|
Same here!
ERROR: problem running ufw-init
iptables-restore: COMMIT expected at line 21
iptables-restore: COMMIT expected at line 19
iptables-restore: line 2 failed
Problem running '/etc/ufw/user.rules'
I actually removed and purged both ufw and iptables because of this bug. |
|
|
RoseDeSable
You can enable ufw and you will see this bug. Logging is not working at all, which may be the issue; I'm not yet sure, and I would be happy to hear from the maintainers who merged this from upstream. Does anyone test packages before sending them out in kali-rolling? This is a major bug and it should be marked as CRITICAL! |
|
|
hacktivist
Last week ufw was upgraded to 0.36-1. It was running without any error. Only after the upgrade of some other packages yesterday did the problem occur. Therefore I believe that Kali has problems with different levels of software in the case where one product especially depends on another product. |
|
|
It is not ufw which has the problem, because "last week's" version worked even yesterday. As far as I can see this is a bug in IPTABLES:
https://pkg.kali.org/news/393439/iptables-184-2-imported-into-kali-rolling/
UFW works correctly but can't commit to iptables.
You can check using "iptables -S" that your rules are not passed on by ufw.
I have tried to install the older version of iptables from kali-rolling, but according to "apt-cache policy iptables" only version 1.8.4-2 is available. On Debian https://tracker.debian.org/news/1100518/iptables-184-2-migrated-to-testing/ you can see that the current version of iptables is in fact still in testing! |
|
|
Indeed,
you strike home:
||/ Name Version Architektur Beschreibung
+++-==============-============-============-=================================================
ii iptables 1.8.3-2 <== the system without the failure
ii iptables 1.8.4-2 <== the system with the failure
If I call "iptables -S" on 1.8.4-2, then I only receive
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
I see no tables.
I'm glad to have created a second Kali on a USB SSD: this is my trying / backup / destroy system, where I make upgrades. Only if I have no errors do I upgrade my main system on the laptop. Once a week I synchronise the USB system with my main system: I boot kali-live on my laptop and run my bash script, which uses rsync. So I can do my work without interruption. |
|
|
No matter what you do. This is a big bug affecting everyone seriously. |
|
|
This is likely this Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=951102
and this one too: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949739
And reported upstream here: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
I'll downgrade iptables in kali-rolling for now. |
|
|
The following packages have unmet dependencies:
iptables : Depends: libip4tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libip6tc2 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libiptc0 (= 1.8.3-2) but 1.8.4-2 is to be installed
Depends: libxtables12 (= 1.8.3-2) but 1.8.4-2 is to be installed
Recommends: nftables but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
This is a big problem.
apt autoremove --purge libip4tc2 libip6tc2 libiptc0 libxtables12
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
initscripts insserv startpar sysv-rc
Suggested packages:
bootchart2
The following packages will be REMOVED:
accountsservice apg appstream apt-config-icons atom bleachbit bolt chrome-gnome-shell colord colord-data dbus-user-session default-mysql-server desktop-file-utils dkms dnsmasq-base easy-rsa eject
ettercap-graphical exfat-fuse exfat-utils fonts-firacode fwupd fwupd-amd64-signed galera-3 gdm3 gir1.2-accountsservice-1.0 gir1.2-evince-3.0 gir1.2-gck-1 gir1.2-gcr-3 gir1.2-gdm-1.0 gir1.2-geoclue-2.0
gir1.2-gmenu-3.0 gir1.2-gnomebluetooth-1.0 gir1.2-gweather-3.0 gir1.2-handy-0.0 gir1.2-ibus-1.0 gir1.2-mutter-5 gir1.2-nm-1.0 gir1.2-nma-1.0 gir1.2-packagekitglib-1.0 gir1.2-polkit-1.0 gir1.2-upowerglib-1.0
gnome-control-center gnome-control-center-data gnome-core gnome-disk-utility gnome-session gnome-session-bin gnome-session-common gnome-settings-daemon gnome-settings-daemon-common gnome-shell gnome-shell-common
gnome-shell-extension-dashtodock gnome-shell-extension-desktop-icons gnome-shell-extension-easyscreencast gnome-shell-extension-proxyswitcher gnome-shell-extension-workspaces-to-dock gnome-shell-extensions
gnome-software gnome-software-common gnome-sushi gnome-tweak-tool gnome-tweaks gparted gparted-common gstreamer1.0-packagekit gvfs gvfs-backends gvfs-bin gvfs-common gvfs-daemons gvfs-fuse gvfs-libs ibus
ibus-data ibus-gtk ibus-gtk3 ifenslave ifupdown im-config init iproute2 isc-dhcp-client kali-desktop-core kali-desktop-gnome kali-grant-root kali-linux-core kali-menu kali-themes libaccountsservice0
libappstream-glib8 libappstream4 libatasmart4 libayatana-appindicator3-1 libayatana-indicator3-7 libblockdev-crypto2 libblockdev-fs2 libblockdev-loop2 libblockdev-part-err2 libblockdev-part2 libblockdev-swap2
libblockdev-utils2 libblockdev2 libcolord-gtk1 libcolorhug2 libconfig-inifiles-perl libdbd-mysql-perl libdbi-perl libdbusmenu-gtk3-4 libdns-export1107 libfwupd2 libfwupdplugin1 libgcab-1.0-0 libgdm1
libgnome-autoar-0-0 libgnome-menu-3-0 libgsoap-2.8.91 libgusb2 libhtml-template-perl libibus-1.0-5 libip4tc2 libip6tc2 libiptc0 libisc-export1104 libjudydebian1 libmusicbrainz5-2 libmusicbrainz5cc2v5
libmutter-5-0 libndp0 libnma0 libnss-myhostname libnss-systemd libpackagekit-glib2-18 libpam-systemd libparted-fs-resize0 libpipewire-0.2-1 libpkcs11-helper1 libplymouth4 libpolkit-agent-1-0
libpulse-mainloop-glib0 librygel-core-2.6-2 librygel-db-2.6-2 librygel-renderer-2.6-2 librygel-server-2.6-2 libsmbios-c2 libteamdctl0 libterm-readkey-perl libtss2-esys0 libvncserver1 libvolume-key1 libxcb-res0
libxmlb1 libxtables12 mariadb-client-10.3 mariadb-client-core-10.3 mariadb-server-10.3 mariadb-server-core-10.3 miredo mobile-broadband-provider-info mousetweaks mutter mutter-common nautilus nautilus-data
network-manager network-manager-gnome network-manager-openvpn network-manager-openvpn-gnome numad opensc opensc-pkcs11 openvpn packagekit packagekit-tools plymouth plymouth-label policykit-1 ppp
python3-distro-info python3-ibus-1.0 python3-software-properties qt5-gtk2-platformtheme qt5-style-plugin-cleanlooks qt5-style-plugin-motif qt5-style-plugin-plastique qt5-style-plugins realmd rsync rtkit rygel
software-properties-common software-properties-gtk switcheroo-control systemd systemd-sysv tpm-udev udisks2 unattended-upgrades virtualbox virtualbox-dkms virtualbox-ext-pack virtualbox-qt vlan
xdg-desktop-portal xwayland
The following NEW packages will be installed:
initscripts insserv startpar sysv-rc
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
init systemd-sysv (due to init) |
|
|
Good Morning Hacktivist,
you must re-install version 1.8.3-2 of iptables. In this case you must also downgrade the other packages shown to their older versions. I did the following:
1) apt-get install iptables=1.8.3-2 libip4tc2=1.8.3-2 libip6tc2=1.8.3-2 libiptc0=1.8.3-2 libxtables12=1.8.3-2
2) I restart my system
3) I re-enable my ufw. Everything goes right:
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
...
4) I update my package list and run a dist-upgrade (apt-get update; apt-get dist-upgrade). Version 1.8.4-2 of iptables isn't seen:
espeak-ng-data exploitdb keyutils libbson-1.0-0 libcgi-pm-perl libespeak-ng1 libkeyutils1 libkeyutils1:i386 libmongoc-1.0-0 libnet-dns-sec-perl libpng-dev libpng-tools libpng16-16 libpng16-16:i386 liburi-perl login passwd python-cryptography python-passlib python3-cryptography python3-passlib
For rhertzog:
I believe that the stuff of Kali must do something to remove the failing version of iptables from systems where it is already installed!!!
Bye
Rose |
|
|
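A check a defender would want after a downgrade like the one Rose describes, added here as an example and not code posted by anyone in this thread: parse the output of "iptables -S" and confirm that ufw's chains were actually committed to the kernel, because in the broken state "ufw status" reports active while the kernel holds only the three default policies. The two sample dumps are constructed from the listings in this thread; the "--live" mode and the apt pin writer (which keeps iptables and the four libraries from the unmet-dependencies message at the working version) are my own assumptions, not steps anyone here posted.

```shell
#!/bin/sh
# Added example (not from the thread): detect "ufw says active, iptables is empty".

# ufw_rules_present DUMP
# DUMP is the text of `iptables -S`. Returns 0 when the ufw-user-input chain
# exists and INPUT jumps into ufw-before-input, i.e. ufw's rules were committed.
ufw_rules_present() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q '^-N ufw-user-input$' || return 1
    printf '%s\n' "$dump" | grep -q '^-A INPUT -j ufw-before-input$' || return 1
    return 0
}

# Constructed sample: the broken state seen in the thread (only the policies).
BROKEN_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a healthy state, abbreviated from the thread's listing.
HEALTHY_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A ufw-before-input -j ufw-user-input'

# write_iptables_pin DIR VERSION
# Writes an apt preferences file pinning iptables and its libraries to VERSION
# (assumption: pinning is my suggestion; on a real host DIR is /etc/apt/preferences.d).
write_iptables_pin() {
    dir="$1"; ver="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/iptables-pin" <<EOF
Package: iptables libip4tc2 libip6tc2 libiptc0 libxtables12
Pin: version $ver
Pin-Priority: 1001
EOF
}

# check_live_firewall
# Probes the running system. Exit 2 means ufw reports active but no ufw chains
# are loaded, which is exactly the silent failure discussed above.
check_live_firewall() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 3; }
    dump="$(iptables -S 2>/dev/null)" || { echo "iptables -S failed"; return 3; }
    if ufw status 2>/dev/null | grep -q '^Status: active'; then
        if ufw_rules_present "$dump"; then
            echo "OK: ufw active and its chains are loaded"
            return 0
        fi
        echo "ALERT: ufw reports active but iptables holds no ufw chains (rules never committed)"
        return 2
    fi
    echo "ufw inactive; nothing to check"
    return 0
}

# Run the live probe only when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--live" ]; then
    check_live_firewall
fi
```

Run it as "sh check-ufw.sh --live" after "ufw enable"; a return code of 2 is the state this thread describes and is worth alerting on, since the host believes it is firewalled while every policy is ACCEPT.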
root@localhost:~# ufw status verbose
Status: inactive
root@localhost:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
root@localhost:~# ufw default deny outgoing
Default outgoing policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# ufw enable
Firewall is active and enabled on system startup
root@localhost:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N ufw-before-logging-input
-N ufw-before-logging-output
-N ufw-before-logging-forward
-N ufw-before-input
-N ufw-before-output
-N ufw-before-forward
-N ufw-after-input
-N ufw-after-output
-N ufw-after-forward
-N ufw-after-logging-input
-N ufw-after-logging-output
-N ufw-after-logging-forward
-N ufw-reject-input
-N ufw-reject-output
-N ufw-reject-forward
-N ufw-track-input
-N ufw-track-output
-N ufw-track-forward
-N ufw-logging-deny
-N ufw-logging-allow
-N ufw-skip-to-policy-input
-N ufw-skip-to-policy-output
-N ufw-skip-to-policy-forward
-N ufw-not-local
-N ufw-user-input
-N ufw-user-output
-N ufw-user-forward
-N ufw-user-logging-input
-N ufw-user-logging-output
-N ufw-user-logging-forward
-N ufw-user-limit
-N ufw-user-limit-accept
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
root@localhost:~# ufw default deny incoming
Default incoming policy changed to 'deny'
(be sure to update your rules accordingly)
root@localhost:~# nano /etc/default/ufw
root@localhost:~# ufw reload
Firewall reloaded
root@localhost:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), deny (outgoing), disabled (routed)
New profiles: skip
root@localhost:~# ufw allow out on tun0 from any to any
Thanks for the hint! I forgot the =version |
|
|
Rose: stuff is not staff |
|
|
This will be properly fixed for everybody once 1.8.4-3 from Debian enters Kali. We will wait until it reaches testing. |
|
|
1.8.4-3 is in Debian testing |
|