IPTABLE Postrouting Rules- How to add?

linds1234 · 15. April 2019

Hi OMV Gurus,

I'm trying to limit the upload rate of the proftpd server on my OMV box.

Trying to achieve exactly this:

https://forum.openmediavault.o…e-ProFTPd-service-itself/

By following this guide:

https://www.cyberciti.biz/faq/…ng-ftp-server-port-21-22/

How would I go about adding this section to iptables in OMV?:

Code

/sbin/iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j MARK --set-xmark 101 


/sbin/iptables -A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j RETURN

The OMV WebUI doesn't seem to cater for such rules...

If the guide(s) are out-dated here and there is a better way to implement these Traffic Control rules feel free to suggest a better way.

Thank you,
Lindsay

subzero79 · 15. April 2019

Zitat von linds1234

The OMV WebUI doesn't seem to cater for such rules...

You are correct the omv interface only manages INPUT/OUTPUT chains. You need to maintain your own set of scripts to load your NAT table rules.

Please take a look at iptables-persistent debian package. Do not attempt to use both the persistent commands and omv interface for the INPUT/OUTPUT chain they will get flushed on firewall changes in the omv interface

linds1234 · 15. April 2019

Thanks @subzero79

To make sure I'm understanding this correctly:

I installed iptables-persistent, it created a file called /etc/iptables/rules.v4. It gave me the option to import the current rules, I chose yes. Looking at the file it has indeed imported the current rules.

Now on reboot, OMV will be reading these rules by default, but if anything is changed via the GUI, they won't take effect as OMV is now forced to read rules.v4 only? Or will OMV only pick up rules in rules.v4 that aren't INPUT/OUTPUT Chains?

In that case should I *only* put these custom rules in /etc/iptables/rules.v4 ?

Thanks for your patience, my iptables knowledge is not the best.

subzero79 · 15. April 2019

Zitat von linds1234

Now on reboot, OMV will be reading these rules by default

no, any rules you add via the panel are stored in the internal database, it doesn't read from the iptables command, so whatever shows in the gui is what has been configured through the GUI. Can't remember the mechanism used to load them on boot, but only does INPUT/OUTPUT manipulation

Zitat von linds1234

Or will OMV only pick up rules in rules.v4 that aren't INPUT/OUTPUT Chains?

It will not. Read above

Just for now given that you want to maintain some complex rules, forget about the panel use your own set of scripts.

If you add rules in persistent folder for INPUT/OUPUT chain and then try to add more via omv, ALL INPUT/OUTPUT rules will be flushed, and put only what is configured from the webui

linds1234 · 15. April 2019

Thanks @subzero79

So close yet so far, can't crack it

I've got netfilter-persistent + iptables-persistent installed (apparently both is needed in debian now)

I run the commands in this order:

First I add the rules:

Code

-A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j MARK --set-xmark 101


-A POSTROUTING -t mangle -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j RETURN

Typing iptables-save shows them listed there.

Then I've tried saving them to the rule-set by either one of these methods:

Code

iptables-save > /etc/iptables/rules.v4

(which copies it across no problems)- the entry then appends a section at the bottom of rules.v4 that looks like this:

Code

*mangle


:PREROUTING ACCEPT [1986:369591]
:INPUT ACCEPT [1983:369186]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1498:218276]
:POSTROUTING ACCEPT [1642:255578]


-A POSTROUTING -o eth0 -p tcp -m multiport --sports 21,40000:41000 -j MARK --set-xmark 0x65/0xfffff$


-A POSTROUTING -o eth0 -p tcp -m multiport --sports 21,40000:41000  -j RETURN


COMMIT

Alles anzeigen

Then I attempt to below to make the rules "live":

Code

iptables-restore < /etc/iptables/rules.v4

I've also tried this method below as an alternative than running iptables-save to export to the rules.v4 file:

Code

netfilter-persistent save

But no matter what I do, I don't see the new rules applied with the iptables -L command- it looks like this:

Code

Chain INPUT (policy ACCEPT)


target     prot opt source               destination






Chain FORWARD (policy DROP)


target     prot opt source               destination


DOCKER-USER  all  --  anywhere             anywhere


DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere


ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED


DOCKER     all  --  anywhere             anywhere


ACCEPT     all  --  anywhere             anywhere


ACCEPT     all  --  anywhere             anywhere






Chain OUTPUT (policy ACCEPT)


target     prot opt source               destination






Chain DOCKER (1 references)


target     prot opt source               destination


ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:http






Chain DOCKER-ISOLATION-STAGE-1 (1 references)


target     prot opt source               destination


DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere


RETURN     all  --  anywhere             anywhere






Chain DOCKER-ISOLATION-STAGE-2 (1 references)


target     prot opt source               destination


DROP       all  --  anywhere             anywhere


RETURN     all  --  anywhere             anywhere






Chain DOCKER-USER (1 references)


target     prot opt source               destination


RETURN     all  --  anywhere             anywhere

Alles anzeigen

Am I doing something completely dumb here?

JohnStiles · 15. April 2019

OMV will always overwrite all rules and give what it has in its database defined with gui.
First, you must either force OMV to operate with your additional rules or prevent OMV from manipulating rules.

iptables-save > rule.dump
Edit
iptables-restore < rule.dump
iptables -L -v
They are now active. But you have to keep them to be always constant.

This is grid panel for adding iptables rules. This can be useful if you need to secure access in your local network. At the moment is only possible to add rules to the OUTPUT and INPUT chains in the filter table. The configuration to load the rules at boot or network restart is located in this file /etc/network/if-pre-up.d/openmediavault-iptables. The mkconf openmediavault script uses a run-parts folder /usr/share/mkconf/iptables.d where is possbile to store custom scripts to add rules to the NAT and RAW table or the FORWARD chain,

PS.
FTP in omv gui has a down / up limit ....

linds1234 · 15. April 2019

Hi @JohnStiles

Thanks for your reply.

Zitat von JohnStiles

iptables-save > rule.dump
Edit
iptables-restore < rule.dump
iptables -L -v
They are now active. But you have to keep them to be always constant.

With what I'm attempting with the 2 lines I'm trying to add, I'm doing exactly the above. The rules are saving to the "rules.v4" file, they look fine in there, but when restored they don't show at all with iptables -L v. This is without rebooting so OMV isn't even getting a chance to over-write it.

Zitat von JohnStiles

PS.
FTP in omv gui has a down / up limit ....

Yep but it only works if the FTP user limits themselves to one concurrent download. As soon as they start a 2nd it doesn't work.

See Fixed upload rate for ALL users or the ProFTPd service itself for more info

Cheers,
Lindsay

subzero79 · 15. April 2019

Zitat von linds1234

d they don't show at all with iptables -L v

This is because that command lists the filter table, for POSTROUTING you need the nat table

iptables -vnL -t nat

linds1234 · 15. April 2019

Zitat von subzero79

This is because that command lists the filter table, for POSTROUTING you need the nat table

iptables -vnL -t nat

Arghh- can't believe it. Have been doing things mostly right but have been doing the above command wrong. Thanks!

Actually shows with:

iptables -vnL -t mangle

Jetzt mitmachen!