iptables-restore failing on the COMMIT line
Linode
Linode Staff
When my Linode booted networking failed to start because the firewall script could not be run:
May 15 01:13:03 networking[3073]: Configuring network interfaces...iptables-restore: line 38 failed^M
May 15 01:13:03 networking[3073]: run-parts: /etc/network/if-pre-up.d/firewall exited with return code 1^M
May 15 01:13:03 networking[3073]: ifup: pre-up script failed.^M
May 15 01:13:03 networking[3073]: failed.^M
May 15 01:13:03 systemd[1]: Started LSB: Raise network interfaces..^M
May 15 01:13:03 systemd[1]: Starting ifup for eth0...^M
May 15 01:13:03 systemd[1]: Started ifup for eth0.^M
...
May 15 01:13:03 joey ifup[3105]: run-parts: /etc/network/if-pre-up.d/firewall exited with return code 1^M
I've tried manually adding the rules in my /etc/network/if-pre-up.d/firewall and those were successful. However, when manually running:
/sbin/iptables-restore < /etc/iptables.firewall.rules
The command fails on the last line, which is COMMIT. How can I troubleshoot this?
1 Reply
Hi,
To get networking up, you can first run the following commands via Lish
mv /etc/network/if-pre-up.d/firewall ~/
Then reboot. This will restore your networking so you can work via SSH rather than Lish to troubleshoot your firewall rules.
Since manually running the rules one by one succeeded this is likely not syntax related. However, Iptables is very particular about spacing and new lines, if there are trailing spaces after your rules or spaces in the new lines you will receive errors.
- Create a backup file.
- Open the file in Vim:
- Use :set list to show all lines and line ending points, which is annotated by a ‘$’.
- Check for extra space(s) at the line specified in the error.
- Check for extra lines at the end of your file and extra spaces throughout.
- Save with :wq and try an iptables-restore.
cp /etc/iptables.firewall.rules /etc/iptables.firewall.rules.bak
vim /etc/iptables.firewall.rules
Once you've corrected the new lines and confirmed that your iptables-restore works manually, you can move the ~/firewall back to the /etc/network/if-pre-up.d/ directory.
mv ~/firewall /etc/network/if-pre-up.d/