[Server-devel] [XSCE] Re: iptables issue on fedora 21

Tim Moody tim at timmoody.com
Mon Mar 30 15:19:31 EDT 2015


I think so, but I'd rather have Jerry's opinion.


From: xsce-devel at googlegroups.com [mailto:xsce-devel at googlegroups.com] On Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:20 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21


So it should be fixed then, right?


On Mon, Mar 30, 2015 at 11:39 PM, Tim Moody <tim at timmoody.com> wrote:

sounds right to me.  Here's mine (some commits before the current master)

[root at xsce-devel ~]# cat /usr/lib/systemd/system/iptables.service
[Unit]
Description=IPv4 firewall with iptables
After=syslog.target
ConditionPathExists=/etc/sysconfig/iptables

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/iptables/iptables.init start
ExecStop=/usr/libexec/iptables/iptables.init stop
Environment=BOOTUP=serial
Environment=CONSOLETYPE=serial
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=basic.target


From: xsce-devel at googlegroups.com [mailto:xsce-devel at googlegroups.com] On Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 2:03 PM
To: xsce-devel
Cc: server-devel
Subject: Re: [XSCE] Re: iptables issue on fedora 21


Okay, I just had a chat about this first on #fedora-server and then on #systemd 

They think in iptables.service it should be Before=network.target instead of After.. changing that works for me (although would need wiser minds to comment on its correctness).

anyway .. IRC log attached below..

<m_anish> Hi, I am facing an issue with systemd/iptables on a fedora 21 setup... asked on #fedora without much luck, so asking here... 
<m_anish> so, iptables is enabled but doesnt start .. relevant journal log --> http://fpaste.org/204855/42773649/
<m_anish> the network is setup such that eth is the WAN and hostapd is running on the wifi functioning as the LAN
<m_anish> firewall is disabled 
<va> who the heck came up with that? iptables does not depend on network.
<m_anish> http://fpaste.org/204842/35817142/
<m_anish> is the actual iptables^^
<m_anish> va, ah! so removing that should fix it then!?
<m_anish> (i didn't edit it myself, but this is a f21 setup, on which ansible does some tweaks etc.)
<grawity> is that iptables.init script a regular Fedora thing?
<va> if anything, iptables ought to have a Before=network{.service,target,whateveR}
<m_anish> grawity, one moment, i can check that (i have a 'regular' f21 machine with me as well)
<m_anish> hmm i don't have iptables installed on my regular machine (wtf) 
<m_anish> va, ok
<m_anish> grawity, i'll install iptables in a clean vm to see what is happening
<m_anish> okay, so hostapd is After=network.target .. i'd wan't iptables to come into play after that I guess
<m_anish> va, this is the iptables.service file --> http://fpaste.org/204870/73779914/ you reckon i should s/After/Before there?
<m_anish> (also see the last comment abt hostapd)
<va> LIke I said. Before=network
<va> you want to have the rules loaded BEFORE all evil can get through your network doors
<m_anish> va, will give it a try .. fwiw, this is probably not standard f21 .. but someone's error https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service
<va> it's always _someone's_ error
<m_anish> :)
<m_anish> va, okay, it worked I think! (will test more thoroughly for other stuff)
<m_anish> thx!


On Mon, Mar 30, 2015 at 11:28 PM, Tim Moody <tim at timmoody.com> wrote:

looks like a cross dependency between the systemd unit files:

iptables depends on network and network depends on iptables.

Waiting for Jerry to weigh in.


From: xsce-devel at googlegroups.com [mailto:xsce-devel at googlegroups.com] On Behalf Of Anish Mangal
Sent: Monday, March 30, 2015 1:34 PM
To: xsce-devel; server-devel
Subject: [XSCE] Re: iptables issue on fedora 21


Some more messages from the journal from around that time suggest some kind of loop

* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on network.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on iptables.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on network.target/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on network.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start
* Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start


On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <anishmg at umich.edu> wrote:

Hi,

So I have an XSCE setup on a NUC originally in appliance mode, and now I am using hostapd for the wifi network to function as LAN. After I set up hostapd (config file and enabling the service) I ran ./runansible again, and everything seems to work except iptables, which goes dead. Relevant messages below

[root at schoolserver anish]# journalctl -xb|grep iptables
Mar 30 22:34:22 schoolserver.lan systemd[1]: Found dependency on iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start
Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start
Mar 30 22:34:21 schoolserver.lan systemd[1]: Configuration file /etc/systemd/system/iptables.service is marked executable. Please remove executable permission bits. Proceeding anyway.

[root at schoolserver anish]# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/etc/systemd/system/iptables.service; enabled)
   Active: inactive (dead)


/etc/xsce/xsce.ini --> http://fpaste.org/204840/

If I start iptables manually, it works, but not automatically.

Any pointers would be helpful. 

Best,

Anish
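To make the loop in the journal messages above concrete, here is an added example (my own, not code from this thread, from XSCE or from systemd) that reads After=/Before= lines as a "must start before" graph and searches it for a cycle. The three unit stubs are constructed from the thread's description of the broken ordering, and the model deliberately ignores everything real systemd also considers (Wants=, implicit dependencies, the rest of the unit set).

```python
"""Ordering-cycle model for this thread; added example, not XSCE/systemd code."""
import re
from collections import defaultdict

# Constructed stubs matching the journal: only [Unit] After=/Before= matter.
BROKEN_UNITS = {
    "iptables.service": "[Unit]\nAfter=network.target\n",
    "network.target": "[Unit]\nAfter=network.service\n",
    "network.service": "[Unit]\nAfter=iptables.service\n",
}
# The fix suggested on #systemd: load firewall rules before the network.
FIXED_UNITS = {**BROKEN_UNITS, "iptables.service": "[Unit]\nBefore=network.target\n"}

def ordering_edges(units):
    """Return edges u -> v meaning 'u must start before v'."""
    edges = defaultdict(set)
    for name, text in units.items():
        for key, val in re.findall(r"^(After|Before)=(.+)$", text, re.M):
            for other in val.split():
                if key == "After":
                    edges[other].add(name)  # other starts before name
                else:
                    edges[name].add(other)  # name starts before other
    return edges

def find_cycle(edges):
    """DFS over the ordering graph; returns [a, b, ..., a] or [] if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, stack = defaultdict(int), []
    def visit(u):
        colour[u] = GREY
        stack.append(u)
        for v in edges.get(u, ()):
            if colour[v] == GREY:  # back edge: v is still on the stack
                return stack[stack.index(v):] + [v]
            if colour[v] == WHITE:
                found = visit(v)
                if found:
                    return found
        stack.pop()
        colour[u] = BLACK
        return []
    for node in list(edges):
        if colour[node] == WHITE and (found := visit(node)):
            return found
    return []

if __name__ == "__main__":
    print("broken:", " -> ".join(find_cycle(ordering_edges(BROKEN_UNITS))))
    print("fixed:", find_cycle(ordering_edges(FIXED_UNITS)) or "no cycle")
```

The broken set reports network.target -> iptables.service -> network.service -> network.target, the same loop systemd resolved by dropping iptables.service/start and so booting with no firewall rules loaded; the fixed set reports no cycle.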