Remove iptables rules across boot

Hi,

On BSP 5.6, iptables is enabled.

After a reboot, iptables -L shows:
(no rules for INPUT)
(no rules for ACCEPT)
but rules for OUTPUT:
DROP tcp -- anywhere anywhere tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:https

Content of /etc/iptables/iptables.rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Deleting the output rules manually works, but after a reboot they are there again which I do not want.

Disabling the pre-installed service (systemctl disable iptables.service) did not change anything.

Is there anything more pre-installed which I do not see?

How can I remove these rules?

Best,
M

Hi @mkock !

I just installed the Reference Minimal Image from BSP 5.7.0 using Toradex Easy Installer on an Apalis iMX6D 512MB V1.1B.

root@apalis-imx6-10692081:~# cat /etc/os-release
ID=tdx-xwayland
NAME="TDX Wayland with XWayland"
VERSION="5.7.0+build.20 (dunfell)"
VERSION_ID=5.7.0-build.20
PRETTY_NAME="TDX Wayland with XWayland 5.7.0+build.20 (dunfell)"
DISTRO_CODENAME="dunfell"
root@apalis-imx6-10692081:~# cat /etc/iptables/iptables.rules
root@apalis-imx6-10692081:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@apalis-imx6-10692081:~#

As you can see above, the iptables.rules file is empty.

By searching for the iptables.rules file within the default layers from Toradex’s manifest, this is what I get:

[  5:41 ]  [ ~/yocto/oe-workdir/tdxref-bsp-5/layers ]  [ 130 ]
 $ cat -pp openembedded-core/meta/recipes-extended/iptables/iptables/iptables.service
[Unit]
Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

[  5:41 ]  [ ~/yocto/oe-workdir/tdxref-bsp-5/layers ]
 $ rg iptables.rules
openembedded-core/scripts/runqemu-ifdown
54:# cleanup the remaining iptables rules

openembedded-core/meta/recipes-extended/iptables/iptables_1.8.4.bb
15:           file://iptables.rules \
50:    install -m 0644 ${WORKDIR}/iptables.rules ${D}${IPTABLES_RULES_DIR}

openembedded-core/meta/recipes-extended/iptables/iptables/iptables.service
8:ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
9:ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules

[  5:41 ]  [ ~/yocto/oe-workdir/tdxref-bsp-5/layers ]
 $ cat -pp openembedded-core/meta/recipes-extended/iptables/iptables/iptables.rules

The recipe openembedded-core/meta/recipes-extended/iptables/iptables_1.8.4.bb is the only recipe responsible for the iptables.rules file (which is empty) that I see in my freshly installed image, as we can check using the oe-pkgdata-util tool:

pokyuser@9443597fae04:/workdir/tdxref-bsp-5/build$ oe-pkgdata-util find-path /etc/iptables/iptables.rules
iptables: /etc/iptables/iptables.rules

Did you perform any modifications to your image or on your layers?

Best regards,

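As an added example (this is not code from the thread, from the Toradex BSP or from OpenEmbedded), the following POSIX shell script answers the question "is there anything more pre-installed which I do not see?" by listing every place on a systemd-based image from which iptables rules can be (re)applied at boot: units whose Exec* lines call iptables or iptables-restore (like the oe-core iptables.service shown above), other units that pull iptables.service in through Wants=/Requires=, *.wants symlinks left behind, non-empty rules files under /etc/iptables, and legacy ifupdown, NetworkManager dispatcher and rc.local hooks. The function names, the output format and the directory list are my own choices; the script assumes a standard systemd filesystem layout and GNU grep/find. It takes the filesystem root as an argument so it can be run as `find_iptables_hooks /` on the module, or against a mounted or staged rootfs from the build host.

```shell
#!/bin/sh
# Added example: audit where boot-time iptables rules can come from on a
# systemd-based image. Not part of the Toradex BSP or of the thread above.
set -eu

# find_iptables_hooks ROOT
# Prints one "kind:path" line per candidate source of rules.
# ROOT is the filesystem root to inspect ("/" on the target, or a staging dir).
find_iptables_hooks() {
    root="${1:-/}"
    unit_dirs="$root/etc/systemd/system $root/lib/systemd/system $root/usr/lib/systemd/system"

    # 1. Units that themselves run iptables / iptables-restore (e.g. the
    #    oe-core iptables.service with ExecStart=.../iptables-restore ...).
    for d in $unit_dirs; do
        [ -d "$d" ] || continue
        grep -rlE '^Exec(Start|StartPre|StartPost|Reload)=.*iptables' "$d" 2>/dev/null \
            | sed 's/^/unit:/'
    done

    # 2. Units that pull iptables.service in via Wants=/Requires=. These keep
    #    the service starting even after "systemctl disable iptables.service",
    #    because disable only removes the [Install] symlinks.
    for d in $unit_dirs; do
        [ -d "$d" ] || continue
        grep -rlE '^(Wants|Requires)=.*iptables\.service' "$d" 2>/dev/null \
            | sed 's/^/pulls-iptables-service:/'
    done

    # 3. Leftover *.wants symlinks (what "systemctl enable" creates).
    if [ -d "$root/etc/systemd/system" ]; then
        find "$root/etc/systemd/system" -name 'iptables.service' -path '*.wants/*' 2>/dev/null \
            | sed 's/^/wants-symlink:/'
    fi

    # 4. Rules files that are not empty (the oe-core default file is empty).
    for f in "$root/etc/iptables/iptables.rules" "$root/etc/iptables/ip6tables.rules"; do
        [ -s "$f" ] && echo "rules-file:$f"
    done

    # 5. Legacy hooks that run outside systemd's unit files.
    for d in "$root/etc/network/if-pre-up.d" "$root/etc/network/if-up.d" \
             "$root/etc/NetworkManager/dispatcher.d"; do
        [ -d "$d" ] || continue
        grep -rl 'iptables' "$d" 2>/dev/null | sed 's/^/network-hook:/'
    done
    [ -f "$root/etc/rc.local" ] && grep -q 'iptables' "$root/etc/rc.local" \
        && echo "rc-local:$root/etc/rc.local"
    return 0
}

# count_drop_rules FILE
# Prints how many "-j DROP" rules an iptables-save style file would restore.
count_drop_rules() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-j DROP' "$1" || true
}

# Run stand-alone: ./audit-iptables.sh /   (or a path to a mounted rootfs)
if [ $# -gt 0 ]; then
    find_iptables_hooks "$1"
fi
```

Two practical notes on reading the output: a unit found under "pulls-iptables-service" explains why `systemctl disable iptables.service` changes nothing, and the remedy in that case is `systemctl mask iptables.service`, which prevents the unit from starting at all; and because `iptables-restore` without `--noflush` replaces the whole contents of each table listed in the file, a rules file that only contains `*filter`, the three chain policies and `COMMIT` cannot itself be the origin of DROP rules, so any DROP rules present after boot come from one of the other sources the script lists.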
Hi,
thanks for your fast reply. I will check again if there is anything in our layers that could affect the iptables behaviour.

Hi @mkock ,

Happy New Year :tada:

Are there any updates on this issue?

Best Regards
Kevin