New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1
Accepted Solution

Making permanent changes to iptables on EdgeOS

I am making the following change on one of the iptables:

sudo iptables -t mangle -A VYATTA_FW_IN_HOOK -i pppoes+ -j balance

But this change tends to go away periodically and of course on reboot. How can I make this change permanent?


Accepted Solutions
Veteran Member
Posts: 4,135
Registered: ‎05-15-2014
Kudos: 1561
Solutions: 283

Re: Making permanent changes to iptables on EdgeOS

See second link in my signature, the post describes the filesystem folders where you need to place your scripts to be executed after reboot.

What do you mean that the info disappears periodically? Other than reboot?

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

I am not sure about the periodic thing but the change did go away after some hours even without a reboot or power failure.

Veteran Member
Posts: 8,069
Registered: ‎03-24-2016
Kudos: 2117
Solutions: 927

Re: Making permanent changes to iptables on EdgeOS

Did you make any CLI or GUI changes? They might overwrite your custom rules.

Or maybe iptables rules are re-initiated on interfaces (like pppoe, dhcp) going up/down.

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

Maybe yes. Any idea of how to mitigate this? Thanks!

Veteran Member
Posts: 8,069
Registered: ‎03-24-2016
Kudos: 2117
Solutions: 927

Re: Making permanent changes to iptables on EdgeOS

First of all, is what you're trying to accomplish not possible using normal firewall (modify) rules?

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

[ Edited ]

The above change is the solution to this problem: https://community.ubnt.com/t5/EdgeRouter/PPPoE-Clients-and-load-balancing/td-p/828776

This is an almost 5-year-old thread. I am not sure if this has been implemented in the normal firewall rules yet.

Veteran Member
Posts: 6,343
Registered: ‎01-04-2017
Kudos: 917
Solutions: 322

Re: Making permanent changes to iptables on EdgeOS

I don't believe I have seen anything like that integrated yet. It would be easier to provide you a solution if you knew exactly when that rule was being removed. Can you do some tests?

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

Sure, what would you like me to do?

Veteran Member
Posts: 4,135
Registered: ‎05-15-2014
Kudos: 1561
Solutions: 283

Re: Making permanent changes to iptables on EdgeOS


@heychirag wrote:

The above change is the solution to this problem: https://community.ubnt.com/t5/EdgeRouter/PPPoE-Clients-and-load-balancing/td-p/828776

This is an almost 5-year-old thread. I am not sure if this has been implemented in the normal firewall rules yet.


Paging @UBNT-Fenng who is currently working on LB enhancements for upcoming release. Hoping this could be easy to implement as EdgeOS command since @UBNT-stig provided the iptables command.

Ubiquiti Employee
Posts: 313
Registered: ‎08-11-2016
Kudos: 65
Solutions: 6

Re: Making permanent changes to iptables on EdgeOS

Thanks for your suggestions.

We will try to add this command for pppoes interfaces.

This could be added to CLI like this:  

"set interfaces pppoe firewall in modify WAN_POLICY"

Or perhaps "set service pppoe-server firewall in modify WAN_POLICY"

New Member
Posts: 9
Registered: ‎02-09-2019
Kudos: 2

Re: Making permanent changes to iptables on EdgeOS

In the meantime you can try adding the rule to the default PREROUTING chain instead of the internal one created by EdgeOS.

sudo iptables -t mangle -A PREROUTING -i pppoes+ -j balance

This should have a better chance of being left alone by any internal configuration changes.

To also have it survive a reboot you can create a script in /config/scripts/post-config.d/
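
A sketch of such a boot script, added here as an example and not part of the post above or of EdgeOS itself. The file name is hypothetical, and it assumes the installed iptables supports `-C` (rule check); it adds the PREROUTING rule only when it is missing, so repeated runs never stack duplicates, and it skips cleanly when the `balance` chain does not exist yet.

```shell
#!/bin/sh
# Hypothetical file: /config/scripts/post-config.d/pppoes-balance.sh (chmod +x)
# Re-adds the mangle rule from this thread only when it is absent.

IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# ensure_rule TABLE CHAIN RULE-SPEC...
# Returns 0 if the rule is present afterwards, non-zero otherwise.
ensure_rule() {
    table=$1; chain=$2; shift 2
    # -C exits 0 when an identical rule already exists in the chain
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# target_exists TABLE CHAIN
# A jump target must exist before a rule can reference it.
target_exists() {
    "$IPT" -t "$1" -n -L "$2" >/dev/null 2>&1
}

apply_pppoes_balance() {
    if ! target_exists mangle balance; then
        echo "pppoes-balance: chain 'balance' not in mangle table, skipping" >&2
        return 1
    fi
    ensure_rule mangle PREROUTING -i 'pppoes+' -j balance
}

apply_pppoes_balance || echo "pppoes-balance: rule not applied" >&2
```

Because the function is idempotent, the same script can also be re-run by hand after a configuration change to confirm the rule is still in place.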

Ubiquiti Employee
Posts: 313
Registered: ‎08-11-2016
Kudos: 65
Solutions: 6

Re: Making permanent changes to iptables on EdgeOS

@heychirag Which kind of EdgeRouter are you using? I will send you a test image.

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

ER-X. Will I easily be able to downgrade if something(s) don't work properly?

Thanks!

Veteran Member
Posts: 4,135
Registered: ‎05-15-2014
Kudos: 1561
Solutions: 283

Re: Making permanent changes to iptables on EdgeOS


@heychirag wrote:

ER-X. Will I easily be able to downgrade if something(s) don't work properly?

Thanks!


Yes, see 2nd link in my signature that explains dual images (firmwares) on the router and how to switch between them.

Ubiquiti Employee
Posts: 313
Registered: ‎08-11-2016
Kudos: 65
Solutions: 6

Re: Making permanent changes to iptables on EdgeOS

[ Edited ]

The image with these new features:

1)  New Load-balance

2) Add 'set interface pppoes pppoe0 firewall modify' command

3) Add PBR for IPV6. 

set protocols static table xxx route6 ...
set protocols static table xxx interface-route6 ...
set firewall ipv6-modify xxx rule yyy modify table ...
show ipv6 route table ...
show firewall ipv6-modify ..


Updated: 2019-02-14

1) Remove debug print.

2) Add image for ER-8-XG.

Updated: 2019-02-19

1) Fixed: Multi Groups delete group fail.

The test image links:

(Because it is for testing, we moved it to the Beta forum.)

(If you want to get the image, you must apply as a Beta forum user.)

https://community.ubnt.com/t5/EdgeRouter-Beta/Load-Balance-test-image/m-p/2684641#M24732

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

For now, the only config I have applied is

set interface pppoes pppoes0 firewall in modify balance

I don't think I am using ipv6. Do I still need to add PBR for it?

Ubiquiti Employee
Posts: 313
Registered: ‎08-11-2016
Kudos: 65
Solutions: 6

Re: Making permanent changes to iptables on EdgeOS

[ Edited ]

@heychirag No. You don't need to configure PBR ipv6.

The PBR ipv6 is for other users.

ER is powerful. It has many features. Just configure what is necessary.

New Member
Posts: 39
Registered: ‎02-10-2019
Solutions: 1

Re: Making permanent changes to iptables on EdgeOS

set interface pppoes pppoes0 firewall in modify balance

This didn't work with the new test firmware. I restarted the router and wasn't able to see the intended effects. I had to use 'sudo iptables -t mangle -A PREROUTING -i pppoes+ -j balance' again to make it work.

Ubiquiti Employee
Posts: 313
Registered: ‎08-11-2016
Kudos: 65
Solutions: 6

Re: Making permanent changes to iptables on EdgeOS

Did you commit?