Discussion:
[Shorewall-users] ERROR: iptables-restore Failed.
Csányi Pál
2016-12-09 08:41:04 UTC
Hi,

I'm running Shorewall 5.0.11 on a Gentoo Linux system. This is on my laptop.

Today I realized that I can't start the shorewall service on my system.

I recently built my new kernel:
4.4.26-gentoo #1 SMP

When I check the shorewall settings with
# shorewall check
then everything is right.

But, when I start shorewall with command:
# shorewall start
and get messages:

Compiling using Shorewall 5.0.11...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/conntrack...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Generating Rule Matrix...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
iptables-restore: line 195 failed
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Disabled!
Processing /etc/shorewall/stopped ...
/usr/share/shorewall/lib.common: 93. sor: 6892 Finished
$SHOREWALL_SHELL $script $options $@

I am trying to follow this:
http://www.shorewall.net/troubleshoot.htm

Here I found that maybe the cause of this error is the REJECT
support in the kernel.
In the
/var/lib/shorewall/.iptables-restore-input
file, line 195 is only:
COMMIT

In kernel config I have these lines with REJECT:

# Core Netfilter Configuration
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m

# IP: Netfilter Configuration
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_IP_NF_TARGET_REJECT=m

# IPv6: Netfilter Configuration
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NF_REJECT_IPV6=m
# CONFIG_NFT_BRIDGE_REJECT is not set

What can I do to solve my problem?
--
Best, Pali
Thomas Deutschmann
2016-12-09 10:57:56 UTC
Hi,
Post by Csányi Pál
Hi,
I'm running Shorewall 5.0.11 on a Gentoo Linux system. This is on my laptop.
Today I realized that I can't start the shorewall service on my system.
I recently built my new kernel: 4.4.26-gentoo #1 SMP
[...]
http://www.shorewall.net/troubleshoot.htm
Here I found that maybe the cause of this error is the REJECT
support in the kernel. In the
/var/lib/shorewall/.iptables-restore-input file, line 195 is
only: COMMIT
Have you tried running `shorewall debug restart` like written in the
troubleshooting guide? This should show you exactly the rule which is
failing.

If you think this is related to REJECT target, check if "ipt_REJECT"
kernel module is loaded using "lsmod".


--
Regards,
Thomas
Tom Eastep
2016-12-09 16:15:33 UTC
Post by Thomas Deutschmann
Hi,
Post by Csányi Pál
Hi,
I'm running Shorewall 5.0.11 on a Gentoo Linux system. This is on my laptop.
Today I realized that I can't start the shorewall service on my system.
I recently built my new kernel: 4.4.26-gentoo #1 SMP
[...]
http://www.shorewall.net/troubleshoot.htm
Here I found that maybe the cause of this error is the
REJECT support in the kernel. In the
/var/lib/shorewall/.iptables-restore-input file, line 195 is
only: COMMIT
Have you tried running `shorewall debug restart` like written in
the troubleshooting guide? This should show you exactly the rule
which is failing.
If you think this is related to REJECT target, check if
"ipt_REJECT" kernel module is loaded using "lsmod".
The system log can also give clues in this case.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Csányi Pál
2016-12-09 17:49:04 UTC
Hi Thomas,
Hi,
Post by Csányi Pál
Hi,
I'm running Shorewall 5.0.11 on a Gentoo Linux system. This is on my laptop.
Today I realized that I can't start the shorewall service on my system.
I recently built my new kernel: 4.4.26-gentoo #1 SMP
[...]
http://www.shorewall.net/troubleshoot.htm
Here I found that maybe the cause of this error is the REJECT
support in the kernel. In the
/var/lib/shorewall/.iptables-restore-input file, line 195 is
only: COMMIT
Have you tried running `shorewall debug restart` like written in the
troubleshooting guide? This should show you exactly the rule which is
failing.
I just ran it and got this rule:

iptables: No chain/target/match by that name.
ERROR: Command "/sbin/iptables --wait -t filter -A INPUT -j LOG
--log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"" Failed
If you think this is related to REJECT target, check if "ipt_REJECT"
kernel module is loaded using "lsmod".
nf_reject_ipv4 16384 1 ipt_REJECT

so I think the ipt_REJECT kernel module is loaded.

I'm running syslog-ng.
In its log I find only two lines when Shorewall started:
Dec 9 18:48:01 cspg pali[5475]: ERROR:Shorewall start failed
Dec 9 18:48:01 cspg pali[5502]: Shorewall Stopped
--
Best, Pali
Tom Eastep
2016-12-09 17:55:10 UTC
Post by Csányi Pál
Hi Thomas,
Hi,
Post by Csányi Pál
Hi,
I'm running Shorewall 5.0.11 on a Gentoo Linux system. This is on my laptop.
Today I realized that I can't start the shorewall service on
my system.
I recently built my new kernel: 4.4.26-gentoo #1 SMP
[...]
http://www.shorewall.net/troubleshoot.htm
Here I found that maybe the cause of this error is the
REJECT support in the kernel. In the
/var/lib/shorewall/.iptables-restore-input file, line 195 is
only: COMMIT
Have you tried running `shorewall debug restart` like written in
the troubleshooting guide? This should show you exactly the rule
which is failing.
iptables: No chain/target/match by that name. ERROR: Command
"/sbin/iptables --wait -t filter -A INPUT -j LOG --log-level 6
--log-prefix "Shorewall:INPUT:REJECT:"" Failed
If you think this is related to REJECT target, check if
"ipt_REJECT" kernel module is loaded using "lsmod".
nf_reject_ipv4 16384 1 ipt_REJECT
so I think the ipt_REJECT kernel module is loaded.
I'm running syslog-ng. In its log I find only two lines when
Shorewall started: Dec 9 18:48:01 cspg pali[5475]: ERROR:Shorewall
start failed Dec 9 18:48:01 cspg pali[5502]: Shorewall Stopped
Your kernel doesn't have logging support.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thomas Deutschmann
2016-12-09 18:18:39 UTC
Post by Csányi Pál
iptables: No chain/target/match by that name. ERROR: Command
"/sbin/iptables --wait -t filter -A INPUT -j LOG --log-level 6
--log-prefix "Shorewall:INPUT:REJECT:"" Failed
Like Tom already said you probably don't have LOG support in your
kernel. Please check for "xt_LOG" module (aka "ipt_LOG").

Look for CONFIG_NETFILTER_XT_TARGET_LOG in your kernel config.


--
Regards,
Thomas
Csányi Pál
2016-12-09 18:35:09 UTC
Hi Tom & Thomas,
Post by Csányi Pál
iptables: No chain/target/match by that name. ERROR: Command
"/sbin/iptables --wait -t filter -A INPUT -j LOG --log-level 6
--log-prefix "Shorewall:INPUT:REJECT:"" Failed
Like Tom already said you probably don't have LOG support in your
kernel. Please check for "xt_LOG" module (aka "ipt_LOG").
Look for CONFIG_NETFILTER_XT_TARGET_LOG in your kernel config.
Indeed, in my kernel this option was not enabled.
I just enabled it as <M> CONFIG_NETFILTER_XT_TARGET_LOG

and now I am waiting for the kernel build to be complete.
Then I shall reboot my system and see what is in the /var/log/message logfile.
--
Best, Pali
Csányi Pál
2016-12-09 20:21:36 UTC
Post by Csányi Pál
Hi Tom & Thomas,
Post by Csányi Pál
iptables: No chain/target/match by that name. ERROR: Command
"/sbin/iptables --wait -t filter -A INPUT -j LOG --log-level 6
--log-prefix "Shorewall:INPUT:REJECT:"" Failed
Like Tom already said you probably don't have LOG support in your
kernel. Please check for "xt_LOG" module (aka "ipt_LOG").
Look for CONFIG_NETFILTER_XT_TARGET_LOG in your kernel config.
Indeed, in my kernel this option was not enabled.
I just enabled it as <M> CONFIG_NETFILTER_XT_TARGET_LOG
and now I am waiting for the kernel build to be complete.
Then I shall reboot my system and see what is in the /var/log/message logfile.
This is interesting. After I rebuilt my kernel with
CONFIG_NETFILTER_XT_TARGET_LOG enabled and restarted my Gentoo Linux
system, Shorewall started at boot successfully.

cspg pali # shorewall status
Shorewall-5.0.11 Status at cspg - 2016. dec. 9., péntek, 21.15.56 CET

Shorewall is running
State:Started 2016. dec. 9., péntek, 21.13.16 CET from
/etc/shorewall/ (/var/lib/shorewall/firewall compiled 2016. dec. 9.,
péntek, 21.13.16 CET by Shorewall version 5.0.11)

What happened so the problem disappeared?

However, in /var/log/messages, where syslog-ng writes its log, there are no
changes regarding the shorewall start:
Dec 9 21:18:06 cspg pali[5728]: Shorewall Stopped
Dec 9 21:18:07 cspg pali[6008]: Shorewall started

lsmod shows this:
xt_NFLOG 16384 0
nfnetlink_log 20480 1 xt_NFLOG
xt_LOG 16384 7

I think these are related to the compiled kernel module
CONFIG_NETFILTER_XT_TARGET_LOG, right?

So, the problem is solved, but I do not know how?
--
Best, Pali
Tom Eastep
2016-12-09 22:27:18 UTC
Post by Csányi Pál
Post by Csányi Pál
Hi Tom & Thomas,
2016-12-09 19:18 GMT+01:00 Thomas Deutschmann
Post by Csányi Pál
iptables: No chain/target/match by that name. ERROR: Command
"/sbin/iptables --wait -t filter -A INPUT -j LOG --log-level
6 --log-prefix "Shorewall:INPUT:REJECT:"" Failed
Like Tom already said you probably don't have LOG support in
your kernel. Please check for "xt_LOG" module (aka "ipt_LOG").
Look for CONFIG_NETFILTER_XT_TARGET_LOG in your kernel config.
Indeed, in my kernel this option was not enabled. I just enabled
it as <M> CONFIG_NETFILTER_XT_TARGET_LOG
and now I am waiting for the kernel build to be complete. Then
I shall reboot my system and see what is in the /var/log/message
logfile.
This is interesting. After I rebuilt my kernel with
CONFIG_NETFILTER_XT_TARGET_LOG enabled and restarted my Gentoo
Linux system, Shorewall started at boot successfully.
cspg pali # shorewall status Shorewall-5.0.11 Status at cspg -
2016. dec. 9., péntek, 21.15.56 CET
Shorewall is running State:Started 2016. dec. 9., péntek, 21.13.16
CET from /etc/shorewall/ (/var/lib/shorewall/firewall compiled
2016. dec. 9., péntek, 21.13.16 CET by Shorewall version 5.0.11)
What happened so the problem disappeared?
However, in /var/log/messages, where syslog-ng writes its log, there are
no changes regarding the shorewall start: Dec 9 21:18:06 cspg
Shorewall started
lsmod shows this: xt_NFLOG 16384 0 nfnetlink_log
20480 1 xt_NFLOG xt_LOG 16384 7
I think these are related to the compiled kernel module
CONFIG_NETFILTER_XT_TARGET_LOG, right?
So, the problem is solved, but I do not know how?
The lack of the xt_LOG module did not generate any log messages, but
it prevented the firewall from starting. Now that the module is
available, the firewall is able to start normally.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
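The failure mode Tom describes above (a missing target module stops iptables-restore at COMMIT with no log line, and only `shorewall debug restart` shows the real rule) can be caught before the restore runs. The script below is an added example, not code from the thread or from Shorewall: it extracts the "-j" targets from the generated restore input, checks them against the targets the kernel has registered, and names the kernel option to enable for a missing one (the two options come from this thread). On a real host the inputs would be /var/lib/shorewall/.iptables-restore-input, /proc/net/ip_tables_targets and the kernel config; here they are constructed sample files that reproduce the thread's situation (LOG absent, REJECT present).

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: confirm every
# "-j" target in an iptables-restore input is registered with the kernel and
# name the kernel option to enable when one is missing. The sample files at
# the bottom are constructed stand-ins for the real system files.

# Print the unique "-j TARGET" names used in an iptables-restore input file.
restore_targets() {
    sed -n 's/.*-j \([A-Za-z0-9_]*\).*/\1/p' "$1" | sort -u
}
# Return 0 if every target named after the targets file is listed in it
# (the kernel's /proc/net/ip_tables_targets lists one target per line).
targets_present() {
    file=$1; shift
    missing=""
    for t in "$@"; do
        grep -qx "$t" "$file" 2>/dev/null || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    echo "missing iptables targets:$missing" >&2
    return 1
}
# Map a target to the kernel option that provides it (the two targets named
# in the thread; anything else is reported as unknown).
config_for_target() {
    case $1 in
        LOG)    echo CONFIG_NETFILTER_XT_TARGET_LOG ;;
        REJECT) echo CONFIG_IP_NF_TARGET_REJECT ;;
        *)      echo unknown ;;
    esac
}
# Return 0 if option $2 is built in (=y) or a module (=m) in config file $1.
config_enabled() {
    grep -qE "^$2=(y|m)\$" "$1"
}

# Constructed samples: LOG is not registered and not set in the config.
SAMPLE_TARGETS=$(mktemp); printf 'ACCEPT\nDROP\nREJECT\n' > "$SAMPLE_TARGETS"
SAMPLE_CONFIG=$(mktemp)
printf 'CONFIG_IP_NF_TARGET_REJECT=m\n# CONFIG_NETFILTER_XT_TARGET_LOG is not set\n' > "$SAMPLE_CONFIG"
SAMPLE_RESTORE=$(mktemp)
printf '%s\n' '*filter' '-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:REJECT:"' \
    '-A INPUT -j REJECT' 'COMMIT' > "$SAMPLE_RESTORE"

for t in $(restore_targets "$SAMPLE_RESTORE"); do
    targets_present "$SAMPLE_TARGETS" "$t" 2>/dev/null ||
        echo "$t target missing: enable $(config_for_target "$t") and rebuild the kernel"
done
```

Note that iptables autoloads a target module on first use, so on a real host the registered-targets file is only conclusive after a start has been attempted (or after the module was loaded by hand).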
Csányi Pál
2016-12-10 06:54:14 UTC
Hi Tom & Thomas,
Thank you very much for help!
--
Best, Pali