jidckii, 2015-01-29 19:49:02
linux

Why is 1 rule repeated multiple times in iptables?

Good day to all.
I have a problem where one and the same rule is repeated 3 times in the iptables rules.
Home router on Debian, NAT is up.

$ cat /etc/nat 
#!/bin/bash

# NAT rules for IPv4

# Allow traffic on the internal loopback interface (lo)
iptables -A INPUT -i lo -j ACCEPT
# Allow access from the internal network to the Internet
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Enable masquerading
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
# Allow replies from the external network
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block access from the Internet into the internal network
#iptables -A FORWARD -i eth0 -o eth1 -j REJECT - disabled: it drops IGMP traffic (IPTV)
# Add a route for IPTV
#ip route add 224.0.0.0/4 dev eth0


# VPN rules
iptables -A INPUT -p gre -j ACCEPT
iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Rules for igmpproxy
modprobe ipt_TTL
iptables -t filter -A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
iptables -t filter -A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
iptables -t filter -A FORWARD -d 224.0.0.0/4 -j ACCEPT
iptables -t filter -A FORWARD -s 224.0.0.0/4 -j ACCEPT
iptables -t mangle -A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1

# Limits the number of simultaneous connections to Astra (IPTV)
iptables -I INPUT -p tcp --syn --dport 3690 -m connlimit --connlimit-above 10 -j DROP

There is a symlink to this file in /etc/network/if-pre-up.d/
:/etc/network/if-pre-up.d$ la
bridge -> /lib/bridge-utils/ifupdown.sh*
ethtool*
nat -> /etc/nat*
vde2*

The bottom line is that if the system boots from scratch, the iptables rules look like this:
$ sudo iptables-save 
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:30:13 2015
*mangle
:PREROUTING ACCEPT [241166:152040164]
:INPUT ACCEPT [64422:11113521]
:FORWARD ACCEPT [175517:139839673]
:OUTPUT ACCEPT [65216:16069069]
:POSTROUTING ACCEPT [241204:155970430]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Thu Jan 29 21:30:13 2015
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:30:13 2015
*nat
:PREROUTING ACCEPT [12621:2045748]
:INPUT ACCEPT [9847:855651]
:OUTPUT ACCEPT [3288:284853]
:POSTROUTING ACCEPT [3320:288655]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 16270 -j DNAT --to-destination 192.168.0.3:16270
-A PREROUTING -i eth0 -p udp -m udp --dport 16270 -j DNAT --to-destination 192.168.0.3:16270
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 29 21:30:13 2015
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:30:13 2015
*filter
:INPUT ACCEPT [58824:10051527]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [64715:15976145]
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A FORWARD -d 192.168.0.3/32 -p tcp -m tcp --dport 16270 -j ACCEPT
-A FORWARD -d 192.168.0.3/32 -p udp -m udp --dport 16270 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
COMMIT
# Completed on Thu Jan 29 21:30:13 2015

Because of this, for some reason, multicast stops working.
I tear down all the rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

I restart the network:
$ sudo service networking restart
And now the rule is repeated not 4 times but 3:
$ sudo iptables-save 
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:31:58 2015
*mangle
:PREROUTING ACCEPT [261:39758]
:INPUT ACCEPT [199:22845]
:FORWARD ACCEPT [62:16913]
:OUTPUT ACCEPT [187:39130]
:POSTROUTING ACCEPT [274:60431]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Thu Jan 29 21:31:58 2015
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:31:58 2015
*nat
:PREROUTING ACCEPT [47:4475]
:INPUT ACCEPT [40:3395]
:OUTPUT ACCEPT [7:536]
:POSTROUTING ACCEPT [7:536]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 29 21:31:58 2015
# Generated by iptables-save v1.4.14 on Thu Jan 29 21:31:58 2015
*filter
:INPUT ACCEPT [206:22652]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [200:41262]
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -p tcp -m tcp --dport 3690 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 --connlimit-saddr -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
COMMIT
# Completed on Thu Jan 29 21:31:58 2015

After that, multicast starts working.
But I'm still not sure that all this is correct.
Tell me, what's wrong, and how do I solve it or do it properly?

2 answer(s)
Vladimir, 2015-01-29
@jidckii


Install iptables-persistent from the repository,
or learn to determine in the script which interface particular rules should be enabled for:
when you bring up 4 interfaces, the script is executed 4 times.

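An idempotent version of the if-pre-up.d hook that follows the second suggestion above; this is an added example, not the asker's script or anything posted in the thread. It assumes eth0 is the WAN interface, that ifupdown exports IFACE and MODE to its hooks, and that iptables supports -C (available since 1.4.11; the asker's 1.4.14 has it).

```sh
#!/bin/sh
# Added example: an ifupdown hook that cannot duplicate rules.
# ifupdown runs every script in /etc/network/if-pre-up.d/ once per
# interface and exports IFACE (the interface being configured) and
# MODE (start/stop). Two guards fix the duplication seen in the question:
#   1. act only when the WAN interface comes up, not for every interface;
#   2. check each rule with -C and append it only if it is absent.
# Only a subset of the asker's rules is shown; the rest follow the pattern.

IPTABLES="${IPTABLES:-iptables}"   # overridable for dry runs and tests
WAN="${WAN:-eth0}"                 # assumption: eth0 is the WAN side

# rule_once TABLE CHAIN RULE... : append RULE to CHAIN unless it already exists.
rule_once() {
    table="$1"; chain="$2"; shift 2
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0                   # already present: nothing to do
    fi
    "$IPTABLES" -t "$table" -A "$chain" "$@"
}

# should_run IFACE : true only for the WAN interface in the "start" phase.
should_run() {
    [ "$1" = "$WAN" ] && [ "${MODE:-start}" = "start" ]
}

apply_rules() {
    rule_once filter INPUT -i lo -j ACCEPT
    rule_once filter FORWARD -i eth1 -o "$WAN" -j ACCEPT
    rule_once nat POSTROUTING -o "$WAN" -s 192.168.0.0/24 -j MASQUERADE
    rule_once filter FORWARD -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule_once filter INPUT -p gre -j ACCEPT
    rule_once nat POSTROUTING -s 172.16.0.0/24 -j MASQUERADE
    rule_once mangle PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
}

# Entry point when invoked by ifupdown; does nothing for eth1, lo, tunnels, ...
if should_run "${IFACE:-}"; then
    apply_rules
fi
```

Running the hook by hand for a check is IFACE=eth0 MODE=start sh /etc/nat; a second run leaves iptables-save unchanged.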
larrabee, 2015-01-30
@larrabee

If you have CentOS/Fedora, there is a built-in script. It is invoked as service iptables save.
