On Mon, 20 Jul 2020 21:10:08 -0400 Hendrik Boom <hend...@topoi.pooq.com> wrote:
> And did iptables work after the whole upgrade was finished?

Yes. My existing ruleset was replaced with the default (permissive) ruleset; thus by definition, iptables worked as intended by the developers. However, as a manual iptables-restore command was required to restore the previous protective ruleset, my considered answer is 'no'.

> Did it still work as you intended?

No. There is a warning that there are two rulesets in place, the restored set (protective) and a second one, an 'iptables-legacy' ruleset. Both rulesets are the same.

Installation of the iptables-persistent package installs rulesets from empty locations.

# apt-get update && apt-get install iptables-persistent
[...]
The following additional packages will be installed:
  netfilter-persistent
The following NEW packages will be installed:
  iptables-persistent netfilter-persistent
[...]
....TUI menu item offering to save existing ruleset but the [Yes] [No] option has been disabled
[...]
Loading netfilter rules...run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Warning: skipping IPv4 (no rules to load)
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Warning: skipping IPv6 (no rules to load)
done.

The Debian wiki gives the following 2 commands for setting up iptables-persistent, which I understood to be required for the saved rules to be loaded at boot:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

I have no confidence that installing iptables-persistent will enforce the protective ruleset on reboot.

I have added four lines to the eth0 entry in /etc/network/interfaces:

pre-up iptables-restore < /etc/network/iptables.rules
pre-up ip6tables-restore < /etc/network/ip6tables.rules
pre-up iptables -L
pre-up ip6tables -L

Issuing # ifdown eth0 && ifup eth0 confirms that they should be. However, this is a workaround.

We are offered an option to preserve existing versions of several files during an upgrade that tries to replace them. The option is therefore readily available to avoid replacing an existing iptables* ruleset. Another option might be to deploy iptables-apply to roll back any changes to an existing ruleset by default (i.e. in the absence of confirmation) as part of the upgrade.

Best wishes
fraser

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
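The post above boils down to one question an administrator wants answered after an upgrade: are the rules actually loaded in the kernel the saved protective ruleset, or the default permissive one? The script below is an added example, not part of fraser's post and not code from the iptables-persistent or netfilter-persistent packages. It compares two iptables-save style dumps while ignoring the parts that legitimately differ between runs (the "# Generated by"/"# Completed on" headers and the [pkts:bytes] counters), and flags a dump that is the stock permissive ruleset. The function names (normalize_ruleset, rulesets_match, is_default_permissive, check_live) and all three sample dumps are constructed for this example; on a real host you would compare the output of iptables-save against /etc/iptables/rules.v4 (or the file you restore from in /etc/network/interfaces).

```shell
#!/bin/sh
# Added example (not from the mailing-list post): verify that the live
# ruleset equals the saved protective one and is not the upgrade's default.
# All sample dumps below are constructed stand-ins for iptables-save output.

# Drop what differs on every run of iptables-save: the generated/completed
# header comments and the [pkts:bytes] counters (at the end of ":CHAIN POLICY"
# lines, or at the start of lines when dumped with iptables-save -c).
normalize_ruleset() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/ \[[0-9]*:[0-9]*\]$//' \
        -e 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# Succeeds when two dumps define the same rules (headers/counters ignored).
rulesets_match() {
    [ "$(normalize_ruleset "$1")" = "$(normalize_ruleset "$2")" ]
}

# Succeeds when a dump is the stock permissive ruleset: no -A rules at all
# and no chain policy of DROP or REJECT, i.e. the state the post describes
# immediately after the upgrade.
is_default_permissive() {
    rules=$(normalize_ruleset "$1")
    ! printf '%s\n' "$rules" | grep -q '^-A ' &&
    ! printf '%s\n' "$rules" | grep -q -e '^:[^ ]* DROP' -e '^:[^ ]* REJECT'
}

# Exit 0 = live matches saved, 1 = live is the default, 2 = live differs.
check_live() {
    if is_default_permissive "$1"; then
        echo "WARNING: live ruleset is the default permissive one"
        return 1
    elif rulesets_match "$2" "$1"; then
        echo "OK: live ruleset matches saved rules"
        return 0
    else
        echo "WARNING: live ruleset differs from saved rules"
        return 2
    fi
}

# --- constructed sample dumps ---
SAVED=$(mktemp)       # stand-in for /etc/iptables/rules.v4
cat > "$SAVED" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

LIVE_OK=$(mktemp)     # same rules as live: only headers and counters differ
cat > "$LIVE_OK" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [4821:391044]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5120:610233]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on (constructed sample)
EOF

LIVE_RESET=$(mktemp)  # what the upgrade left behind: everything ACCEPT
cat > "$LIVE_RESET" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on (constructed sample)
EOF

check_live "$LIVE_OK" "$SAVED"            # OK
check_live "$LIVE_RESET" "$SAVED" || true # WARNING: default permissive
```

On a host where the "two rulesets" warning from the post appears, both the legacy and the nft backends may hold rules, so run the comparison once per backend: dump with iptables-legacy-save and with iptables-nft-save separately and pass each dump to check_live, rather than trusting a single iptables-save. Running the check from the pre-up hook (where the post already issues iptables -L) turns a visual inspection into a non-zero exit that can stop the interface from coming up unprotected.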