No iptables/ip6tables found at Debian 10 (2021/03/26) #83

Open
davidmarquesneves opened this issue Mar 26, 2021 · 8 comments

@davidmarquesneves

In line 75 of "environment" (usually at /usr/share/arno-iptables-firewall/), change from

    ipset) path="/usr/sbin/" ;;

to

    ipset|iptables|ip6tables) path="/usr/sbin/" ;;

    # Check whether a certain command is available
    check_command()
    {
      local cmd path IFS

      # Split the argument list on spaces only
      IFS=' '
      for cmd in $*; do
        # Pick a directory "hint" for the command
        case "$cmd" in
          /*) path="" ;;    # absolute path given: use it as-is
          ip|tc|modprobe|sysctl) path="/sbin/" ;;
          sed|cat|date|uname) path="/bin/" ;;
          ipset|iptables|ip6tables) path="/usr/sbin/" ;;
          *) path="/usr/bin/" ;;
        esac

        # Found as an executable at the hinted location
        if [ -x "$path$cmd" ]; then
          return 0
        fi

        # Otherwise fall back to a PATH lookup
        if [ -n "$(which "$cmd" 2>/dev/null)" ]; then
          return 0
        fi
      done

      return 1
    }

@abelbeck
Contributor

@davidmarquesneves : Adding |iptables|ip6tables to the case only adds "hints" ... as long as PATH contains /usr/sbin (which sudo should do) this sanity check should work without adding extra "hints".

The which command follows the PATH variable. What is your:

sudo echo "$PATH"

@arnova
Contributor

arnova commented Mar 29, 2021

And what's the AIF version you're using? I have 2.1.1 running on several Debian 10 without any issues.

@davidmarquesneves
Author

> And what's the AIF version you're using? I have 2.1.1 running on several Debian 10 without any issues.

arno-iptables-firewall, version 2.0.3-2, from Debian repos.

@davidmarquesneves
Author

echo "$PATH"
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

BUT...
Not using sudo, just "sudo -" .

@abelbeck
Contributor

> echo "$PATH"
> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

The AIF code should work as-is then, which iptables should output /usr/sbin/iptables

@davidmarquesneves
Author

> > echo "$PATH"
> > /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>
> The AIF code should work as-is then, which iptables should output /usr/sbin/iptables

Exactly.
In a root shell, which iptables outputs nothing.

I'm investigating a bit about iptables-legacy vs. iptables-nft.

@abelbeck
Contributor

@davidmarquesneves : One data point, my custom Linux distro has:

ls -l /usr/sbin/iptables*

lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-restore -> xtables-legacy-multi
lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-save -> xtables-legacy-multi

but we build iptables with --disable-nftables (Debian does not)

Possibly you don't have the /usr/sbin/iptables -> xtables-legacy-multi symlink? Maybe there is a Debian option to choose between "legacy" and "nft" or set the appropriate symlinks?

@davidmarquesneves
Author

> @davidmarquesneves : One data point, my custom Linux distro has:
>
> ls -l /usr/sbin/iptables*
>
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-restore -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-legacy-save -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-restore -> xtables-legacy-multi
> lrwxrwxrwx    1 root     root            20 Mar 26 15:21 /usr/sbin/iptables-save -> xtables-legacy-multi
>
> but we build iptables with --disable-nftables (Debian does not)
>
> Possibly you don't have the /usr/sbin/iptables -> xtables-legacy-multi symlink? Maybe there is a Debian option to choose between "legacy" and "nft" or set the appropriate symlinks?

Exactly.

After...
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set iptables /usr/sbin/iptables-legacy

...AND A REBOOT, it is working fine again with the original environment file.

This specific server was installed using Debian 10.5 with iptables-nft (the default for buster) and worked out of the box, but after some update (10.8 or 10.9, I can't say which) the error discussed here appeared and it stopped working.

A clue:
service arno-iptables-firewall status WORKS, but no other options.

Problem solved, but at this point I really can't decide whether the code needs to be changed.
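Added example (not part of the thread and not arno-iptables-firewall code): a shell diagnostic for the situation discussed above, reporting where iptables and ip6tables are found, whether the symlink is dangling, and whether it resolves to the legacy or the nft multi-call binary. The function names and the default directory list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not AIF code. Function names and the directory list are
# illustrative assumptions.

# Print the first path for command $1 found in the given directories
# (default: the usual sbin/bin locations). Dangling symlinks are reported
# too, so they can be diagnosed. Returns 1 if nothing is found.
locate_cmd() {
  cmd=$1; shift
  [ $# -gt 0 ] || set -- /usr/sbin /sbin /usr/bin /bin
  for dir in "$@"; do
    if [ -e "$dir/$cmd" ] || [ -L "$dir/$cmd" ]; then
      printf '%s\n' "$dir/$cmd"
      return 0
    fi
  done
  return 1
}

# Classify a path as: missing | dangling | legacy | nft | other
classify_backend() {
  p=$1
  # A symlink whose target does not exist (e.g. a broken alternative)
  if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return; fi
  [ -e "$p" ] || { echo missing; return; }
  # Follow the whole symlink chain and look at the final binary name
  case "$(basename "$(readlink -f "$p")")" in
    xtables-legacy-multi) echo legacy ;;
    xtables-nft-multi)    echo nft ;;
    *)                    echo other ;;
  esac
}

# Report on the two commands the firewall script needs.
report() {
  for c in iptables ip6tables; do
    if path=$(locate_cmd "$c" "$@"); then
      echo "$c: $path ($(classify_backend "$path"))"
    else
      echo "$c: not found"
    fi
  done
}

report
```

On Debian, `update-alternatives --display iptables` shows which alternative the symlink is expected to follow.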
