View Issue Details

ID: 0003910
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2018-02-21 09:42
Reporter: edermi
Assigned To:
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: open
Product Version: 2016.2
Summary: 0003910: iptables-persistent does not apply firewall rules on boot
Description

iptables-persistent does not load the saved firewall rules on boot. There is no systemd service for manually enabling this behavior, only the legacy way by running "update-rc.d netfilter-persistent enable". It is usual that installing iptables-persistent already enables the service and loads the rules.

Steps To Reproduce
  1. Install iptables-persistent
  2. When asked, save firewall rules.
    2a. If the rules were empty, edit them in /etc/iptables/rules.v4 (just to see if they are applied). I'm using

        *filter
        :INPUT DROP [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -i lo -j ACCEPT
        COMMIT

        as example here.
    2b. Load the rules via "iptables-restore < /etc/iptables/rules.v4"
  3. iptables -L

     should show the rules

  4. reboot
  5. iptables -L

Expected outcome:
After 5.), the output should be the same as after 3.) if the rules were loaded successfully

Actual outcome:
The list is empty and the firewall has its default settings (allow everything) enabled

Workaround:

update-rc.d netfilter-persistent enable

Additionally I'd like to note that users may already rely on the correct behavior, so this is possibly also a security issue.

Additional Information

dpkg --status iptables-persistent
Package: iptables-persistent
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 42
Maintainer: Jonathan Wiltshire <[email protected]>
Architecture: all
Version: 1.0.4+nmu1
Depends: netfilter-persistent (= 1.0.4+nmu1), iptables, debconf (>= 0.5) | debconf-2.0
Description: boot-time loader for netfilter rules, iptables plugin
netfilter-persistent is a loader for netfilter configuration using a
plugin-based architecture.
.
This package contains the iptables and ip6tables plugins.
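
A check for the failure described in this report, added here as an example (it is not part of the original report or of the iptables-persistent package): it compares the running filter table with the saved file and warns if the loader is not enabled at boot. The function names and the `--live` switch are hypothetical; the service name netfilter-persistent and the path /etc/iptables/rules.v4 are taken from the report.

```sh
#!/bin/sh
# Added example: confirm the saved ruleset is what the kernel enforces after boot.
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"   # path used in the report

# Reduce iptables-save text on stdin to a comparable form: keep only the
# *filter table, drop comments and blank lines, and strip the [packets:bytes]
# counters on chain lines, which change while the host is running.
normalize_filter() {
    sed -n -e 's/[[:space:]]*$//' -e '/^\*filter$/,/^COMMIT$/{
        /^#/d
        /^$/d
        s/ \[[0-9][0-9]*:[0-9][0-9]*\]$//
        p
    }'
}

# Exit 0 only if both files hold the same, non-empty filter table.
same_filter_rules() {
    a=$(normalize_filter < "$1") || return 2
    b=$(normalize_filter < "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check (run as root): is the loader enabled for boot, and does the
# running filter table match the saved file?
check_boot_persistence() {
    live=$(mktemp) || return 2
    iptables-save -t filter > "$live" || { rm -f "$live"; return 2; }
    rc=0
    # Assumption: the service is named netfilter-persistent, as in the workaround.
    systemctl is-enabled --quiet netfilter-persistent ||
        { echo "WARN: netfilter-persistent is not enabled at boot"; rc=1; }
    same_filter_rules "$RULES_FILE" "$live" ||
        { echo "WARN: running filter table differs from $RULES_FILE"; rc=1; }
    rm -f "$live"
    return "$rc"
}

# Touch the system only when asked: sh check-fw.sh --live
if [ "${1:-}" = "--live" ]; then
    check_boot_persistence
    exit $?
fi
```

A hand-edited rules file can differ textually from the canonical form iptables-save prints, so a mismatch warning on a freshly loaded ruleset may only mean the file should be regenerated with iptables-save.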

Activities

Senni

2017-05-09 22:50

reporter   ~0006651

Isn't it expected behaviour? Once installed you have to call enable, once done rebooting will load the rules.

systemctl enable netfilter-persistent.service
systemctl start netfilter-persistent.service

Looking at the deb, I think it's not intended to auto enable the service but rather just place the systemd service, although I am quite new to .deb's so could be wrong!

The post scripts seem to call the below which suggests the intention is to not start the service post install:
update-rc.d iptables-persistent remove

g0tmi1k

2018-02-21 09:42

administrator   ~0008750

Due to the age of the OS (Kali Moto [v1], Kali Safi [v2], Kali Rolling 2016.x/2017.1), these legacy versions are no longer supported.
We will be closing this ticket due to inactivity.

Please could you see if you are able to replicate this issue with the latest version of Kali Linux (https://www.kali.org/downloads/)?

If you are still facing the same problem, feel free to re-open the ticket. If you choose to do this, could you provide more information to the issue you are facing, and also give information about your setup?
For more information, please read: https://kali.training/topic/filing-a-good-bug-report/

Issue History

Date Modified Username Field Change
2017-03-07 10:22 edermi New Issue
2017-05-09 22:50 Senni Note Added: 0006651
2018-02-21 09:42 g0tmi1k Note Added: 0008750
2018-02-21 09:42 g0tmi1k Status new => closed