Re: [Dorset] Making iptables Entries Persistent
On Monday, 20 July 2020 09:28:12 BST Ralph Corderoy wrote:
> ping(8) sends an ICMP ECHO packet. ssh(1) establishes a TCP connection. They're both network protocols, but different ones; see /etc/protocols for their numbers.
>
> Something was hindering the ECHO packet round trip.

I think we knew what that something was, but I didn't know exactly why. The device that wouldn't accept the ping is the Webserver running the nodogsplash Captive Portal software, which installs a couple of screenfuls of iptables rules. The conclusion was that it was one or more of these rules that were preventing the pings from responding.

As I said, I don't think that being unable to ping that device is too much of a hardship if everything else works.

-- 
Terry Coles

-- 
Next meeting: Online, Jitsi, Tuesday, 2020-08-04 20:00
Check to whom you are replying
Meetings, mailing list, IRC, ... http://dorset.lug.org.uk
New thread, don't hijack: mailto:dorset@mailman.lug.org.uk
Re: [Dorset] Making iptables Entries Persistent
Hi Terry,

> The solution was put forward to allow a particular device to be pinged when logged into the network using the VPN solution. For some reason it refuses pings even though it can be accessed using ssh once the VPN connection has been made.

ping(8) sends an ICMP ECHO packet. ssh(1) establishes a TCP connection. They're both network protocols, but different ones; see /etc/protocols for their numbers.

Something was hindering the ECHO packet round trip.

-- 
Cheers, Ralph.
Re: [Dorset] Making iptables Entries Persistent
On Monday, 20 July 2020 09:05:31 BST Ralph Corderoy wrote:
>> Is there a right way?
>
> Go with what's simplest which is correct and suffices. :-)

Thanks for all the responses; I've learned a lot.

As it happens, this query has now been overtaken by events. The solution was put forward to allow a particular device to be pinged when logged into the network using the VPN solution. For some reason it refuses pings even though it can be accessed using ssh once the VPN connection has been made. Adding this particular iptables rule allowed the ping to work but unfortunately prevented login to some other devices ;-(

Since the system works OK apart from this one issue, I decided that 'good enough is good enough' and decided to save what little grey hair I have left by living with it. I'll have to document the drop-off somehow, so that it doesn't confuse someone in the future, but I feel that is the best way forward.

-- 
Terry Coles
Re: [Dorset] Making iptables Entries Persistent
Hi Terry,

> throws up the idea of using iptables-save/iptables-restore but also iptables-persistent.

To add to what others have said, iptables-persistent looks like a wrapper around iptables-{save,restore}.
https://salsa.debian.org/debian/iptables-persistent/-/blob/debian/plugins/15-ip4tables

> Is there a right way?

Go with what's simplest which is correct and suffices. :-)

-- 
Cheers, Ralph.
Re: [Dorset] Making iptables Entries Persistent
On 19/07/2020 20:10, Patrick Wigmore wrote:
> On Sat, 18 Jul 2020 18:17:38 +0100, Terry Coles wrote:
>> Hi,
>>
>> It has been suggested that I add an iptables rule into some devices and make it persistent by adding the rule to /etc/rc.local.
>>
>> I naively thought that iptables rules were persistent, but a quick google throws up the idea of using iptables-save/iptables-restore but also iptables-persistent.
>>
>> Is there a right way?
>
> I wanted to know the answer to this a while ago, and I concluded that it doesn't matter enormously. As far as I could tell, it's a bring-your-own-persistence party and there is no one best way of doing it.
>
> It seems as though iptables-based firewall utilities are as numerous as text editors and desktop environments.
>
> Fundamentally, you've just got to make sure that, at some sensible moment during start-up, some commands; none in particular; will get run that will create the rule for you. iptables-restore is one way to do that, which might be helpful, so is iptables-persistent. Or, you could just as well run the commands that you originally used to create the rule.
>
> My solution was to write an init script that created my iptables rules, with the rules I wanted hard-coded into the script in a manner that was easily-editable. I thought that was a relatively neat way of doing it, but it's certainly not the only way. I might not have done it that way if I only wanted to load one simple rule.
>
> (For systemd, I suppose you would write a systemd unit instead.)
>
> If you were going to invest a lot of time in writing rules or scripts, nftables might be more futureproof than iptables. But for quick, simple rules, I wouldn't worry about that too much.
>
> Patrick

Sounds interesting :)

For my laptop and desktop I use Gufw, a GUI frontend for Ufw "Uncomplicated FireWall", which is itself based on iptables IIRC.

But I guess the Pis don't run GUIs, so using Gufw would probably not be ideal (also the interface is rather unintuitive).

Hamish
Re: [Dorset] Making iptables Entries Persistent
On Sat, 18 Jul 2020 18:17:38 +0100, Terry Coles wrote:
> Hi,
>
> It has been suggested that I add an iptables rule into some devices and make it persistent by adding the rule to /etc/rc.local.
>
> I naively thought that iptables rules were persistent, but a quick google throws up the idea of using iptables-save/iptables-restore but also iptables-persistent.
>
> Is there a right way?

I wanted to know the answer to this a while ago, and I concluded that it doesn't matter enormously. As far as I could tell, it's a bring-your-own-persistence party and there is no one best way of doing it.

It seems as though iptables-based firewall utilities are as numerous as text editors and desktop environments.

Fundamentally, you've just got to make sure that, at some sensible moment during start-up, some commands; none in particular; will get run that will create the rule for you. iptables-restore is one way to do that, which might be helpful, so is iptables-persistent. Or, you could just as well run the commands that you originally used to create the rule.

My solution was to write an init script that created my iptables rules, with the rules I wanted hard-coded into the script in a manner that was easily-editable. I thought that was a relatively neat way of doing it, but it's certainly not the only way. I might not have done it that way if I only wanted to load one simple rule.

(For systemd, I suppose you would write a systemd unit instead.)

If you were going to invest a lot of time in writing rules or scripts, nftables might be more futureproof than iptables. But for quick, simple rules, I wouldn't worry about that too much.

Patrick
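Patrick's point that any start-up hook will do as long as it recreates the rules, and Ralph's note elsewhere in the thread that iptables-persistent is a wrapper around iptables-save/iptables-restore, both come down to one file in iptables-save format being loaded at boot. The script below is an added example, not code from the thread or from iptables-persistent: it renders such a file (including the ICMP echo-request ACCEPT that ssh reachability does not imply), sanity-checks it as text before anything touches the kernel, and shows the restore call a rc.local line, init script or oneshot systemd unit would run. The VPN subnet 10.8.0.0/24 is a constructed placeholder; /etc/iptables/rules.v4 is the path the Debian iptables-persistent plugin restores.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore-format
# ruleset, check it textually, and restore it from a boot-time hook.
VPN_NET="10.8.0.0/24"                # constructed placeholder VPN subnet
RULES_FILE="/etc/iptables/rules.v4"  # file iptables-persistent's 15-ip4tables plugin restores

# Emit rules in the format iptables-save writes and iptables-restore reads.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
# ssh (TCP/22) working says nothing about ping: ICMP echo-request is a
# different protocol and needs its own ACCEPT, or the host stays unpingable.
-A INPUT -s $VPN_NET -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Textual sanity check: every table header is closed by exactly one COMMIT,
# and every line is a table, chain policy, rule, comment, COMMIT or blank.
check_rules() {
    file="$1"
    tables=$(grep -c '^\*' "$file" || true)
    commits=$(grep -c '^COMMIT$' "$file" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    grep -qvE '^(\*[a-z]+|:[A-Za-z_-]+ [A-Z-]+ \[[0-9]+:[0-9]+\]|-A .*|#.*|COMMIT|)$' "$file" \
        && return 1
    return 0
}

# Write the ruleset to a file and validate it; non-zero exit on a bad file.
save_rules() {
    render_rules > "$1" && check_rules "$1"
}

# Boot-time restore, as called from /etc/rc.local, an init script, or the
# ExecStart of a oneshot systemd unit. --test parses without committing,
# so a broken file is rejected before the live ruleset is replaced.
restore_rules() {
    iptables-restore --test "$1" && iptables-restore "$1"
}

# Stand-alone usage (root needed for the restore step):
#   save_rules "$RULES_FILE" && restore_rules "$RULES_FILE"
```
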
Re: [Dorset] Making iptables Entries Persistent
On 18/07/2020 18:17, Terry Coles wrote:
> Hi,
>
> It has been suggested that I add an iptables rule into some devices and make it persistent by adding the rule to /etc/rc.local.
>
> I naively thought that iptables rules were persistent, but a quick google throws up the idea of using iptables-save/iptables-restore but also iptables-persistent.
>
> Is there a right way?

Hi Terry,

I've personally used the iptables-save/iptables-restore method and see it used more often, but I have no idea whether it's been/being replaced with iptables-persistent. Perhaps either is suitable? Someone who knows more than me can probably provide a better answer.

Hamish
[Dorset] Making iptables Entries Persistent
Hi,

It has been suggested that I add an iptables rule into some devices and make it persistent by adding the rule to /etc/rc.local.

I naively thought that iptables rules were persistent, but a quick google throws up the idea of using iptables-save/iptables-restore but also iptables-persistent.

Is there a right way?

-- 
Terry Coles