1

Topic: iptables fails

I've tested this on a few boxes and always get the same thing when starting iptables.

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle filter             [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 44 failed    [FAILED]


Here is the iptables config that iRedMail sets up.

#
# Sample iptables rules. It should be located at:
#   /etc/sysconfig/iptables
#
# Shipped within iRedMail project:
#   * http://iRedMail.googlecode.com/
#

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh
-A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# http/https
#-A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT

# smtp/smtps
#-A INPUT -p tcp -m multiport --dport 25,465 -j ACCEPT

# pop3/pop3s
#-A INPUT -p tcp -m multiport --dport 110,995 -j ACCEPT

# imap/imaps
#-A INPUT -p tcp -m multiport --dport 143,993 -j ACCEPT

# ldap/ldaps
#-A INPUT -p tcp -m multiport --dport 389,636 -j ACCEPT

# ftp.
#-A INPUT -p tcp -m multiport --dport 21,20 -j ACCEPT

# ssh
#-A INPUT -p tcp --dport 22 -j ACCEPT

COMMIT

2

Re: iptables fails

Which Linux distribution and what version of iRedMail do you use?

3

Re: iptables fails

Stable version (0.4.0)
CentOS 5

4

Re: iptables fails

No issue here.

Did you modify it yourself?

5

Re: iptables fails

Nope. It does it on two fresh builds. I first saw it when the iRedMail script asked if I wanted to update iptables [Y/n] (or something like that). So after the script finished I rebooted and sure enough... same error.

6

Re: iptables fails

< Question > Would you like to use iptables rules shipped within iRedMail now?
< Question > File: /etc/sysconfig/iptables. [Y|n]y
< INFO > Copy iptables sample rules: /etc/sysconfig/iptables.
< Question > Restart iptables now? [y|N]y
< INFO > Restarting iptables.
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: mangle filter             [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules: iptables-restore: line 44 failed     [FAILED]

7

Re: iptables fails

Can iptables start after you reboot the system?

8

Re: iptables fails

Nope. I reboot and then run /etc/init.d/iptables restart and get the error in the first post.

9

Re: iptables fails

Does CentOS use Bash? I never used CentOS so I don't know ... well, if it does use Bash then try putting

#!/bin/bash -x

in the first line, which will show you every line executed as netfilter gets to see it. Error messages are usually not prepended with a + at the beginning of the line.

10

Re: iptables fails

Suno Ano wrote:

Does CentOS use Bash?

Yes.

It's strange, we haven't received any issue about iptables before, and I can't find out why.

Could you please try to debug it yourself?

11

Re: iptables fails

ZhangHuangbin wrote:
Suno Ano wrote:

Does CentOS use Bash?

Yes.

It's strange, we haven't received any issue about iptables before, and I can't find out why.

Could you please try to debug it yourself?


Actually, I see other people have had this issue too, but the site is in another language that I can't read.

I'll keep working on it.

12

Re: iptables fails

What did the run with #!/bin/bash -x return?

13

Re: iptables fails

testbot wrote:

Actually, I see other people have had this issue too, but the site is in another language that I can't read.

Could you please share the link?

14

Re: iptables fails

I translated it using Google and it's no help (http://www.google.com/url?sa=t&sour … 9GN_Y02qCQ).


The problem is this line:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

When I try to add that using iptables I get the following:
#>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: Unknown error 4294967295

15

Re: iptables fails

Oh crap! I forgot to mention I'm using an OpenVZ kernel. It doesn't load ipt_state. I'll try to get it sorted later.

16 (edited by Suno Ano 2009-06-29 01:19:19)

Re: iptables fails

Well, I am a heavy OpenVZ user as well. I do all the firewalling on the HN (Hardware Node) and not within VEs (Virtual Environments). In other words, the VEs are protected from the HN and thus do not need firewalling themselves.

In order to do so, I use a script called packet_filter on the HN ... see http://sunoano.name/ws/public_xhtml/fir … is_applied

However, if for some reason, you need/want to also do firewalling within VEs, http://wiki.openvz.org/Setting_up_an_iptables_firewall might be worth a look (see bottom of that page).


Bottom Line:
The way I see it, the easiest solution for iRedMail would be to determine if it is going to be installed within an OpenVZ environment or not, and then act accordingly, e.g. maybe disabling that portion of the iptables rules that causes the issue. Bottom line is, this is no iRedMail issue but rather an OpenVZ specific problem.

17

Re: iptables fails

Steps to resolve this issue when running iRedMail on OpenVZ:

ssh into the OpenVZ host
edit vz.conf
#Reference:
vi /etc/vz/vz.conf

add ipt_state & ip_conntrack to IPTABLES=
#Reference:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_conntrack"

exit ssh

ssh into OpenVZ client machine
vi /etc/sysconfig/iptables-config
change IPTABLES_MODULES="" to #IPTABLES_MODULES=""
copy attached script to /opt/scripts/
sh /opt/scripts/firewallset.sh

done
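Counting the lines of the sample /etc/sysconfig/iptables posted in the first message, line 44 is the COMMIT line. That is not a coincidence: legacy iptables-restore hands a whole table to the kernel at COMMIT, so a rule the kernel rejects (here the -m state rule, because the VE could not use ipt_state/ip_conntrack) is reported against COMMIT rather than against the rule itself. The script below is an added diagnostic written for this thread, not iRedMail or OpenVZ code: it reads a rules file, lists the legacy netfilter modules the active rules need, and compares that list against the IPTABLES= line of a vz.conf, so the missing modules can be found before touching the container. The rules and vz.conf lines it runs on are constructed copies of what appears in this thread, and the rule-to-module mapping is an assumption limited to the module names that appear here.

```shell
#!/bin/sh
# Added diagnostic for the OpenVZ case in this thread; not iRedMail or OpenVZ code.
# Answers two questions offline: which legacy netfilter modules does a rules file
# need, and which of those are missing from IPTABLES= in /etc/vz/vz.conf?

# Constructed copy of the active rules from the iRedMail sample file, plus one
# constructed commented-out rule that must not count (it would need ipt_limit/ipt_REJECT).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Commented out on purpose (constructed):
#-A INPUT -p tcp --dport 22 -m limit --limit 3/min -j REJECT
COMMIT'

# Constructed IPTABLES= lines: the list without ipt_state/ip_conntrack, and the
# list post 17 puts into /etc/vz/vz.conf.
VZCONF_BEFORE='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"'
VZCONF_AFTER='IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state ip_conntrack"'

# Line number of the first COMMIT in a rules file: the line iptables-restore
# blames when the kernel rejects any rule of that table.
commit_line() {
  grep -n '^COMMIT' "$1" | head -n 1 | cut -d: -f1
}

# Modules the active rules need, one per line, sorted in the C locale for a
# stable order. Mapping covers only names seen in this thread (assumption).
needed_modules() {
  active=$(grep -v '^[[:space:]]*#' "$1")   # drop commented-out rules
  {
    printf '%s\n' "$active" | grep -q '^\*filter'       && echo iptable_filter
    printf '%s\n' "$active" | grep -q '^\*mangle'       && echo iptable_mangle
    printf '%s\n' "$active" | grep -q -- '-m state'     && printf 'ipt_state\nip_conntrack\n'
    printf '%s\n' "$active" | grep -q -- '-m multiport' && echo ipt_multiport
    printf '%s\n' "$active" | grep -q -- '-m limit'     && echo ipt_limit
    printf '%s\n' "$active" | grep -q -- '-j REJECT'    && echo ipt_REJECT
    true
  } | LC_ALL=C sort -u
}

# Needed modules that the IPTABLES= line in a vz.conf does not grant to the VE.
missing_modules() {
  allowed=$(sed -n 's/^IPTABLES="\(.*\)"/\1/p' "$2")
  for mod in $(needed_modules "$1"); do
    case " $allowed " in
      *" $mod "*) ;;        # granted to the container
      *) echo "$mod" ;;     # the rule needing it fails at COMMIT
    esac
  done
}

# Stand-alone run against the constructed inputs.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES"  > "$demo_dir/iptables"
printf '%s\n' "$VZCONF_BEFORE" > "$demo_dir/vz.conf.before"
printf '%s\n' "$VZCONF_AFTER"  > "$demo_dir/vz.conf.after"
echo "COMMIT is line $(commit_line "$demo_dir/iptables")"
echo "Missing before the vz.conf change: $(missing_modules "$demo_dir/iptables" "$demo_dir/vz.conf.before" | tr '\n' ' ')"
echo "Missing after the vz.conf change:  $(missing_modules "$demo_dir/iptables" "$demo_dir/vz.conf.after" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

On a real host, point missing_modules at the container's /etc/sysconfig/iptables and the HN's /etc/vz/vz.conf; an empty result means the vz.conf change from the steps above is in place for every match and target the ruleset uses.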

18

Re: iptables fails

Attached script? I am not blind, am I? :)

19 (edited by testbot 2009-07-14 08:27:26)

Re: iptables fails

Hmm... it didn't attach for some reason. Oh well, here it is. I put this in a script because if someone is using PuTTY or something like that and you try to paste iptables commands from a clipboard you can lock yourself out of your own box. Not sure if that's a bug or not. If someone is using OpenVZ and that happens they can go into the host box and turn iptables off on the client box.

I think it's safest if someone makes a script vi style or something to run these if they're using ssh and don't want to type all of the following.

Edit: removed all of the chains before applying new rules. Errors for nat are common.

Create a file using vi
#>vi ./setfirewallrules.sh
Copy the following into the file
Make it executable
#>chmod +x ./setfirewallrules.sh
Run
#>./setfirewallrules.sh

#!/bin/bash
# Flush every chain in filter, nat and mangle, then apply the iRedMail rules and
# save them so /etc/init.d/iptables restores them on the next restart.
echo "Stopping and flushing firewall..."
iptables -F
iptables -X
# The nat table is often unavailable inside an OpenVZ VE; errors here are expected.
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
echo "Setting new rules..."
# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Keep state (needs ipt_state/ip_conntrack granted to the VE in /etc/vz/vz.conf).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, submission, ssh
iptables -A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,465,22 -j ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
echo "Saving iptables..."
/etc/init.d/iptables save
echo "Restarting.."
/etc/init.d/iptables restart