
Debian server: keeping iptables rules after a reboot

Yes, just create an override file
sudo systemctl edit netfilter-persistent
then add
[Unit]
After=docker.service
Requires=docker.service
It's just so that it waits until Docker is up, guaranteeing the DOCKER-USER chain is available before restoring your rules.

Are these terminal commands too?

/usr/local/sbin/firewall.sh:
Bash:
#!/bin/bash
# CHAIN exists?
sudo iptables -N CHAIN 2>/dev/null || true

# DOCKER-USER jump to CHAIN
sudo iptables -C DOCKER-USER -j CHAIN 2>/dev/null || \
sudo iptables -I DOCKER-USER -j CHAIN

# CHAIN drops packets from myset
sudo iptables -C CHAIN -m set --match-set myset src -j DROP 2>/dev/null || \
sudo iptables -A CHAIN -m set --match-set myset src -j DROP
Do it like this?
 
ipset 'myset' is prepared right?

Then
/etc/systemd/system/firewall.service
[Unit]
After=docker.service
Requires=docker.service
And activate it?
sudo systemctl daemon-reload
sudo systemctl enable firewall.service
No, please don't do that. The technique you are mentioning is valid and goes something like this:
/etc/systemd/system/firewall.service with
[Unit]
Description=Docker iptables rules
After=docker.service
Requires=docker.service

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/firewall.sh
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
then
sudo systemctl daemon-reload
sudo systemctl enable firewall.service
sudo systemctl start firewall.service

Instead, I recommend creating an override file:
sudo systemctl edit netfilter-persistent
then add
[Unit]
After=docker.service
Requires=docker.service

root@internet:~# nano /usr/local/sbin/firewall.sh
root@internet:~# nano /etc/systemd/system/firewall.service
root@internet:~# sudo systemctl daemon-reload
root@internet:~# sudo systemctl enable firewall.service
Created symlink /etc/systemd/system/multi-user.target.wants/firewall.service → /etc/systemd/system/firewall.service.
root@internet:~# sudo systemctl start firewall.service
Job for firewall.service failed because the control process exited with error code.
See "systemctl status firewall.service" and "journalctl -xeu firewall.service" for details.
root@internet:~# sudo systemctl edit netfilter-persistent
No files found for netfilter-persistent.service.
Run 'systemctl edit --force --full netfilter-persistent.service' to create a new unit.
root@internet:~# sudo systemctl edit netfilter-persistent
No files found for netfilter-persistent.service.
Run 'systemctl edit --force --full netfilter-persistent.service' to create a new unit.
 
sudo systemctl edit netfilter-persistent
No files found for netfilter-persistent.service.
Run 'systemctl edit --force --full netfilter-persistent.service' to create a new unit.
--force --full is more than you need but it will work. Just create a minimal override .conf inside /etc/systemd/system/netfilter-persistent.service.d (much cleaner)
then sudo systemctl daemon-reload


sudo mkdir -p /etc/systemd/system/netfilter-persistent.service.d
sudo vi /etc/systemd/system/netfilter-persistent.service.d/override.conf

Put only:
[Unit]
After=docker.service
Requires=docker.service

sudo systemctl daemon-reload

I recommend you to briefly review https://www.linode.com/docs/guides/introduction-to-systemctl/
It'd provide greater clarity than experimenting with commands blindly.)

Job for firewall.service failed because the control process exited with error code.
Gotta be something in your script. shebang? chmod +x? "myset"? something else?
 
Nothing works; after a reboot the table is gone. Let's start over, this is how I created the table
sudo iptables -N CUSTOM-DOCKER
sudo iptables -I DOCKER-USER -j CUSTOM-DOCKER
apt install ipset
sudo apt-get install iptables
ipset -N myset nethash
iptables -A CUSTOM-DOCKER -m set --match-set myset src -j DROP
Now please give me the commands I need to run, not scattered around but in full, just as you would do it
 
sudo apt install iptables-persistent ipset-persistent
This will setup 2 services: netfilter-persistent (load/save iptables) + ipset-persistent (load/save ipsets)

IP set "myset" will hold ips/subnets for blocking.
Create in memory:
sudo ipset create myset nethash
sudo ipset add myset 111.222.33.4
sudo ipset add myset 1.2.3.0/24

sudo ipset save > /etc/ipset.conf
ipset-persistent will autoload this file on reboot (recreating myset).


Create custom chain:
sudo iptables -N CHAIN
if already exists: error.

Insert our chain into DOCKER-USER chain:
sudo iptables -I DOCKER-USER -j CHAIN
any inbound traffic to containers goes through CHAIN.

Drop traffic from myset in CHAIN:
sudo iptables -A CHAIN -m set --match-set myset src -j DROP

sudo iptables-save > /etc/iptables/rules.v4
By default: iptables-persistent loads this file on reboot.

Docker creates the DOCKER-USER chain when it starts. Sometimes netfilter-persistent might run before Docker on boot. So we override netfilter-persistent so it starts after Docker:
sudo mkdir -p /etc/systemd/system/netfilter-persistent.service.d
sudo vi /etc/systemd/system/netfilter-persistent.service.d/override.conf

Place the following in override.conf:
[Unit]
After=docker.service
Requires=docker.service

Reload systemd
sudo systemctl daemon-reload

Usually it's enabled by default but you can always:
sudo systemctl enable netfilter-persistent

When you reboot: Docker starts, creates DOCKER-USER, netfilter-persistent (from iptables-persistent) will then load /etc/ipset.conf (rebuilding myset) + /etc/iptables/rules.v4 (rebuilding CHAIN chain + DOCKER-USER jump).

On reboot, you can check:
sudo ipset list myset
sudo iptables -L CHAIN -n -v
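As an added example (not from the thread, and not part of iptables-persistent itself), here is a small POSIX shell script that checks the persisted files the procedure above produces before you rely on a reboot: it writes the netfilter-persistent drop-in, then verifies that a saved rules.v4 declares the custom chain, the DOCKER-USER jump and the DROP rule, and that ipset.conf declares the set that rule depends on. The last point matters because iptables-restore refuses a --match-set rule whose set does not exist yet, which also makes a oneshot firewall.service fail. The paths and the names CHAIN / myset are the ones used in the post; the function names and the sample file contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pre-reboot sanity checks for the files that
# iptables-persistent / ipset-persistent restore. Paths and chain/set names are
# those from the thread; function names and sample contents are constructed.

RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}
IPSET_FILE=${IPSET_FILE:-/etc/ipset.conf}
DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/netfilter-persistent.service.d}

# Write the drop-in that orders netfilter-persistent after Docker.
# $1 = drop-in directory (defaults to DROPIN_DIR)
write_override() {
    dir=${1:-$DROPIN_DIR}
    mkdir -p "$dir" || return 1
    printf '[Unit]\nAfter=docker.service\nRequires=docker.service\n' > "$dir/override.conf"
}

# Verify a saved iptables-save file: chain declared, jump from DOCKER-USER
# present, DROP rule referencing the set present.
# $1 = file, $2 = chain name, $3 = set name
rules_file_ok() {
    file=$1 chain=$2 setname=$3
    grep -q "^:$chain - " "$file" \
        || { echo "$file: chain $chain not declared"; return 1; }
    grep -q "^-A DOCKER-USER -j $chain\$" "$file" \
        || { echo "$file: no jump DOCKER-USER -> $chain"; return 1; }
    grep -q "^-A $chain -m set --match-set $setname src -j DROP\$" "$file" \
        || { echo "$file: no DROP rule for set $setname"; return 1; }
}

# Verify a saved ipset file declares the set; iptables-restore fails on a
# --match-set rule whose set is missing, so this must pass as well.
# $1 = file, $2 = set name
ipset_file_ok() {
    grep -q "^create $2 " "$1" || { echo "$1: set $2 not declared"; return 1; }
}

# Constructed samples of what `iptables-save` and `ipset save` emit for the
# thread's setup; used by the demo below and for testing without root.
make_sample_files() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:CHAIN - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j CHAIN
-A DOCKER-USER -j RETURN
-A CHAIN -m set --match-set myset src -j DROP
COMMIT
EOF
    cat > "$dir/ipset.conf" <<'EOF'
create myset hash:net family inet hashsize 1024 maxelem 65536
add myset 111.222.33.4
add myset 1.2.3.0/24
EOF
}

# Run every check the reboot depends on; returns 0 only if all pass.
# $1 = rules file, $2 = ipset file, $3 = drop-in directory
check_all() {
    rules=$1 sets=$2 dropin=$3
    rules_file_ok "$rules" CHAIN myset || return 1
    ipset_file_ok "$sets" myset || return 1
    grep -q '^After=docker.service$' "$dropin/override.conf" 2>/dev/null \
        || { echo "$dropin/override.conf: missing After=docker.service"; return 1; }
}

# Demo on constructed files (runs unprivileged); pass "live" to check the real paths.
if [ "${1:-}" = live ]; then
    check_all "$RULES_FILE" "$IPSET_FILE" "$DROPIN_DIR" && echo "live config OK"
else
    tmp=$(mktemp -d)
    make_sample_files "$tmp" && write_override "$tmp/dropin" \
        && check_all "$tmp/rules.v4" "$tmp/ipset.conf" "$tmp/dropin" \
        && echo "sample config OK"
    rm -rf "$tmp"
fi
```

Run it with no arguments to see the checks pass on the constructed sample; run it as root with `live` after the `iptables-save` / `ipset save` steps to confirm the real files contain everything before rebooting.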
 
Is it iptables-persistent instead of netfilter-persistent?
Try it. If not, manually mkdir.
 
qvp, copy my entire text into an LLM whatever alongside your troubles, something worthwhile should definitely come out of it because of a significantly faster + convenient + patient feedback loop.


qvp, deb11 might be using nf_tables (the "nft backend"). Confirm it first before wasting anymore time.
Docker tends to prefer legacy iptables backend, so you'd need to make a switch. But confirm first, before anything.


Staying on "nft" but keep rules: in principle, it’s the same instructions, but because Docker + nft can be finicky, you might still see issues if Docker tries to manipulate the iptables-legacy or whatever.


It's painfully inconvenient through these forum threads.
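As an added example (not from the thread), a small POSIX shell helper that reports which iptables backend a host is using, so the nft-versus-legacy question above can be settled before anything is changed. It parses the `(nf_tables)` / `(legacy)` suffix that `iptables -V` prints; the function names are constructed, and the version strings used for the demo are constructed samples of that output.

```shell
#!/bin/sh
# Added example, not from the thread: report which iptables backend this host
# uses before changing how rules are persisted. Function names are constructed.

# Extract the backend from an `iptables -V` line such as
# "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
# Older builds print no suffix, which is reported as "unknown".
backend_from_version() {
    case $1 in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Query the live system; "unknown" when iptables is not installed.
current_backend() {
    v=$(iptables -V 2>/dev/null) || v=""
    backend_from_version "$v"
}

# Print the backend plus where to look next. Rules loaded through one backend
# are not shown by the other one's `iptables -L`, so a mismatch between what
# iptables-restore loads and what Docker uses looks like "the rules vanished".
report_backend() {
    b=$(current_backend)
    echo "iptables backend: $b"
    case $b in
        nf_tables) echo "Debian selects the variant via: update-alternatives --display iptables" ;;
        legacy)    echo "legacy backend in use; rules.v4 and Docker go through the same tool" ;;
        *)         echo "could not determine the backend (is iptables installed?)" ;;
    esac
    return 0
}

report_backend
```

On a host where `update-alternatives --display iptables` shows the nft variant while Docker expects legacy, compare the output of `iptables-legacy -L DOCKER-USER -n` and `iptables-nft -L DOCKER-USER -n` before deciding anything; the chain you persisted may simply be living in the other backend.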
 
sudo iptables -N CUSTOM-DOCKER
sudo iptables -I DOCKER-USER -j CUSTOM-DOCKER
apt install ipset
sudo apt-get install iptables
ipset -N myset nethash
iptables -A CUSTOM-DOCKER -m set --match-set myset src -j DROP
I repeat, all of this works; I add the IPs I am blocking to the myset set. I need all of this to keep working after the server reboots.