dfw in iptables mode can't find iptables-restore

Question

dfw in iptables mode can't find iptables-restore

Closed this issue 4 years ago · 8 comments

Trying out new dfw version but I'm stuck at the beginning. Using a blank .toml file.
Tried 1.2.0-rc.3, 1.2.0-rc.2 and 1.2.0-rc.1, none working
compose config:

dfw:
  cap_add:
   - NET_ADMIN
  command: --firewall-backend iptables --config-file /config/dfw.toml --log-level debug
  #command: --config-file /config/dfw.toml --log-level debug
  container_name: dfw
  image: pitkley/dfw
  network_mode: "host"
  restart: always
  volumes:
   - ${timezone}
   - ${localtime}
   - /var/run/docker.sock:/var/run/docker.sock
   - /opt/dfw/dfw.toml:/config/dfw.toml

log output:

dfw                     | May 31 09:19:16.173 INFO Starting processing, started_processing_at: 2020-05-31T7:19:16+0000, module: dfw::iptables::process:20
dfw                     | May 31 09:19:16.173 DEBG Starting sub-processing, part: global_defaults, module: dfw::iptables::process:193
dfw                     | May 31 09:19:16.173 INFO Finished processing, finished_processing_at: 2020-05-31T7:19:16+0000, module: dfw::iptables::process:130
dfw                     | May 31 09:19:16.173 INFO Applying IPv4 rules (using iptables-restore), module: dfw::iptables:50
dfw                     | May 31 09:19:16.175 ERRO Encountered error, backtrace: , error: No such file or directory (os error 2), module: dfw:561

Problem on my side? iptables-restore is available on my host (Debian 10.4) and working

Answer 1 · 2020-05-31T07:32:20.000Z

@cybermcm thanks so much for trying! The problem is definitely in the Docker image. I'll let you know once I've fixed it. 👍

Answer 2 · 2020-05-31T11:39:50.000Z

@cybermcm version 1.2.0-rc.4 is live on Docker Hub, the issue you see should be fixed. 👍

Answer 3 · 2020-05-31T11:51:34.000Z

yes, this one is gone, another one popped up, at least with a blank .toml and clean iptables:

dfw              | May 31 11:49:31.307 INFO Applying IPv4 rules (using iptables-restore), module: dfw::iptables:50
dfw              | May 31 11:49:31.309 INFO Applying IPv6 rules (using ip6tables-restore), module: dfw::iptables:55
dfw              | May 31 11:49:31.310 ERRO Encountered error, backtrace: , error: ip6tables-restore failed: 'modprobe: can't change directory to '/lib/modules': No such file or directory
dfw              | ip6tables-restore v1.8.4 (legacy): ip6tables-restore: unable to initialize table 'filter'
dfw              |
dfw              | Error occurred at line: 1
dfw              | Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.', module: dfw:561
dfw exited with code 0

Answer 4 · 2020-05-31T12:23:33.000Z

AFAICT this is a host-issue where you don't have the kernel-modules loaded that are required for ip6tables to work. On Buster that is to be expected, given that they switched to nftables by default.

The reason this fails in DFW is that the container doesn't have the kernel-modules available and that it can't load modules for the host by default.

To verify this is actually the issue you can run lsmod | grep ip6. If you get no output, the modules are not loaded. To test if loading them fixes your issues, you can execute modprobe -a ip6table_filter ip6table_nat to load the modules and run DFW again afterwards.

If you want to make this permanent, you have two options:

Add e.g. a /etc/modules-load.d/ip6tables.conf to your host with the following content:
```
ip6table_filter
ip6table_nat
```

Give the DFW-container the ability to load the modules it needs by itself:

docker run -d \
    --name=dfw \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /lib/modules:/lib/modules:ro \
    -v /path/to/your/config:/config \
    --net host --cap-add=NET_ADMIN --cap-add=SYS_MODULE \
    pitkley/dfw:1.2.0-rc.4 --firewall-backend iptables --config-path /config

The important additions to the Docker command above are:

-v /lib/modules:/lib/modules:ro
--cap-add=SYS_MODULE

Answer 5 · 2020-05-31T15:27:17.000Z

Thanks for the detailed info, I got it working with your comment. Maybe you should add this to some readme?
Issue can be closed in my point of view

Answer 6 · 2020-05-31T15:37:17.000Z

@cybermcm thank you for confirming. I'll close the issue once I have this documented somewhere. 🙂

Answer 7 · 2020-06-18T01:55:32.000Z

Hmmm, I'm still having this issue. Trying to run the latest dfw both natively on Debian Buster and inside a Docker container. The error message I get is:

Jun 17 21:53:35.340 INFO Starting processing, started_processing_at: 2020-06-18T1:53:35+0000, module: dfw::iptables::process:20
Jun 17 21:53:35.340 DEBG Starting sub-processing, part: global_defaults, module: dfw::iptables::process:193
Jun 17 21:53:35.341 INFO Finished processing, finished_processing_at: 2020-06-18T1:53:35+0000, module: dfw::iptables::process:130
Jun 17 21:53:35.341 INFO Applying IPv4 rules (using iptables-restore), module: dfw::iptables:50
Jun 17 21:53:35.367 ERRO Encountered error, backtrace: , error: iptables-restore failed: '', module: dfw:561

Answer 8 · 2020-06-22T18:44:45.000Z

@azurefreecovid how are you running DFW and which version are you using? If you are running it locally you can execute dfw --version to see the version, in case of the Docker image you can use something like this:

docker run -d \
    --name=dfw \
    -v /var/run/docker.sock:/var/run/docker.sock:ro \
    -v /lib/modules:/lib/modules:ro \
    -v /path/to/your/config:/config \
    --net host --cap-add=NET_ADMIN --cap-add=SYS_MODULE \
    pitkley/dfw:1.2.0-rc.6 --version

(Although in this case the version is part of the image-name, so the output would be self-explanatory.)