Sometimes this script fails to update the iptables

Posted by AlJo on Server Fault See other posts from Server Fault or by AlJo
Published on 2014-08-24T23:33:28Z Indexed on 2014/08/25 4:22 UTC
Read the original article Hit count: 691

Filed under:
|

It does not happen often, but sometimes after running the below script, checking the iptables with service iptables status shows that they weren't updated and the script doesn't output any error.

The iptables is structured as look-up tree (long repeated sections snipped):

#!/bin/sh

iptables -t nat -F
iptables -t nat -X
iptables -F
iptables -X 
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 93.225.0.0/16 -j ACCEPT
iptables -A INPUT -s 15.102.0.0/16 -j ACCEPT
iptables -A INPUT -s 47.122.0.0/16 -j ACCEPT

iptables -N MY_CHAIN_L1-0
iptables -N MY_CHAIN_L1-1
iptables -N MY_CHAIN_L1-2
iptables -N MY_CHAIN_L1-3
iptables -N MY_CHAIN_L1-4
iptables -N MY_CHAIN_L1-5
iptables -N MY_CHAIN_L1-6
iptables -N MY_CHAIN_L1-7
iptables -N MY_CHAIN_L1-8
iptables -N MY_CHAIN_L1-9
iptables -N MY_CHAIN_L1-10
iptables -N MY_CHAIN_L1-11
iptables -N MY_CHAIN_L1-12
iptables -N MY_CHAIN_L1-13
iptables -N MY_CHAIN_L1-14
iptables -N MY_CHAIN_L1-15
iptables -N MY_CHAIN_L1-16
iptables -N MY_CHAIN_L1-17
iptables -N MY_CHAIN_L1-18
iptables -N MY_CHAIN_L1-19
iptables -N MY_CHAIN_L1-20
iptables -N MY_CHAIN_L1-21
iptables -N MY_CHAIN_L1-22
iptables -N MY_CHAIN_L1-23
iptables -N MY_CHAIN_L1-24
iptables -N MY_CHAIN_L1-25
iptables -N MY_CHAIN_L1-26
iptables -N MY_CHAIN_L1-27
iptables -N MY_CHAIN_L1-28
iptables -N MY_CHAIN_L1-29 
iptables -N MY_CHAIN_L1-30
iptables -N MY_CHAIN_L1-31
iptables -N MY_CHAIN_L1-32
iptables -N MY_CHAIN_L1-33
iptables -N MY_CHAIN_L1-34
iptables -N MY_CHAIN_L1-35
iptables -N MY_CHAIN_L1-36
iptables -N MY_CHAIN_L1-37

iptables -A INPUT -m iprange --src-range 1.54.96.0-5.133.179.255 -j MY_CHAIN_L1-0
iptables -A INPUT -m iprange --src-range 5.133.180.0-24.113.159.255 -j MY_CHAIN_L1-1
[snip]
iptables -A INPUT -m iprange --src-range 195.13.45.0-198.11.255.255 -j MY_CHAIN_L1-29 
iptables -A INPUT -m iprange --src-range 198.12.64.0-199.19.215.255 -j MY_CHAIN_L1-30
iptables -A INPUT -m iprange --src-range 199.21.96.0-200.31.3.255 -j MY_CHAIN_L1-31
iptables -A INPUT -m iprange --src-range 200.31.11.0-202.171.255.255 -j MY_CHAIN_L1-32
iptables -A INPUT -m iprange --src-range 203.130.134.192-206.212.255.255 -j MY_CHAIN_L1-33
iptables -A INPUT -m iprange --src-range 206.214.64.0-211.155.95.255 -j MY_CHAIN_L1-34
iptables -A INPUT -m iprange --src-range 212.19.128.0-216.176.191.255 -j MY_CHAIN_L1-35
iptables -A INPUT -m iprange --src-range 216.189.0.0-218.23.255.255 -j MY_CHAIN_L1-36
iptables -A INPUT -m iprange --src-range 218.30.96.0-223.255.231.255 -j MY_CHAIN_L1-37

iptables -A MY_CHAIN_L1-0 -s 1.54.96.0/20 -j DROP
iptables -A MY_CHAIN_L1-0 -s 1.208.0.0/12 -j DROP
iptables -A MY_CHAIN_L1-0 -s 1.224.0.0/11 -j DROP
[snip]
iptables -A MY_CHAIN_L1-0 -s 5.133.178.0/23 -j DROP
iptables -A MY_CHAIN_L1-0 -j ACCEPT


iptables -A MY_CHAIN_L1-1 -s 5.133.180.0/22 -j DROP
iptables -A MY_CHAIN_L1-1 -s 5.135.0.0/16 -j DROP
iptables -A MY_CHAIN_L1-1 -s 5.153.232.0/21 -j DROP
[snip]
iptables -A MY_CHAIN_L1-1 -s 24.113.128.0/19 -j DROP
iptables -A MY_CHAIN_L1-1 -j ACCEPT

.
.
.

iptables -A MY_CHAIN_L1-29 -s 195.13.45.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.20.224.0/19 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.31.216.0/26 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.58.245.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.60.164.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.60.240.0/22 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.62.10.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.110.30.0/23 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.154.0.0/16 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.190.13.0/24 -j DROP
iptables -A MY_CHAIN_L1-29 -s 195.211.152.0/22 -j DROP 
iptables -A MY_CHAIN_L1-1 -j ACCEPT

[snip more of same to end of script]

Can anyone see why this script would silently fail to update the iptables sometimes? Maybe it's not the script?

Thanks

© Server Fault or respective owner

Related posts about iptables

Related posts about spam-prevention