Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Script not always called?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Mon Aug 17, 2015 2:23 am    Post subject: Script not always called? Reply with quote

I have a script in /etc/ppp/ip-up.d and another in /etc/ppp/ip-down.d to modify iptables rules for VPN connections. Below are the scripts.

This script sets up the firewall rule when a VPN connection is formed.
Code:

#!/bin/bash

# If the interface was specified, add the rule
if [ $# -eq 6 ] && [ ! -z "$1" ]; then
  iptables -A INPUT -i $1 -m state --state NEW -j ACCEPT
fi


Here is the one for clearing the rule once the interface goes away. This is the failing one.
Code:

#!/bin/bash

# If the interface was specified, delete the rule
if [ $# -eq 6 ] && [ ! -z "$1" ]; then
  iptables -D INPUT -i $1 -m state --state NEW -j ACCEPT
  logger "VPN DEBUG - Removed iptables rules for $1"
else
  logger "VPN DEBUG - Did not remove the iptables for $1"
  if [ $# -ne 6 ]; then
    logger "VPN DEBUG - Did not get six arguments"
  fi
fi


However, the script for clearing the rule is NOT always called for some reason. There is nothing logged in /var/log/messages meaning it is not even being called.

My iptables rules after two days of on/off usage. This is after a clean boot after being off all night.
Code:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,135,139,445,3389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 137,138,5060,7078,9078 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT

I have no idea why it isn't being called at all. Can somebody help me figure this out?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14180

PostPosted: Mon Aug 17, 2015 2:29 am    Post subject: Reply with quote

What happens if you run it by hand with the correct arguments? Why are you adding and removing the rules at all? Is the interface name unpredictable?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Tue Aug 18, 2015 2:35 pm    Post subject: Reply with quote

It works flawlessly if I run it manually. The script to add the rules ALWAYS works. The reason that I do this is to allow ALL traffic on a PPP interface. I only use PPP for VPN connections to my office or a client location, so I am on a secure network. In other words, when a PPP connection comes up, I do not want it filtered by iptables. When it goes down I need to remove the rules. The interfaces show up as ppp<x> for my VPN connections.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14180

PostPosted: Tue Aug 18, 2015 11:34 pm    Post subject: Reply with quote

I understand that you need special rules for PPP traffic. I do not understand why you cannot leave those rules loaded indefinitely, and let them be ignored when there is no PPP interface. If your VPN links are always named pppN, you can use the wildcard interface name ppp+ in iptables to match all VPN links.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Wed Aug 19, 2015 1:58 pm    Post subject: Reply with quote

I have had issues in the past where setting a rule for a non-existent interface would throw/log a warning or even not work. This may not be the case now, but here is another reason to solve this: It is not working. Something is broken and I am not sure what it is. All of the scripts in ip-up.d get called, so why do the ones in ip-down.d only get called when the system feels like it? This is an issue. While I may have a workaround now, others may need this functionality.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
steveL
Watchman
Watchman


Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Wed Aug 19, 2015 4:33 pm    Post subject: Reply with quote

Are you sure your script is marked executable?

We can get to the scripting part after you've got it reliably invoked.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Thu Aug 20, 2015 1:08 pm    Post subject: Reply with quote

The script is marked 755, executable. Note that the script logs everything, so I only have to grep for the phrase "VPN DEBUG". It simply does not appear to always get called. I did take Hu's advice and modified my firewall as follows.
Code:

~ $ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,135,139,445,3389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 137,138,5060,7078,9078 -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i lo -j ACCEPT

Not sure if that is correct, but so far so good. Right now I just want to know why the script is not being called when a VPN connection goes down. Rather, why it is not called every time, only half the time. Note that if the script is not called with six arguments it logs that too, so there is no reason that the script should not log SOMETHING, even if it is called incorrectly.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Tue Aug 25, 2015 1:04 pm    Post subject: Reply with quote

So nobody can explain why the script(s) in /etc/ppp/ip-down.d/ are not being called every time a PPP device is removed?
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6294

PostPosted: Tue Aug 25, 2015 8:44 pm    Post subject: Reply with quote

The calling of the scripts is not directly related to the interface going up or down.
The scripts are actually called by pppd. So, for instance, if pppd dies unexpectedly or is killed, the scripts are not called. Similarly, if something else than pppd brings up or down the interface.
Back to top
View user's profile Send private message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1396
Location: Fayetteville, NC, USA

PostPosted: Wed Aug 26, 2015 7:34 pm    Post subject: Reply with quote

That explains it. Some clients use Watchguard routers which do PPTP VPN. For some reason a few of these will cause pppd to just disappear (terminate?) the first time you try connecting. Trying a second time and every time afterwards works. Thanks for the info!
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum