IPTABLES and IPSET


Post by Lazydog » Tue Jan 02, 2018 2:38

So I just re-installed Sabayon after using Gentoo for some time. I cannot figure out how to get IPTABLES to start after install.

Enabling it with the following command doesn't show any errors.

Code:

systemctl enable iptables

When I try to start it I get the following:

Code:

iptables # systemctl start iptables
Assertion failed on job for iptables.service.

And looking at the status I see this:

Code:

iptables # systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
   Assert: start assertion failed at Mon 2018-01-01 20:31:36 EST; 6min ago
           AssertPathExists=/etc/sysconfig/iptables was not met

Jan 01 20:25:35 sabayon systemd[1]: iptables.service: Starting requested but asserts failed.
Jan 01 20:25:35 sabayon systemd[1]: Assertion failed for IPv4 firewall with iptables.
Jan 01 20:30:50 sabayon systemd[1]: iptables.service: Starting requested but asserts failed.
Jan 01 20:30:50 sabayon systemd[1]: Assertion failed for IPv4 firewall with iptables.
Jan 01 20:31:36 sabayon systemd[1]: iptables.service: Starting requested but asserts failed.
Jan 01 20:31:36 sabayon systemd[1]: Assertion failed for IPv4 firewall with iptables.

Also, I'm trying to get IPSET up and running, but it too doesn't work:

Code:

iptables # systemctl enable ipset
Failed to enable unit: Unit file ipset.service does not exist.

Did Sabayon decide for me that IPTABLES and IPSET are no longer an option? I know I can use firewalld but I don't want to.

Thanks for your help getting this up and running.
--
Regards
Robert



Post by sabayonino » Tue Jan 02, 2018 14:36

iptables is a part of the kernel and it should be enabled by default via firewalld.service

The following systemd services are available (/usr/lib/systemd/system):

Code:

ip6tables-restore.service
ip6tables-store.service
iptables-restore.service
iptables-store.service

Post by Lazydog » Wed Jan 03, 2018 2:10

sabayonino, thanks for the reply.

So IPTABLES isn't started anymore with systemctl enable iptables; now you use systemctl enable iptables-restore.service.

What about ipset? I didn't see anything in /usr/lib/systemd/system for it.
--
Regards
Robert



Post by sabayonino » Wed Jan 03, 2018 12:27

The "restore.service" restores the iptables rules.

As I wrote, the iptables service is managed by firewalld.service (iptables.service doesn't exist), so you should run

Code:

# systemctl enable|disable firewalld

to enable/disable the service

and/or

Code:

# systemctl start|stop|restart firewalld

to manage the service

Post by Lazydog » Thu Jan 04, 2018 2:32

firewalld is not needed to reload the firewall rules. I set up my rules as I wanted and then run:

Code:

systemctl start iptables-store.service

to save my rules, and then I run:

Code:

systemctl enable iptables-restore.service

After reboot the firewall rules were applied without issues. So you can use iptables services to start your firewall.

Only thing I haven't figured out yet is how to get ipset working. Got any ideas?

Thanks
--
Regards
Robert



Post by sabayonino » Thu Jan 04, 2018 12:45

ipset is provided by the net-firewall/ipset package.

Its binary is stored in

Code:

# which ipset
/usr/sbin/ipset

only for root

Post by Lazydog » Sat Jan 06, 2018 3:13

Yes, it is at that location, but I need it to start on boot so I can configure my firewall to use it. If it is not started, it doesn't load the DB, thus it is useless. There are no service files for it.
--
Regards
Robert
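
The boot-order dependency described in the post above, as an added example that is not part of the original thread: iptables-restore rejects a rule whose --match-set names a set that does not exist yet, so the ipset file has to be restored first and has to create every set the rules reference. The file names and the Block-Temp-4 set are constructed for illustration.

```shell
#!/bin/sh
# Check that every ipset set referenced by saved iptables rules is created
# by the ipset save file restored before them. File names are hypothetical.

# Print set names used by the set match or the SET target, sorted, unique.
referenced_sets() {
    awk '{ for (i = 1; i < NF; i++) {
             if ($i == "--match-set" || $i == "--add-set" || $i == "--del-set") {
               print $(i + 1) } } }' "$1" | sort -u
}

# Print the names from "create NAME TYPE ..." lines of an `ipset save` file.
defined_sets() {
    awk '$1 == "create" && NF >= 3 { print $2 }' "$1" | sort -u
}

# Print referenced-but-undefined sets; return 1 if there are any.
missing_sets() {
    ref=$(mktemp) && def=$(mktemp) || return 2
    referenced_sets "$1" > "$ref"
    defined_sets "$2" > "$def"
    out=$(comm -23 "$ref" "$def")
    rm -f "$ref" "$def"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample data (not from the thread, apart from the set name
# Block-Indefinite-4): two sets referenced, only one created.
write_samples() {
    cat > "$1/iptables.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m set --match-set Block-Indefinite-4 src -j DROP
-A INPUT -m set --match-set Block-Temp-4 src -j DROP
COMMIT
EOF
    cat > "$1/ipset.rules" <<'EOF'
create Block-Indefinite-4 hash:ip family inet hashsize 4096 maxelem 65536
add Block-Indefinite-4 192.0.2.10
EOF
}

demo=$(mktemp -d) && write_samples "$demo"
missing_sets "$demo/iptables.rules" "$demo/ipset.rules" ||
    echo "sets above are not created by the ipset file" >&2
rm -rf "$demo"
```

Running the same check against the real saved files before enabling the restore units shows whether the firewall would fail to load at boot.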



Post by sabayonino » Sat Jan 06, 2018 9:41


Post by Lazydog » Sat Jan 06, 2018 17:29

THANKS!! This is what I was looking for. But it doesn't work as expected.

Code:

etc # systemctl status ipset
● ipset.service - IP sets for iptables
   Loaded: loaded (/usr/lib/systemd/system/ipset.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2018-01-06 11:30:39 EST; 11min ago
  Process: 4881 ExecStop=/usr/libexec/ipset/ipset.start-stop stop (code=exited, status=0/SUCCESS)
  Process: 4923 ExecStart=/usr/libexec/ipset/ipset.start-stop start (code=exited, status=0/SUCCESS)
 Main PID: 4923 (code=exited, status=0/SUCCESS)

Jan 06 11:30:39 sabayon systemd[1]: Starting IP sets for iptables...
Jan 06 11:30:39 sabayon ipset.start-stop[4923]: Loaded with no configuration
Jan 06 11:30:39 sabayon systemd[1]: Started IP sets for iptables.



etc # ipset help
ipset v6.32

Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set

etc # ipset create Block-Indefinite-4 hash:ip hashsize 4096
ipset v6.32: Kernel error received: Invalid argument

Need to dig deeper it looks like.
--
Regards
Robert



Post by Lazydog » Sat Jan 13, 2018 15:28

Still nothing. Anyone have an idea?
--
Regards
Robert

