According to the documentation (rules section), doing the following should add a simple rule to the iptables list of rules:
    import iptc

    rule = iptc.Rule()
    rule.src = "127.0.0.1"
    rule.protocol = "udp"
    rule.target = rule.create_target("ACCEPT")
    match = rule.create_match("comment")
    match.comment = "this is a test comment"
    chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), "INPUT")
    chain.insert_rule(rule)
However, running this example results in absolutely zero new rules.
I'm verifying this by doing:
    iptables -L --line-number
Before I submit a bug issue, I'd like to know if anyone else has encountered this and if so, how you worked around it.
I'm running everything as root just to be on the safe side. I also tried verifying the rules by running another example code from the same section of the documentation:
    import iptc

    table = iptc.Table(iptc.Table.FILTER)
    for chain in table.chains:
        print("=======================")
        print("Chain ", chain.name)
        for rule in chain.rules:
            print("Rule", "proto:", rule.protocol, "src:", rule.src, "dst:",
                  rule.dst, "in:", rule.in_interface, "out:", rule.out_interface)
            print("Matches:")
            for match in rule.matches:
                print(match.name)
            # Python 3: end=" " replaces the Python 2 trailing-comma form
            print("Target:", end=" ")
            print(rule.target.name)
    print("=======================")
(modified slightly to work with Python3).
This was to make sure there wasn't an issue with the auto-commit; however, the results were still the same.
I will also point out that it did work for a short bit, for roughly 3 additions to iptables. And it might work to do a systemctl restart iptables, but I'd like to, if possible, figure out why this is going wrong before I do the classic old "windows trick" of rebooting stuff. (Nothing in journald/systemd either mentioning anything about iptables.)
Seeing as @larsks couldn't reproduce the issue I dug a little further. It appears that a system update had been performed (classic mistake, I apologize).
This causes the loaded kernel version to differ from the kernel module of iptables; there are some fixes in place that solve this issue using the iptables command so that you can still add rules.
However, using the python-iptables lib does not work.
What the actual difference is, is beyond me. I dug a little bit but couldn't locate where this would cause an issue.
Rebooting the machine in this instance is the only (to me known) way to solve this issue unfortunately. This is so that the loaded kernel module and installed tools match the version they're working against.
(Another solution would be to keep the old iptables command and libraries, meaning backing them up and pointing the libraries to the backed-up version until a reboot can be made.)