How to load Iptable rules on startup, what plugs are needed?

fishyrabbit · March 16, 2018, 4:23pm

I am using ubuntu core as a gateway for a piece of industrial machinery. I need to have nat rules and a openvpn client that are loaded when the system is restarted. I have made my own snap that has a service that loads the openvpn settings, iptable rules and the sysctl setting to allow packet forwarding.

The interfaces I have given the snap access to are…

  - network
  - network-bind
  - network-control
  - firewall-control

but I am still having trouble with permissions, particularly with the iptables rules and the sysctl change.

What interfaces am I missing? Or am going about this the wrong way and there is a far easier way to accomplish this?

jdstrand · March 19, 2018, 4:51pm

These should be sufficient for what you describe as your use case (indeed, the ufw snap plugs only firewall-control). Are the interfaces connected? Use snap interfaces <snapname> to check. If not, use snap connect <snapname>:<interface> to connect them.

If they are connected, are there any security policy denials in the logs? Running sudo journalctl --follow|grep audit then running your snap will show you denials. You might also be interested in the snappy-debug snap: sudo snap install snappy-debug ; sudo snappy-debug.security scanlog in one terminal then exercise your snap.

fishyrabbit · March 23, 2018, 10:37am

Thanks.

I had only previously used auto connect plugs… Okay, the snap now works via the cli.

The issue I am having is that I have the iptables settings as a oneshot systemd service. When you install a snap with a oneshot service it runs on install and fails. This appears to cancel the install. This does not give me the opportunity to connect the interface to the plug.

Can you connect the interface during the install?

jdstrand · March 26, 2018, 7:50pm

You could use an install hook to check if you can do an operation allowed by the firewall-control interface (eg, /sbin/iptables --version, but it could be anything you want), then if it fails, create a stamp file in $SNAP_COMMON. Then your oneshot service checks if the stamp file exists and if so, exits with a message to tell the user to run ‘sudo snap connect :firewall-control’.

The user cannot, but there is something called a ‘snap declaration’ that can be issued by the store to auto-connect it on install. There is a process for requesting that: Process for aliases, auto-connections and tracks