iptables gives error when 'up' is called in openvpn config

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.
Iam7of9
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 13, 2015 3:46 pm

iptables gives error when 'up' is called in openvpn config

Postby Iam7of9 » Mon Feb 27, 2017 4:48 pm

Hi. This is driving me mad. I have a basic installation of ubuntu from mini.iso. Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-64-generic x86_64) get installed , just the core. Then I install openvpn.
When I connect after setting and changing the config file everything works fine, openvpn connects and I am happy. Now I run a script to setup some iptables. If I run this by hand everything works fine BUT if if execute this in the config with the up command the logs all shows erros.

Here is my conf file:
client
dev tun
proto udp
remote us-california.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass userpass.data
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ
log-append /var/log/openvpn/piavpn.log
script-security 2
up-delay
up /etc/openvpn/secure.run

and the secure.run file is:
#!/bin/bash
export TERM=${TERM:-dumb}
exec 1> >(logger -s -t $(basename $0)) 2>&1

IPT="/sbin/iptables"
echo "Clearing IP Tables..."
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t raw -F
$IPT -t raw -X
echo "Creating new IP Rules..."
$IPT -N LOGGING
exit 0


The logs are:
Mon Feb 27 11:24:48 2017 /sbin/ip addr del dev tun0 local 10.51.10.6 peer 10.51.10.5
Mon Feb 27 11:24:48 2017 SIGTERM[hard,] received, process exiting
Mon Feb 27 11:25:05 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Mon Feb 27 11:25:05 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Mon Feb 27 11:25:07 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Feb 27 11:25:07 2017 UDPv4 link local: [undef]
Mon Feb 27 11:25:07 2017 UDPv4 link remote: [AF_INET]198.8.80.133:1198
Mon Feb 27 11:25:07 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Feb 27 11:25:09 2017 [a33198cd61297aca65263483345cd5fa] Peer Connection Initiated with [AF_INET]198.8.80.133:1198
Mon Feb 27 11:25:11 2017 TUN/TAP device tun0 opened
Mon Feb 27 11:25:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Feb 27 11:25:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 27 11:25:11 2017 /sbin/ip addr add dev tun0 local 10.2.10.6 peer 10.2.10.5
Mon Feb 27 11:25:11 2017 /etc/openvpn/secure.run tun0 1500 1558 10.2.10.6 10.2.10.5 init

secure.run: Clearing IP Tables...
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.
secure.run: Creating new IP Rules...
secure.run: modprobe: ERROR: could not insert 'ip_tables': Operation not permitted
secure.run: iptables v1.6.0: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
secure.run: Perhaps iptables or your kernel needs to be upgraded.


I get the impression that iptables are loaded at a later stage the when the 'up' comman dis being run?
Please help!

The script on its own works flawless.
To confirm, # whereis iptables
iptables: /sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz

Please help!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2088
Joined: Fri Jun 03, 2016 1:17 pm

Re: iptables gives error when 'up' is called in openvpn config

Postby TinCanTech » Mon Feb 27, 2017 6:32 pm

Iam7of9 wrote:If I run this by hand everything works fine
How do you run it ?

harros
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 03, 2017 1:21 am

Re: iptables gives error when 'up' is called in openvpn config

Postby harros » Fri Mar 03, 2017 3:52 am

Iam7of9, I am observing the same problem, you are not alone :) "service openvpn restart" does not help the issue until I have iptables command run at least once (as root) in the console after OS boot. You are correct, I found no problem by lauching openvpn manually (as root).

It is due to the module ip_table not being loaded during OS boot. This is how I solve the problem:
1. Run the following in console:
sudo modprobe ip_tables
2. Add the following in /etc/modules:
ip_tables
3. Reboot.


Return to “Routing and Firewall Scripts”

Who is online

Users browsing this forum: No registered users and 1 guest