<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>sounds right to me. Here's mine (some commits before the current master)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>[root@xsce-devel ~]# cat /usr/lib/systemd/system/iptables.service<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>[Unit]<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Description=IPv4 firewall with iptables<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>After=syslog.target<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>ConditionPathExists=/etc/sysconfig/iptables<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>[Service]<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Type=oneshot<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>RemainAfterExit=yes<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span 
style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>ExecStart=/usr/libexec/iptables/iptables.init start<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>ExecStop=/usr/libexec/iptables/iptables.init stop<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Environment=BOOTUP=serial<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Environment=CONSOLETYPE=serial<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>StandardOutput=syslog<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>StandardError=syslog<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>[Install]<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>WantedBy=basic.target</span><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> <o:p></o:p></span></b></p><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'><o:p> </o:p></span></b></p><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'> xsce-devel@googlegroups.com [mailto:xsce-devel@googlegroups.com] <b>On Behalf Of 
</b>Anish Mangal<br><b>Sent:</b> Monday, March 30, 2015 2:03 PM<br><b>To:</b> xsce-devel<br><b>Cc:</b> server-devel<br><b>Subject:</b> Re: [XSCE] Re: iptables issue on fedora 21<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><div><div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>Okay, I just had a chat about this first on #fedora-server and then on #systemd <o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>They think in iptables.service it should be Before=network.target instead of After.. changing that works for me (although would need wiser minds to comment on its correctness).<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in'>anyway .. IRC log attached below..<br><br><m_anish> Hi, I am facing an issue with systemd/iptables on a fedora 21 setup... asked on #fedora without much luck, so asking here... <br><m_anish> so, iptables is enabled but doesn't start .. relevant journal log --> <a href="http://fpaste.org/204855/42773649/">http://fpaste.org/204855/42773649/</a><br><m_anish> the network is set up such that eth is the WAN and hostapd is running on the wifi functioning as the LAN<br><m_anish> firewall is disabled <br><va> who the heck came up with that? iptables does not depend on network.<br><m_anish> <a href="http://fpaste.org/204842/35817142/">http://fpaste.org/204842/35817142/</a><br><m_anish> is the actual iptables^^<br><m_anish> va, ah! 
so removing that should fix it then!?<br><m_anish> (i didn't edit it myself, but this is a f21 setup, on which ansible does some tweaks etc.)<br><grawity> is that iptables.init script a regular Fedora thing?<br><va> if anything, iptables ought to have a Before=network{.service,target,whatever}<br><m_anish> grawity, one moment, i can check that (i have a 'regular' f21 machine with me as well)<br><m_anish> hmm i don't have iptables installed on my regular machine (wtf) <br><m_anish> va, ok<br><m_anish> grawity, i'll install iptables in a clean vm to see what is happening<br><m_anish> okay, so hostapd is After=network.target .. i'd want iptables to come into play after that I guess<br><m_anish> va, this is the iptables.service file --> <a href="http://fpaste.org/204870/73779914/">http://fpaste.org/204870/73779914/</a> you reckon i should s/After/Before there?<br><m_anish> (also see the last comment abt hostapd)<br><va> Like I said. Before=network<br><va> you want to have the rules loaded BEFORE all evil can get through your network doors<br><m_anish> va, will give it a try .. fwiw, this is probably not standard f21 .. but someone's error <a href="https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service">https://github.com/XSCE/xsce/blob/8f5f875db10cb181f09a62670601c7da9f6fe37a/roles/network/templates/gateway/iptables.service</a><br><va> it's always _someone's_ error<br><m_anish> :)<br><m_anish> va, okay, it worked I think! 
(will test more thoroughly for other stuff)<br><m_anish> thx!<br><br><o:p></o:p></p><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:.5in'>On Mon, Mar 30, 2015 at 11:28 PM, Tim Moody <<a href="mailto:tim@timmoody.com" target="_blank">tim@timmoody.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>looks like a cross dependency between the systemd unit files:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>iptables depends on network and network depends on iptables.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'>Waiting for Jerry to weigh in.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in'><span style='font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span 
style='font-size:11.0pt;font-family:"Calibri",sans-serif'> <a href="mailto:xsce-devel@googlegroups.com" target="_blank">xsce-devel@googlegroups.com</a> [mailto:<a href="mailto:xsce-devel@googlegroups.com" target="_blank">xsce-devel@googlegroups.com</a>] <b>On Behalf Of </b>Anish Mangal<br><b>Sent:</b> Monday, March 30, 2015 1:34 PM<br><b>To:</b> xsce-devel; server-devel<br><b>Subject:</b> [XSCE] Re: iptables issue on fedora 21</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'>Some more messages from the journal from around that time suggest some kind of loop<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan systemd[1]: Found ordering cycle on network.service/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on iptables.service/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan systemd[1]: Found dependency on network.target/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan 
systemd[1]: Found dependency on network.service/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;line-height:14.4pt;vertical-align:top'><span style='font-family:Symbol'>·</span> <span style='font-family:"Courier New"'>Mar 30 22:55:17 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'>On Mon, Mar 30, 2015 at 10:42 PM, Anish Mangal <<a href="mailto:anishmg@umich.edu" target="_blank">anishmg@umich.edu</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><div><div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'>Hi,<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'>So I have an XSCE setup on a NUC originally in appliance mode, and now I am using hostapd for the wifi network to function as lan. After I setup hostapd (config file and enabling the service) I ran ./runansible again, and everything seems to work except iptables, which goes dead. 
Relevant messages below<br><br>[root@schoolserver anish]# journalctl -xb|grep iptables<br>Mar 30 22:34:22 schoolserver.lan systemd[1]: Found dependency on iptables.service/start<br>Mar 30 22:34:22 schoolserver.lan systemd[1]: Breaking ordering cycle by deleting job iptables.service/start<br>Mar 30 22:34:22 schoolserver.lan systemd[1]: Job iptables.service/start deleted to break ordering cycle starting with network.service/start<br>Mar 30 22:34:21 schoolserver.lan systemd[1]: Configuration file /etc/systemd/system/iptables.service is marked executable. Please remove executable permission bits. Proceeding anyway.<br><br>[root@schoolserver anish]# systemctl status iptables.service<br>● iptables.service - IPv4 firewall with iptables<br> Loaded: loaded (/etc/systemd/system/iptables.service; enabled)<br> Active: inactive (dead)<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'><br>/etc/xsce/xsce.ini --> <a href="http://fpaste.org/204840/" target="_blank">http://fpaste.org/204840/</a><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'>If I start iptables manually, it works, but not automatically.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'>Any pointers would be helpful. 
<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in'>Best,<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'>Anish<o:p></o:p></p></div></blockquote></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt;margin-left:1.0in'><br><br clear=all><o:p></o:p></p></div></div></div></div></div></div></blockquote></div><p class=MsoNormal style='margin-left:.5in'><br><br clear=all><br>-- <o:p></o:p></p><div><div><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div></div></div></div></div></body></html>
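The ordering cycle the journal reports (network.service waits for iptables.service, which waits for network.target, which waits for network.service) can be caught before a unit file is deployed by reading the After= and Before= lines of the units involved and searching the resulting graph for a loop. The script below is an added example, not code from this thread or from XSCE; the network.service and network.target fragments are constructed to reproduce the reported cycle, and the second unit set shows that the Before=network.target change suggested on #systemd removes it.

```python
import re
from collections import defaultdict

# Constructed unit fragments (assumptions, not the thread's files): iptables.service
# After=network.target plus a network.service after iptables and before network.target.
UNITS_BROKEN = {
    "iptables.service": "[Unit]\nAfter=syslog.target network.target\n[Service]\nType=oneshot\n",
    "network.service": "[Unit]\nAfter=iptables.service\nBefore=network.target\n",
    "network.target": "[Unit]\nDescription=Network\n",
}
# Same units with the fix suggested on #systemd: iptables Before=network.target.
UNITS_FIXED = dict(UNITS_BROKEN,
                   **{"iptables.service": "[Unit]\nAfter=syslog.target\nBefore=network.target\n"})

def ordering_edges(units):
    """Return (x, y) pairs meaning 'x starts before y', from [Unit] After=/Before=."""
    edges = set()
    for name, text in units.items():
        section = None
        for line in (raw.strip() for raw in text.splitlines()):
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            m = re.match(r"(After|Before)=(.*)", line)
            if section == "Unit" and m:
                for other in m.group(2).split():
                    edges.add((other, name) if m.group(1) == "After" else (name, other))
    return edges

def find_cycle(edges):
    """Return one ordering cycle as a list of units (first == last), or [] if none."""
    graph = defaultdict(list)
    for a, b in edges:
        graph[a].append(b)
    done = set()
    def visit(node, path):  # depth-first search that carries the current path
        if node in path:
            return path[path.index(node):] + [node]
        if node in done:
            return []
        for nxt in graph[node]:
            if cycle := visit(nxt, path + [node]):
                return cycle
        done.add(node)
        return []
    for start in sorted(graph):
        if cycle := visit(start, []):
            return cycle
    return []
```

Running `find_cycle(ordering_edges(UNITS_BROKEN))` returns the same loop systemd logged, and the fixed set returns an empty list, which is the check worth running over a role's unit templates before `systemctl daemon-reload` on a gateway.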