Question

Hi,

I add the rule in /etc/firewall.user:

iptables -t filter -I INPUT 2 -s X.X.X.X/32 -j DROP.

After reboot or executing "/etc/init.d/firewall restart", this rule appears in output of the command "itables -t filter --list-rules":

..........

-N zone_wan_src_REJECT

-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule

......................

It`s all good. But later output of the command "itables -t filter --list-rules" changed:

..............................

-N zone_wan_src_REJECT

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT

-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

.......................................

A few minutes later numbers of string "-A INPUT -s X.X.X.X/32 -j DROP" had increased even more...:

.......

-N zone_wan_src_REJECT

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT

-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT

...............

Why my rule from /etc/firewall.user dublicated ?

My device: Teltonika RUT900 3G ,fw: RUT9XX_R_00.06.09.2

Thanks!

Answer 1

Hello,

I was not able to replicate the issue. 

Could you tell, which device and which firmware did you experience this behavior?

Could you share a troubleshoot file? Please, replicate the issue, then access router's WebUI, go to System -> Administration -> Troubleshoot section and download troubleshoot file from there. The logs in the file might provide more insight into the issue.

Attached files are private and visible only to Teltonika Moderators.

Best regards,

Comments

Could you try this workaround:

iptables -t filter -C INPUT 2 -s X.X.X.X/32 -j DROP || iptables -t filter -I INPUT 2 -s X.X.X.X/32 -j DROP

to check the presence of the rule before (re)-adding it.

---

I has added your command string in /etc/firewall.user, but changed a little:

iptables -t filter -C INPUT -s X.X.X.X/32 -j DROP || iptables -t filter -I INPUT 2 -s X.X.X.X/32 -j DROP

and also I try this version: 

 iptables -t filter -C INPUT -s X.X.X.X/32 -j DROP || iptables -t filter -I INPUT 3 -s X.X.X.X/32 -j DROP

For both versions the output "iptables --list-rules":

................

-N zone_wan_src_REJECT

-A INPUT -s X.X.X.X/32 -j DROP

-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT

-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule

..........................................................

Yes! It does not change over time!

For some reason, position number of our rule in chain INPUT always 1? 

---

By default, -I INPUT sets the new rule at position 1. -I INPUT n sets it at position n.

---

yes, but my command was:

iptables -t filter -I INPUT 2 -s X.X.X.X/32 -j DROP  and

iptables -t filter -I INPUT 3 -s X.X.X.X/32 -j DROP

buy rule appears in position 1...?

---

No idea why the rule ends up in position 1. Is there something else manipulating the iptables ?

---

No, only my commands in the file /etc/firewall.user... everything else is by default.

it is not clear when exactly this file is executed and how many times.

I solved this problem to add my rules in file /etc/rc.local.

the rules stopped being duplicated.