John Crisp wrote on 26/03/18 19:37:
I am booting Devuan ASCII on a VM. I have had some issues with getting an IP address for the VM on boot. I had previously been loading iptables like this:

/etc/network/interfaces

    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet dhcp
        post-up iptables-restore < /etc/iptables.up.rules

Two questions. Is it better like this or should I use iptables-persistent?
I would suggest that this approach has the advantage of raising the firewall immediately when bringing up the interface. When using iptables-persistent, it would be brought up with a delay and after IP assignment, which leaves a small temporal window with no firewall. On the other hand, that window is only of concern when the system has some early (earlier) starting services that need intrusion protection. So in most cases it makes no difference.
Secondly, it appears that iptables is getting loaded before the dhclient transaction has completed, and the interface then does not get the IP information from the upstream server. Any suggestions on a table rule to allow this? The system hangs at:

    Configuring network interfaces...ifup: waiting for lock on /run/network/ifstate.eth0

I have some table rules like this which I thought would allow the transaction to continue, but that doesn't seem to work:

    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :LOGGING - [0:0]
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Allow DHCP
    -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

As I only have a single web based terminal to work from on boot, I can't run a tcpdump to see what is happening with packets! Any suggestions appreciated.
I think you'll also need the "-A INPUT -i lo -j ACCEPT" rule, and possibly you should allow some/all icmp packets as well.
Ralph.

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
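As an added example that is not part of the thread above (and not John's or Ralph's own configuration), the following script puts the pieces discussed in this exchange together: a complete iptables-restore ruleset for a DHCP client with a default-DROP INPUT chain that accepts loopback, conntrack ESTABLISHED/RELATED, DHCP server replies and ICMP, the interfaces(5) stanza that loads it together with the interface, and a static check for the rules this thread tripped over. The interface name eth0, the path /etc/iptables.up.rules and the use of a temp directory are assumptions; the DHCP rule is tighter than the one quoted above (server replies only: udp/67 to udp/68), and the stanza uses pre-up rather than post-up so the firewall is in place before the interface is configured at all.

```shell
#!/bin/sh
# Added example, not code from the Dng thread. Generates and checks an
# iptables-restore ruleset for a DHCP client behind a default-DROP INPUT
# policy. IFACE (default eth0) and the rules path are assumptions.
set -eu

# Emit a full ruleset for iptables-restore. INPUT defaults to DROP; the
# accept rules cover what a DHCP client host needs to come up at all.
gen_rules() {
    iface="${1:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# Loopback first: local daemons talk to each other over lo.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP client: server answers arrive from udp/67 to udp/68. They are often
# broadcast, so they do not match the conntrack entry of the request and
# need an explicit rule.
-A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT
# ICMP: path MTU discovery and basic diagnostics.
-A INPUT -p icmp -j ACCEPT
# Everything else: rate-limited log, then drop.
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A LOGGING -j DROP
COMMIT
EOF
}

# The interfaces(5) stanza that loads the rules with the interface.
# pre-up runs before the interface is configured, so the firewall is up
# before any address is assigned; post-up (as in the thread) runs after.
gen_interfaces_stanza() {
    iface="${1:-eth0}"
    rules="${2:-/etc/iptables.up.rules}"
    cat <<EOF
allow-hotplug $iface
iface $iface inet dhcp
    pre-up iptables-restore < $rules
EOF
}

# Static sanity check of a ruleset file for the omissions discussed in the
# thread. Returns 0 when every required piece is present, 1 otherwise.
# As root with iptables installed, also let iptables-restore parse it.
check_rules() {
    f="$1"
    grep -q '^\*filter$' "$f"                  || { echo "missing *filter" >&2; return 1; }
    grep -q '^COMMIT$' "$f"                    || { echo "missing COMMIT" >&2; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" || { echo "missing loopback rule" >&2; return 1; }
    grep -q -- '--sport 67 --dport 68' "$f"    || { echo "missing DHCP client rule" >&2; return 1; }
    grep -q -- '-p icmp' "$f"                  || { echo "missing ICMP rule" >&2; return 1; }
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$f" || { echo "iptables-restore rejected the file" >&2; return 1; }
    fi
    return 0
}

# Stand-alone run: write the ruleset to a temp file and check it without
# touching /etc. Copy it into place yourself once it passes.
main() {
    out="${TMPDIR:-/tmp}/iptables.up.rules.new"
    gen_rules "${1:-eth0}" > "$out"
    check_rules "$out" && echo "ruleset written to $out"
    gen_interfaces_stanza "${1:-eth0}"
}

main "$@"
```

Run it as `sh thisfile.sh eth0`, inspect the generated file, then install it as /etc/iptables.up.rules and add the printed stanza to /etc/network/interfaces. The check function deliberately fails on a file that lacks the loopback rule, since that omission is what Ralph points out above.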
