sounds right to me. Here's mine (some commits before the current master)
[root@xsce-devel ~]# cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 firewall with iptables
After=syslog.target
ConditionPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target

From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:03 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21

Okay, I just had a chat about this first on #fedora-server and then on #systemd. They think in iptables.service it should be Before=network.target instead of After. Changing that works for me (although would need wiser minds to comment on its correctness). Anyway, IRC log attached below.

<m_anish> Hi, I am facing an issue with systemd/iptables on a fedora 21 setup... asked on #fedora without much luck, so asking here...
<m_anish> so, iptables is enabled but doesn't start .. relevant journal log --> http://fpaste.org/204855/42773649/
<m_anish> the network is setup such that eth is the WAN and hostapd is running on the wifi functioning as the LAN
<m_anish> firewall is disabled
<va> who the heck came up with that? iptables does not depend on network.
<m_anish> http://fpaste.org/204842/35817142/
<m_anish> is the actual iptables^^
<m_anish> va, ah! so removing that should fix it then!?
<m_anish> (i didn't edit it myself, but this is a f21 setup, on which ansible does some tweaks etc.)
<grawity> is that iptables.init script a regular Fedora thing?
<va> if anything, iptables ought to have a Before=network{.service,target,whatever}
<m_anish> grawity, one moment, i can check that (i have a 'regular' f21 machine with me as well)
<m_anish> hmm i don't have iptables installed on my regular machine (wtf)
<m_anish> va, ok
<m_anish> grawity, i'll install iptables in a clean vm to see what is happening
<m_anish> okay, so hostapd is After=network.target .. i'd want iptables to come into play after that I guess
<m_anish> va, this is the iptables.service file --> http://fpaste.org/204870/73779914/ you reckon i should s/After/Before there?
<m_anish> (also see the last comment abt hostapd)
<va> Like I said. Before=network
<va> you want to have the rules loaded BEFORE all evil can get through your network doors
<m_anish> va, will give it a try .. fwiw, this is probably not standard f21 .. but someone's error https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service
<va> it's always _someone's_ error
<m_anish> :)
<m_anish> va, okay, it worked I think! (will test more thoroughly for other stuff)
<m_anish> thx!

On Mon, Mar 30, 2015 at 11:28 PM, Tim Moody <t...@timmoody.com> wrote:

Looks like a cross dependency between the systemd unit files: iptables depends on network and network depends on iptables. Waiting for Jerry to weigh in.
From: xsce-de...@googlegroups.com [mailto:xsce-de...@googlegroups.com] On Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 1:34 PM
To: xsce-devel; server-devel
Subject: [XSCE] Re: iptables issue on fedora 21

Some more messages from the journal from around that time suggest some kind of loop:

* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on network.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on iptables.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on network.target/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on network.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start

On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <anis...@umich.edu> wrote:

Hi,

So I have an XSCE setup on a NUC originally in appliance mode, and now I am using hostapd for the wifi network to function as LAN. After I set up hostapd (config file and enabling the service) I ran ./runansible again, and everything seems to work except iptables, which goes dead. Relevant messages below:

[root@schoolserver anish]# journalctl -xb|grep iptables
Mar 30 22:34:22 schoolserver.lan systemd[1]: Found dependency on iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start
Mar 30 22:34:21 schoolserver.lan systemd[1]: Configuration file /etc/systemd/system/iptables.service is marked executable. Please remove executable permission bits. Proceeding anyway.
[root@schoolserver anish]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/etc/systemd/system/iptables.service; enabled)
   Active: inactive (dead)

/etc/xsce/xsce.ini --> http://fpaste.org/204840/

If I start iptables manually, it works, but not automatically. Any pointers would be helpful.

Best,
Anish
--
_______________________________________________
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
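An added example, not code from the thread or from XSCE: it models the Before=/After= ordering discussed above as a graph, reproduces the cycle from Anish's journal (network.service -> iptables.service -> network.target -> network.service), and shows that the Before=network.target fix from #systemd yields a clean start order. The unit snippets are constructed; the "After=iptables.service" line in network.service is an assumption standing in for Tim's "network depends on iptables".

```python
"""Model systemd's Before=/After= ordering as a graph and find ordering cycles.
Added example, not code from the thread or from XSCE. The unit snippets are constructed
to mirror Anish's journal; the After=iptables.service line in network.service is an
assumption standing in for Tim's "network depends on iptables"."""
import re
from collections import deque

BROKEN_UNITS = {  # iptables ordered after the network, as in the gateway template
    "iptables.service": "[Unit]\nAfter=network.target\n",
    "network.service": "[Unit]\nAfter=iptables.service\nBefore=network.target\n",
    "network.target": "[Unit]\n",
}
# The fix suggested on #systemd: load the rules before the network comes up.
FIXED_UNITS = dict(BROKEN_UNITS, **{"iptables.service": "[Unit]\nBefore=network.target\n"})

DIRECTIVE = re.compile(r"^\s*(Before|After)\s*=\s*(.+?)\s*$", re.MULTILINE)

def build_graph(units):
    """Edge a -> b means 'a is ordered before b': After=X in unit U adds X -> U,
    Before=X in unit U adds U -> X. Wants/Requires are ignored; only ordering matters."""
    graph = {}
    for unit, text in units.items():
        graph.setdefault(unit, set())
        for key, value in DIRECTIVE.findall(text):
            for other in value.split():  # one directive may list several units
                graph.setdefault(other, set())
                src, dst = (other, unit) if key == "After" else (unit, other)
                graph[src].add(dst)
    return graph

def start_order(graph):
    """Kahn's algorithm. Returns (order, stuck): a valid start sequence plus the units
    that never become ready because they sit on or behind an ordering cycle. systemd
    breaks such a cycle by deleting a job instead, which left iptables.service dead."""
    indegree = {u: 0 for u in graph}
    for u in graph:
        for v in graph[u]:
            indegree[v] += 1
    ready = deque(sorted(u for u in graph if indegree[u] == 0))
    order = []
    while ready:
        u = ready.popleft()
        order.append(u)
        for v in sorted(graph[u]):
            indegree[v] -= 1
            if indegree[v] == 0:
                ready.append(v)
    return order, set(graph) - set(order)
```

With the broken units every unit is stuck (the whole cycle), while the fixed set starts iptables.service first, then network.service, then network.target, which is the order va argued for.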