Topic: iptables rules without matching Packet Filter rules

thorstenk

iptables rules without matching Packet Filter rules
« on: January 02, 2015, 12:28:52 pm »
Hi,

I noticed that the iptables output from our firewall shows rules which don't correspond to any Packet Filter rule set in our webadmin interface. The rules in question are

root@gateway ~# iptables --table filter --list
faccept    udp  --  anywhere             192.168.201.1        state NEW udp dpt:domain
faccept    tcp  --  anywhere             192.168.201.1        state NEW tcp dpt:domain
oaccept    udp  --  anywhere             192.168.201.1        state NEW udp dpt:domain
oaccept    tcp  --  anywhere             192.168.201.1        state NEW tcp dpt:domain


The IP address `192.168.201.1` does not match any interface configured on the host. How can I delete those rules?

jbahillo

  • Zentyal Staff
Re: iptables rules without matching Packet Filter rules
« Reply #1 on: January 02, 2015, 12:44:59 pm »
Hello:

I suspect they come from some module which you may have installed. Perhaps such address is in the range of the OpenVPN network?

thorstenk

Re: iptables rules without matching Packet Filter rules
« Reply #2 on: January 02, 2015, 08:13:53 pm »
I uninstalled the OpenVPN module just to be sure. The tap0 interface has a `192.168.191.1` address. The `192.168.201.1` looks to me like an address the firewall previously had.

Is it possible to view or edit the rules - possibly in XML files - directly?

jbahillo

  • Zentyal Staff
Re: iptables rules without matching Packet Filter rules
« Reply #3 on: January 02, 2015, 08:18:15 pm »
Hello. No, you must add/delete rules by adding iptables commands, for instance:

`iptables -t filter -I INPUT -d 10.10.2.5 -j ACCEPT`

You actually should include these rules in a postservice firewall hook.

I'm afraid that no XML would be possible.

This fact looks strange to me. Won't you have any object member with an address of this kind?

thorstenk

Re: iptables rules without matching Packet Filter rules
« Reply #4 on: January 05, 2015, 11:39:03 am »
We definitely don't have any object with that IP address. This used to be the internal address of the Zentyal machine itself which acts as a DNS server. The iptables rules allow access to the DNS server from the internal network.

My question regarding "XML" was the following: the Zentyal configuration including the firewall rules have to be stored somewhere (possibly in XML files). Since the firewall rules are not visible in the webadmin interface, is it possible to delete these outdated rules by editing the files where they are stored?

jbahillo

  • Zentyal Staff
Re: iptables rules without matching Packet Filter rules
« Reply #5 on: January 05, 2015, 11:40:54 am »
Hello:

Such configuration is stored in the Redis database. I would suggest trying to avoid editing it directly, as the chances of corrupting it if you are not clear about what to do and how to do it are really high.

thorstenk

Re: iptables rules without matching Packet Filter rules
« Reply #6 on: January 05, 2015, 12:15:20 pm »
I understand. I did a grep on the whole file system and the following files showed up:
/etc/dhcp/dhcpd.conf:option domain-name-servers 127.0.0.1, 192.168.201.1;
/run/resolvconf/interface/zentyal.dnsr1:nameserver 192.168.201.1

I changed the address but the changes were reverted after restarting the firewall (probably from the redis database). I reconfigured the DHCP service but to no avail. I guess we're stuck with these ghost rules...

jbahillo

  • Zentyal Staff
Re: iptables rules without matching Packet Filter rules
« Reply #7 on: January 05, 2015, 12:19:54 pm »
Hello:

I think this is your old nameserver. Anyhow, this does not look too important (it just allows DNS queries to that IP address).

In any case you might disable the DNS module and change your DNS server, or edit it in Redis (if you go through this, please note that I cannot guarantee that you don't break the server config).