Your message dated Fri, 16 Nov 2018 12:43:43 +0100
with message-id <90588225-5cfc-834d-50ce-41b2391e5...@debian.org>
and subject line Re: iptables 1.8.2: ERROR when adding REJECT target to custom chains
has caused the Debian Bug report #913877,
regarding iptables 1.8.2: ERROR when adding REJECT target to custom chains
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
913877: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913877
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iptables
Version: 1.8.2-2
Severity: grave
The fail2ban attack prevention software scans log files and adds
firewall rules dynamically to iptables/ip6tables to prevent DoS and
login scanning attacks in realtime.
Since upgrading iptables to the 1.8.2 version it has been completely
unable to do that vital task due to problems within nftables / iptables.
The example that I am facing right now is with active and large DoS
attacks (email spam attacks). When fail2ban attempts to add the firewall
blocks, such as:
iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
-j REJECT --reject-with icmp-port-unreachable
iptables produces an error:
iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
rule in chain f2b-postfix-sasl
the system log matching that iptables update attempt states:
x_tables: ip_tables: REJECT target: used from hooks
FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT
Which appears to be a lie. The f2b-postfix-sasl is a sub-chain of the
INPUT table and is not in any way connected to the FORWARD, OUTPUT nor
POSTROUTING tables.
iptables -L -nv
Chain INPUT (policy ACCEPT 1727M packets, 3523G bytes)
 pkts  bytes target           prot opt in  out source     destination
 9531  7001K f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
 9531  7001K f2b-courier-auth tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
 8629  6907K f2b-postfix      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587
 2994   278K f2b-sshd         tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 22
6412K  2086M f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
6412K  2086M f2b-courier-auth tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587,143,993,110,995
3053K   829M f2b-postfix      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 25,465,587
  11M   663M f2b-sshd         tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts  bytes target           prot opt in  out source     destination

Chain OUTPUT (policy ACCEPT 1230M packets, 132G bytes)
 pkts  bytes target           prot opt in  out source     destination

Chain f2b-sshd (2 references)
 pkts  bytes target           prot opt in  out source     destination
 5988   556K RETURN           all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain f2b-postfix (2 references)
 pkts  bytes target           prot opt in  out source     destination
17258    14M RETURN           all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain f2b-courier-auth (2 references)
 pkts  bytes target           prot opt in  out source     destination
19062    14M RETURN           all  --  *   *   0.0.0.0/0  0.0.0.0/0

Chain f2b-postfix-sasl (2 references)
 pkts  bytes target           prot opt in  out source     destination
19062    14M RETURN           all  --  *   *   0.0.0.0/0  0.0.0.0/0
AYJ
--- End Message ---
--- Begin Message ---
Control: tag -1 unreproducible
On Fri, 16 Nov 2018 23:20:02 +1300 Amos Jeffries <squ...@treenet.co.nz> wrote:
> Followup experiments isolating the custom sub-chain are showing even
> worse behaviour from the new iptables (-nft flavour).
>
> These commands
>
> iptables -N test-foo
> iptables -I test-foo 1 -s 127.0.0.1 -j REJECT
>
> Produces this output:
>
> iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
> rule in chain test-foo
>
>
> And this absurd syslog message:
>
> x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only
> usable from INPUT/FORWARD/OUTPUT
Upstream reports that this does work on other systems.
Which kernel are you running? Mine is:
arturo@endurance:~ $ uname -r
4.18.0-2-amd64
This is my local test:
arturo@endurance:~ $ sudo iptables-nft -N test-foo
arturo@endurance:~ $ sudo iptables-nft -I test-foo 1 -s 127.0.0.1 -j REJECT
arturo@endurance:~ $ sudo iptables-nft-save
# Generated by xtables-save v1.8.2 on Fri Nov 16 12:40:51 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:test-foo - [0:0]
-A test-foo -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Nov 16 12:40:51 2018
Closing bug now, feel free to reopen if required. Thanks for reporting.
--- End Message ---
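The kernel validates a REJECT rule against the set of hooks from which its chain can be reached by following -j jumps out of the builtin chains (the "used from hooks ..." part of the logged message), not against the chain's own name. The following Python script is an added example, not code from this thread, from iptables or from fail2ban: it computes that reachability from iptables-save output so an administrator can compare it with what the kernel claims. The ruleset is constructed; the nat-table chain reached from POSTROUTING is an assumption added to show a placement that is genuinely invalid for REJECT.

```python
# Builtin chains each sit on the netfilter hook of the same name; REJECT is only
# usable from INPUT/FORWARD/OUTPUT, the rule the kernel message in the report cites.
BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
REJECT_HOOKS = {"INPUT", "FORWARD", "OUTPUT"}

def parse_iptables_save(text):
    """-> {table: {chain: [(jump_target, rule_line)]}} from iptables-save output."""
    tables, chains = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                       # table header, e.g. *filter
            chains = tables.setdefault(line[1:], {})
        elif line.startswith("-A "):                   # rule appended to a chain
            parts = line.split()
            target = parts[parts.index("-j") + 1] if "-j" in parts else None
            chains.setdefault(parts[1], []).append((target, line))
    return tables

def hooks_reaching(chains):
    """Set of hooks each chain is reachable from, following -j jumps from builtins."""
    reach = {c: set() for c in chains}
    for hook in BUILTIN.intersection(chains):
        stack = [hook]
        while stack:
            chain = stack.pop()
            if hook not in reach[chain]:               # first visit for this hook
                reach[chain].add(hook)
                stack.extend(t for t, _ in chains[chain] if t in chains)
    return reach

def reject_rule_report(text):
    """One (table, chain, reachable hooks, offending hooks) per REJECT rule."""
    report = []
    for table, chains in parse_iptables_save(text).items():
        reach = hooks_reaching(chains)
        for chain, rules in chains.items():
            for target, _ in rules:
                if target == "REJECT":
                    bad = sorted(reach[chain] - REJECT_HOOKS)
                    report.append((table, chain, sorted(reach[chain]), bad))
    return report

# Constructed sample: fail2ban's chain off INPUT, the reply's unreferenced test-foo
# chain, and an assumed nat-table chain jumped to from POSTROUTING (invalid for REJECT).
SAMPLE = """\
*filter
-A INPUT -p tcp -m multiport --dports 25,465,587 -j f2b-postfix-sasl
-A f2b-postfix-sasl -s 80.82.70.189/32 -j REJECT --reject-with icmp-port-unreachable
-A test-foo -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
*nat
-A POSTROUTING -j nat-custom
-A nat-custom -s 10.0.0.0/8 -j REJECT
"""
```

An empty offending-hooks list means the REJECT rule is valid from every hook that reaches its chain; a chain nothing jumps to (test-foo) is reachable from no hook at all, matching the reply's successful insertion.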