0
13       0     0 TCPIN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
14       2    72 ICMP_CHK   icmp --  *      *       0.0.0.0/0            0.0.0.0/0
15       0     0 IGMP_CHK   2    --  *      *       0.0.0.0/0            0.0.0.0/0
16       0     0 DL_INPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0
17       0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Loaded Mon 30 Dec 2019 04:52:31 PM MST */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DL_FORWARD all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      258 28146 ACCEPT     all  --  *      eth0    0.0.0.0/0            216.17.134.0/24
2        0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.1
3        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID reject-with icmp-port-unreachable
4        2    72 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
5        0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0
6        7   532 UDPOUT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 TCPOUT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
8        0     0 ICMP_CHK   icmp --  *      *       0.0.0.0/0            0.0.0.0/0
9        0     0 IGMP_CHK   2    --  *      *       0.0.0.0/0            0.0.0.0/0
10       0     0 DL_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IDS_BLK (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        2    72 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain NUISANCES (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:12000:12050
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:12000:12050
3        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:50000:50100
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:50000:50100
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:10080
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10080
7        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3000
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3000
9        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5432
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432
11       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2703
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2703
13       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:33434
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:33434
15       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2601
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2601
17       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:1024:65535
18       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1024:65535
19       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23
20       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
21       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
22       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:137
23       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
24       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:138
25       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:139
26       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
27       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:427
28       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:427
29       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
30       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
31       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2222
32       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
33       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1433
34       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1433
35       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1434
36       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1434

Chain ICMP_CHK (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            224.0.0.0/4
2        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 5 reject-with icmp-port-unreachable
3        2    72 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IGMP_CHK (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SPOOFQ (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       216.17.134.0/24      0.0.0.0/0
2        0     0 ACCEPT     all  --  *      *       172.16.0.0/24        0.0.0.0/0
3        0     0 ACCEPT     all  --  *      *       10.0.0.0/8           0.0.0.0/0
4        0     0 DL_SPOOFQ  all  --  *      *       10.0.0.0/8           0.0.0.0/0
5        0     0 DL_SPOOFQ  all  --  *      *       172.16.0.0/12        0.0.0.0/0
6        0     0 DL_SPOOFQ  all  --  *      *       192.168.0.0/16       0.0.0.0/0
7        0     0 DL_SPOOFQ  all  --  *      *       127.0.0.0/8          0.0.0.0/0

Chain DL_SPOOFQ (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "pfil DL_SPOOFQ "
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain TCPIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       216.17.134.0/24      216.17.134.204       tcp spts:1024:65535 dpt:25
2        0     0 SMTP_BLK   tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:25
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:25
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spt:25 dpt:25
5        0     0 POP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:110
6        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:110
7        0     0 POP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:995
8        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:995
9        0     0 POP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:143
10       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:143
11       0     0 POP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:993
12       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:993
13       0     0 HTTP_BLK   tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:80
14       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:80
15       0     0 ACCEPT     tcp  --  *      *       216.17.134.0/24      216.17.134.204       tcp spts:1024:65535 dpt:22
16       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:22
17       0     0 FTP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:21
18       0     0 FTP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:990
19       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:21
20       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:990
21       0     0 FTP_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpts:12000:12050
22       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpts:12000:12050
23       0     0 HTTP_BLK   tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:443
24       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:443
25       0     0 ACCEPT     tcp  --  *      *       216.17.134.0/24      216.17.134.204       tcp spts:1024:65535 dpt:873
26       0     0 ACCEPT     tcp  --  *      *       216.17.134.0/24      216.17.134.204       tcp spts:1024:65535 dpt:113
27       0     0 SMTP_BLK   tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:537
28       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp spts:1024:65535 dpt:537
29       0     0 DNS_BLK    tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:53
30       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            216.17.134.204       tcp dpt:53

Chain TCPOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       216.17.134.204       0.0.0.0/0

Chain UDPIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp spts:1024:65535 dpt:6277
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.9            udp spt:520 dpt:520
3        0     0 NTP_BLK    udp  --  *      *       0.0.0.0/0            216.17.134.204       udp dpt:123
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp spts:1024:65535 dpt:123
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp spt:123 dpt:123
6        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp dpt:33434
7        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp spt:53 dpt:53
8        0     0 DNS_BLK    udp  --  *      *       0.0.0.0/0            216.17.134.204       udp dpt:53
9        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            216.17.134.204       udp spts:1024:65535 dpt:53
10       0     0 REJECT     udp  --  *      *       0.0.0.0/0            255.255.255.255      udp spt:68 dpt:67 reject-with icmp-port-unreachable

Chain UDPOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        7   532 ACCEPT     udp  --  *      *       216.17.134.204       0.0.0.0/0

Chain POP_BLK (4 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain SMTP_BLK (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain FTP_BLK (3 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain NTP_BLK (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain DNS_BLK (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain HTTP_BLK (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* INFO Saved 2019-12-30--04:30 PM */

Chain DL_INPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "pfil DL_INPUT "
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain DL_OUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "pfil DL_OUTPUT "
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain DL_FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "pfil DL_FORWARD "
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

--- NAT table---
Chain PREROUTING (policy ACCEPT 4 packets, 508 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 508 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 12 packets, 885 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 885 bytes)
num   pkts bytes target     prot opt in     out     source               destination
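An added example from the editor, not part of either message in the thread: the status output shows ExecStart (PID 393) exiting with status 0 and ExecStop (PID 1520) running right after it, which is what systemd does for a unit of the default Type=simple once its main process exits, so the rules are loaded and then unloaded at boot. The unit below keeps the same ExecStart/ExecStop paths from the message and adds the two directives that make systemd treat a rule-loading script that exits as still "active", so ExecStop runs only on an explicit stop.

```ini
[Unit]
Description=packetFilter

[Service]
# ipfilter.sh on loads the rules and exits; without these two lines systemd
# sees the main process gone, marks the unit inactive and runs ExecStop,
# which is "ipfilter.sh off".  oneshot + RemainAfterExit keeps the unit
# reported as "active (exited)" until it is stopped on purpose.
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/ipfilterfiles/ipfilter.sh on
ExecStop=/etc/ipfilterfiles/ipfilter.sh off

[Install]
WantedBy=multi-user.target
```

After editing run `systemctl daemon-reload` and restart the unit; `systemctl show ipfilter.service -p ActiveState -p SubState` should then report active/exited instead of inactive/dead, and `pfil status` should show the INPUT policy as DROP with the full chain set rather than the three ACCEPT chains seen above.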