:: Re: [DNG] Upgrade to Beowulf: iptab…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: fraser kendall
Date:  
À: dng
Sujet: Re: [DNG] Upgrade to Beowulf: iptables
On Mon, 20 Jul 2020 21:10:08 -0400
Hendrik Boom <hendrik@???> wrote:

> And did iptables work after the whole upgrade was finished?

Yes. My existing ruleset was replaced with the default (permissive)
ruleset; thus by definition, iptables worked as intended by the
developers. However, as a manual iptables-restore command was
required to restore the previous protective ruleset, my considered
answer is 'no'.
> Did it still work as you intended?

No. There is a warning that there are two rulesets in place, the
restored set (protective) and a second one, an 'iptables-legacy'
ruleset. Both rulesets are the same. Installation of the
iptables-persistent package installs rulesets from empty locations.

# apt-get update && apt-get install iptables-persistent

[...]
The following additional packages will be installed:
netfilter-persistent
The following NEW packages will be installed:
iptables-persistent netfilter-persistent
[...]
....TUI menu item offering to save existing ruleset but the [Yes] [No]
option has been disabled
[...]
Loading netfilter rules...run-parts:
executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Warning: skipping IPv4 (no rules to load)
run-parts:
executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Warning: skipping IPv6 (no rules to load)
done.

The debian wiki gives the following 2 commands for setting up
iptables-persistent which I understood to be required for the saved
rules to be loaded at boot

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

I have no confidence that installing iptables-persistent, will enforce
the protective ruleset on reboot. I have added four lines to the
eth0 entry in /etc/network/interfaces

pre-up iptables-restore < /etc/network/iptables.rules
pre-up ip6tables-restore < /etc/network/ip6tables.rules
pre-up iptables -L
pre-up ip6tables -L

Issuing #ifdown eth0 && ifup eth0
confirms that they should be. However, this is a workaround.

We are offered an option to preserve existing versions of several files
during an upgrade that tries to replace them. The option is
therefore readily available to avoid replacing an existing
iptables* ruleset. Another option might be to deploy iptables-apply to
rollback any changes to an existing ruleset by default (i.e. in the
absence of confirmation) as part of the upgrade.

Best wishes

fraser