Preserving large iptables rulesets between updates

  • Hello,
    I have a larger iptables ruleset with ~15k lines and have problems keeping those rules when upgrading. The size of the iptables rules is irrelevant, I just want to preserve my custom settings.
    Also, every time the default iptables rules are applied (I think when the server traffic stats are calculated) I have to reload my rules or disable the crontab for the stats.
    Is there a way to make my rules persistent between stats and between upgrades?
    Thank you in advance!


  • Thank you for the reminder.


    • Your Distribution and its codename:
      Debian8 Jessie
    • The i-MSCP version in use:
      i-MSCP 1.3.16 (the behaviour has been the same since 1.2.x when I first tested iMSCP)
    • An understandable description of the problem
      I have a larger iptables ruleset with ~15k lines and have problems keeping those rules when upgrading. The size of the iptables rules is irrelevant, I just want to preserve my custom settings.
      Also, every time the default iptables rules are applied (I think when the server traffic stats are calculated) I have to reload my rules or disable the crontab for the stats.
      Is there a way to make my rules persistent between stats and between upgrades?
    • The exact steps to reproduce the problem
      1. I generate a large iptables ruleset that I add to the default iptables rules. All unwanted IPs are blocked successfully.


      2. Traffic accounting cron jobs (see below) reset the rules every 30 minutes
      #0,30 * * * * root perl /var/www/imscp/engine/traffic/imscp-srv-traff > /var/log/imscp/imscp-srv-traff.log 2>&1
      #0,30 * * * * root perl /var/www/imscp/engine/traffic/imscp-vrl-traff > /var/log/imscp/imscp-vrl-traff.log 2>&1

      3. The default rules are active, but the IPs from my rules are not blocked anymore


      When I add the rules to the file that generates the default iptables rulesets, it gets overwritten by every update.
      The only workaround for me was to disable the traffic accounting crons, so my iptables rules could remain in place, but this way I lose stats.

    Thanks for any hint or guidance.

  • I generate a large iptables ruleset that I add to the default iptables rules.

    Please, show us your ruleset.


    I cannot reproduce the problem with 1.3.16. We are using fail2ban that comes with its own iptables rules. When we stop the imscp_traffic service, only the iptables rules for the i-MSCP server traffic accounting are removed. When we start the imscp_traffic service, the iptables rules for the i-MSCP server traffic accounting are re-added and the fail2ban iptables rules are left untouched. In action:


    iptables rules before processing server traffic accounting:

    Shell-Script
    root@srv01:/home/nuxwin# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    IMSCP_INPUT  all  --  anywhere             anywhere
    fail2ban-sasl  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-vsftpd  tcp  --  anywhere             anywhere             multiport dports ftp,ftp-data,ftps,ftps-data
    fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-dovecot  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
    fail2ban-postfix  tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission
    fail2ban-ssh-ddos  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-apache-nohome  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    IMSCP_OUTPUT  all  --  anywhere             anywhere

    Chain IMSCP_INPUT (1 references)
    target     prot opt source               destination
               tcp  --  anywhere             anywhere             tcp spt:submission
               tcp  --  anywhere             anywhere             tcp spt:urd
               tcp  --  anywhere             anywhere             tcp spt:smtp
               tcp  --  anywhere             anywhere             tcp dpt:ftp
               tcp  --  anywhere             anywhere             tcp dpt:ftp-data
               tcp  --  anywhere             anywhere             tcp dpt:imaps
               tcp  --  anywhere             anywhere             tcp dpt:pop3s
               tcp  --  anywhere             anywhere             tcp dpt:submission
               tcp  --  anywhere             anywhere             tcp dpt:urd
               tcp  --  anywhere             anywhere             tcp dpt:smtp
               tcp  --  anywhere             anywhere             tcp dpt:imap2
               tcp  --  anywhere             anywhere             tcp dpt:pop3
               tcp  --  anywhere             anywhere             tcp dpt:https
               tcp  --  anywhere             anywhere             tcp dpt:http
               tcp  --  anywhere             anywhere             tcp dpt:8443
               tcp  --  anywhere             anywhere             tcp dpt:8880
    RETURN     all  --  anywhere             anywhere

    Chain IMSCP_OUTPUT (1 references)
    target     prot opt source               destination
               tcp  --  anywhere             anywhere             tcp dpt:submission
               tcp  --  anywhere             anywhere             tcp dpt:urd
               tcp  --  anywhere             anywhere             tcp dpt:smtp
               tcp  --  anywhere             anywhere             tcp spt:ftp
               tcp  --  anywhere             anywhere             tcp spt:ftp-data
               tcp  --  anywhere             anywhere             tcp spt:imaps
               tcp  --  anywhere             anywhere             tcp spt:pop3s
               tcp  --  anywhere             anywhere             tcp spt:submission
               tcp  --  anywhere             anywhere             tcp spt:urd
               tcp  --  anywhere             anywhere             tcp spt:smtp
               tcp  --  anywhere             anywhere             tcp spt:imap2
               tcp  --  anywhere             anywhere             tcp spt:pop3
               tcp  --  anywhere             anywhere             tcp spt:https
               tcp  --  anywhere             anywhere             tcp spt:http
               tcp  --  anywhere             anywhere             tcp spt:8443
               tcp  --  anywhere             anywhere             tcp spt:8880
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-apache (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-apache-nohome (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-apache-noscript (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-apache-overflows (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-dovecot (1 references)
    target     prot opt source               destination
    REJECT     all  --  180.105.68.130       anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-postfix (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-sasl (1 references)
    target     prot opt source               destination
    REJECT     all  --  dedic878.hidehost.net  anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  dedic869.hidehost.net  anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination
    REJECT     all  --  59.63.188.30         anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  59.45.175.35         anywhere             reject-with icmp-port-unreachable
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh-ddos (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-vsftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere


    Processing server traffic accounting

    Shell-Script
    root@srv01:/home/nuxwin# perl /var/www/imscp/engine/traffic/imscp-srv-traff -v
    [DEBUG] iMSCP::Bootstrapper::lock: Acquire exclusive lock on /tmp/imscp-srv-traff.lock
    [DEBUG] iMSCP::Bootstrapper::boot: Booting backend....
    [DEBUG] iMSCP::Config::_loadConfig: Tying /etc/imscp/imscp.conf file in readonly mode
    [DEBUG] iMSCP::Config::_loadConfig: Tying /etc/imscp/mysql/mysql.data file in readonly mode
    [DEBUG] iMSCP::Execute::execute: iptables -nvxL IMSCP_OUTPUT
    [DEBUG] main::run: Chain IMSCP_OUTPUT (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:993
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:995
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:587
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:465
          13        713            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
          24       3374            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:143
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:110
         471     734305            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443
          10       1450            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8443
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:8880
         767     778811 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    [DEBUG] iMSCP::Execute::execute: iptables -nvxL IMSCP_INPUT
    [DEBUG] main::run: Chain IMSCP_INPUT (1 references)
        pkts      bytes target     prot opt in     out     source               destination
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:587
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:465
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
          13        593            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
          28       2576            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
         416      48637            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
          10       1255            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
           0          0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8880
         778      80828 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    [DEBUG] iMSCP::Service::__ANON__: Systemd init system has been detected
    [DEBUG] iMSCP::Execute::execute: /bin/systemctl --system is-active imscp_traffic.service
    [DEBUG] iMSCP::Provider::Service::Sysvinit::_exec: active
    [DEBUG] iMSCP::Execute::execute: /bin/systemctl restart imscp_traffic.service
    [DEBUG] iMSCP::Bootstrapper::unlock: Releasing exclusive lock on /tmp/imscp-srv-traff.lock


    iptables rules after processing server traffic accounting:


    2. Traffic accounting cron jobs (see below) reset the rules every 30 minutes
    #0,30 * * * * root perl /var/www/imscp/engine/traffic/imscp-srv-traff > /var/log/imscp/imscp-srv-traff.log 2>&1
    #0,30 * * * * root perl /var/www/imscp/engine/traffic/imscp-vrl-traff > /var/log/imscp/imscp-vrl-traff.log 2>&1

    Only the first cron task involves iptables ;) The second one parses traffic from log files and has nothing to do with the imscp_traffic service ;)


  • Thank you. IIRC the custom rules were all added to the IMSCP_INPUT chain but will check it over the weekend.

    That is your mistake ;) Don't use the IMSCP_* chains. These chains are "owned" by i-MSCP. You must create your own chains and all will be ok. If we have not added our rules in default chains, that is not for nothing. That is the same thing for fail2ban. They are using their own chains.

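    One way to follow that advice in practice, as an added example that is not code from the thread or from i-MSCP: the script below keeps the blocklist in a chain of its own and loads it with iptables-restore in no-flush mode, so neither the IMSCP_* chains nor the fail2ban-* chains are touched, and it refuses to load a fragment that references an IMSCP_* chain at all. The chain name CUSTOM_BLOCK, the blocklist file format (one IPv4 address or CIDR per line, "#" comments allowed), the default path /etc/custom-blocklist.txt and the "apply" entry point are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from i-MSCP.
# Keeps a large blocklist in a dedicated chain so that the i-MSCP traffic
# service, which only flushes and recreates its own IMSCP_* chains, never
# touches it. Assumptions: chain name CUSTOM_BLOCK, a blocklist file with one
# IPv4 address or CIDR per line ('#' comments allowed), iptables >= 1.4.11 (-C).
set -eu

CHAIN="${CHAIN:-CUSTOM_BLOCK}"

# Read the blocklist on stdin and emit an iptables-restore fragment for the
# filter table. Loading ~15k rules this way is one atomic kernel update
# instead of ~15k separate iptables invocations.
gen_restore_fragment() {
    printf '%s\n' '*filter'
    printf '%s\n' ":$CHAIN - [0:0]"   # declare (or re-declare) our own chain
    printf '%s\n' "-F $CHAIN"         # flush only our chain: a reload replaces instead of appending
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # Accept only dotted-quad addresses with an optional prefix length
        if ! printf '%s\n' "$line" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'; then
            printf 'skipping malformed entry: %s\n' "$line" >&2
            continue
        fi
        printf '%s\n' "-A $CHAIN -s $line -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Refuse to load anything that declares, appends to, inserts into, flushes or
# deletes an IMSCP_* chain; those belong to i-MSCP and are rebuilt by the
# traffic service. Returns 0 when the fragment is clean, 1 otherwise.
check_no_imscp_chains() {
    ! grep -Eq -- '(^:|-[AIFNX] +)IMSCP_' "$1"
}

# One jump from INPUT into our chain, inserted at position 1 so blocked sources
# are dropped before a packet reaches IMSCP_INPUT or the fail2ban chains.
# -C only tests for the rule, so re-running the script never duplicates the jump.
ensure_jump() {
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT 1 -j "$CHAIN"
}

# Generate, check and load the fragment; -n/--noflush leaves every other chain
# (INPUT policy, IMSCP_*, fail2ban-*) exactly as it is.
apply_blocklist() {
    frag=$(mktemp)
    gen_restore_fragment < "$1" > "$frag"
    check_no_imscp_chains "$frag"
    iptables-restore -n "$frag"
    rm -f "$frag"
    ensure_jump
}

# Usage (as root): sh custom-blocklist.sh apply /etc/custom-blocklist.txt
case "${1:-}" in
    apply) apply_blocklist "${2:-/etc/custom-blocklist.txt}" ;;
esac
```

    Because the traffic service only rebuilds the IMSCP_* chains, a list loaded this way survives the half-hourly cron run and an i-MSCP upgrade; surviving a reboot is a separate matter and needs a boot-time hook or a saved ruleset (for example the iptables-persistent package on Debian). With ~15k addresses, one DROP rule per address is walked linearly for every incoming packet; an ipset set of type hash:net matched by a single rule in the same custom chain keeps the per-packet cost constant and is the usual next step once a list grows to that size.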