Problem: iptables cannot be changed. On my computer, I can run iptables -F. iptables -L shows it is flushed.

When any packets come into or out of the machine, all rules are back! The same behaviour happens if I do an iptables-restore < new_settings. They are there for a second, but once a packet comes through iptables it reverts.

I'm using Debian 8; the OS was an upgrade from Debian 7. It was originally someone else's computer.

What I've checked, thinking it would be one of these things:

  • iptables-persistent isn't present
  • /etc/iptables/ does not exist
  • When I look at systemctl processes there isn't even anything with ip in its name:

    /# systemctl --all | grep ip
    run-rpc_pipefs.mount      loaded active mounted    /run/rpc_pipefs
    systemd-initctl.socket    loaded active listening  /dev/initctl Compatibility Named Pipe

  • There is no firewalld on the system.

Where can we find services or something that is changing system configs?

Jono

2 Answers

Maybe you could use audit. Fedora enables it by default, and it floods the journal with NETFILTER_CFG lines.

See this question:

Audit on changes to the running iptables configuration

In the example shown, the relevant process is iptables, which may not be very helpful. However, it also records ppid, the parent process (as well as the obvious pid).

In case the parent process also exits immediately...

You could easily use process accounting (acct package) to track the names of every exiting process (lastcomm command). However that's less information than you might think. I'm thinking of "bash" here.

It might be better to run fatrace to track opened files, which includes program execution. Just don't try to pipe it e.g. through grep - it will fail to generate any output, I don't know why.

There's also a page on execsnoop. If you can use that program, or any of the alternatives it suggests, that would be the easiest to interpret.

Technically I haven't allowed for fork(). But I can't think of a good reason why you would fork() without exec() in order to create netfilter rules.

sourcejedi
  • Thank you for trying! The issue I was having is I wasn't sure which file was being opened (like with `fatrace`). Also the iptables process was always running and difficult to see when something odd was happening because it was dealing with a fair bit of traffic. – Jono May 18 '16 at 18:37

TL;DR: when you're having strange problems with config files changing all the time, check your /etc/network/if-*.d files, if you've already checked systemd configs.

Turns out another option for where something can change the iptables command (or really anything) is in the if-up.d or if-down.d folders, which make changes based on internet connectivity.

In /etc/network/ there was a folder for both if-pre-up.d, if-up.d, etc.

Each contains a set of scripts to run when the if-* condition is met. So whenever internet connections changed (which seemed to be any change in the iptables) it would run a script which ran /sbin/iptables-restore < /etc/network/iptables, which reset the iptables rules with the file iptables in /etc/network/.

Jono
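A quick way to audit the mechanism the accepted answer describes is to scan the ifupdown hook directories (and the interfaces file, whose pre-up/up/down/post-down lines also run commands) for anything that calls a firewall tool. This is an added example, not code from the question or either answer; the hook directory names are the standard ifupdown ones, and the set of tool names searched for (iptables, iptables-restore/-apply, ip6tables, nft) is an assumption.

```shell
#!/bin/sh
# Added example: list ifupdown hook scripts under ROOT/network/if-*.d, and
# command lines in ROOT/network/interfaces, that invoke iptables,
# iptables-restore/-apply, ip6tables or nft. ROOT defaults to /etc; pass a
# different root to audit a mounted image or a constructed test tree.
# The tool names matched below are an assumption, not taken from the page.

FW_PATTERN='(^|[^A-Za-z0-9_-])(ip6?tables(-restore|-apply)?|nft)([^A-Za-z0-9_-]|$)'

find_iptables_hooks() {
    root="${1:-/etc}"
    found=1                     # exit status: 0 once any hit has been printed
    # Hook directories ifupdown runs on interface events, plus the interfaces
    # file, whose pre-up/up/down/post-down options run arbitrary commands too.
    for path in "$root"/network/if-pre-up.d/* "$root"/network/if-up.d/* \
                "$root"/network/if-down.d/* "$root"/network/if-post-down.d/* \
                "$root"/network/interfaces; do
        [ -f "$path" ] || continue
        # Print the file and each matching line, so the restored rule file
        # (e.g. the argument of iptables-restore) is visible at a glance.
        if hits=$(grep -nE "$FW_PATTERN" "$path" 2>/dev/null); then
            found=0
            printf '%s\n' "$path"
            printf '%s\n' "$hits" | sed 's/^/    /'
        fi
    done
    return "$found"
}

# Run directly with a root to scan, e.g. "sh find_hooks.sh /etc".
if [ $# -gt 0 ]; then
    find_iptables_hooks "$1"
fi
```

A hit in if-up.d pointing at a rule file is the place to fix or remove; the exit status (0 when something was found) makes the check usable from a cron job or configuration audit.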