Hello,
I am using systemd to start a custom firewall shell script at startup. Until now that was working fine, but since systemd-249.15-150400.8.22.1.x86_64 outgoing packets are completely blocked when the script is started by systemd (tcpdump shows incoming but no outgoing packets). When the firewall script is started manually, everything works fine.
Does anybody have an idea what the problem might be?
This is the systemd service:
[Unit]
Description=Firewall
# NOTE(review): ordering after network.service only guarantees that the
# network management service has started, not that the interfaces already
# carry their addresses; confirm whether any rule in the script depends on
# that (network-online.target is the ordering point for "configured").
After=network.service
[Service]
# oneshot + RemainAfterExit: the unit stays "active" after the script
# returns, so ExecStop runs on `systemctl stop`.
Type=oneshot
# Runs as root with systemd's default environment, which is not the same as
# an interactive root shell; the script should rely on absolute paths only.
ExecStart=/root/bin/firewall.sh start
RemainAfterExit=true
ExecStop=/root/bin/firewall.sh stop
StandardOutput=journal
[Install]
WantedBy=multi-user.target
This is (part of) the firewall script:
#!/bin/sh
# NOTE(review): the functions below use the bash-only `function` keyword, so
# this script only runs where /bin/sh is bash; either use POSIX `name() {`
# syntax or point the shebang at bash explicitly.
# Interface names and addresses (values elided in this excerpt as "...").
LAN_IFACES="..."
# NOTE(review): LAN_IFACES is assigned twice; the second assignment wins.
# Looks like a copy/paste slip (LAN_IP?) — confirm against the real script.
LAN_IFACES="..."
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACES="eth0"
INET_IP="..."
# Absolute paths: the script must not depend on PATH, which differs between
# an interactive shell and a systemd-started service.
IPTABLES="/usr/sbin/iptables"
IP6TABLES="/usr/sbin/ip6tables"
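#######################################
# Apply the same rule via iptables, ip6tables or both.
# Globals:   IPTABLES, IP6TABLES (read) - absolute paths to the binaries
# Arguments: $1 - selector: ip4, ip6 or ip46; all remaining arguments are
#            passed through unchanged to the binary (or binaries)
# Outputs:   whatever the binaries print
# Returns:   exit status of the binary; for ip46, non-zero if either of the
#            two calls failed; 1 (with a message on stderr) for an unknown
#            selector, which was previously ignored without any trace
#######################################
iptables() {
  # POSIX function syntax and no `local`, so the wrapper is valid under a
  # strict /bin/sh as well as bash.
  fw_selector=$1
  shift
  case "${fw_selector}" in
    ip4) "$IPTABLES" "$@" ;;
    ip6) "$IP6TABLES" "$@" ;;
    ip46)
      # Run both and keep the first failure: before, a failed IPv4 call was
      # masked by a successful IPv6 call because only the last status counted.
      fw_rc=0
      "$IPTABLES" "$@" || fw_rc=$?
      "$IP6TABLES" "$@" || fw_rc=$?
      return $fw_rc
      ;;
    *)
      # A typo in the selector used to drop the rule silently, leaving a
      # hole in the ruleset with nothing in the log.
      printf 'firewall: unknown selector "%s"\n' "${fw_selector}" >&2
      return 1
      ;;
  esac
}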
#######################################
# Load the ruleset and switch every default policy to DROP.
# Globals:   writes /proc/sys/net/ipv4/ip_forward; calls the iptables()
#            wrapper defined above
# Outputs:   progress messages on stdout
# Note:      most rules are elided in this excerpt ("...")
#######################################
fw_start() {
  printf '%s\n' "Starting firewall..."
  # Turn on IPv4 forwarding before any FORWARD rules are loaded.
  printf '%s\n' "1" > /proc/sys/net/ipv4/ip_forward
  # ICMP: v4 accepts only echo reply here, v6 accepts every ICMPv6 type.
  iptables ip4 -A icmp_packets -p icmp --icmp-type 0 -j ACCEPT #echo reply
  iptables ip6 -A icmp_packets -p icmpv6 -j ACCEPT
  #HTTP
  iptables ip46 -A tcp_packets -p TCP --dport 80 -j allowed
  ...
  # Default-deny on all three chains. Whatever must still pass -- including
  # every outgoing flow -- has to be covered by the rules loaded above.
  printf '%s\n' " - setting default policies to DROP"
  for chain in INPUT OUTPUT FORWARD; do
    iptables ip46 -P "$chain" DROP
  done
  printf '%s\n' "..."
}
#######################################
# Tear the ruleset down: INPUT back to ACCEPT, flush, delete custom chains.
# Globals:   calls the iptables() wrapper defined above
# Outputs:   progress message on stdout
# Note:      remaining teardown steps are elided in this excerpt ("...")
# NOTE(review): only INPUT's policy is reset in the visible lines; OUTPUT and
# FORWARD stay at DROP unless the elided part resets them -- confirm.
#######################################
fw_stop() {
  printf '%s\n' "Shutting down firewall..."
  iptables ip46 -P INPUT ACCEPT
  # Flush first: a user-defined chain can only be deleted once it is empty.
  iptables ip46 -F
  iptables ip46 -X icmp_packets
  ...
}
# Print usage information (body elided in this excerpt).
function help() {
...
};
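#######################################
# Return 0 if the ruleset is loaded, non-zero otherwise.
# Globals:   IPTABLES (read)
# The custom chain icmp_packets only exists while the ruleset is loaded, so
# its presence is the "running" marker (IPv4 only, as before). Querying the
# chain directly replaces the earlier "list everything and grep" check: -n
# avoids reverse DNS lookups on every rule, and the old substring match also
# fired on any rule merely referencing the chain name.
#######################################
fw_is_running() {
  "$IPTABLES" -n -L icmp_packets >/dev/null 2>&1
}

command=$1
case "$command" in
  start)
    # Diagnostics go to stderr; exit status stays 0 as before so that an
    # already-loaded ruleset does not mark the systemd unit as failed.
    if fw_is_running; then
      printf '%s\n' "Error: firewall is already running!" >&2
    else
      fw_start
    fi
    ;;
  stop)
    if fw_is_running; then
      fw_stop
    else
      printf '%s\n' "Error: firewall is not running!" >&2
    fi
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  *)
    help
    exit 1
    ;;
esac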