Fedora Linux Support Community & Resources Center

  #1  
Old 25th January 2010, 11:42 AM
M.e.M.O. Offline
Registered User
 
Join Date: May 2007
Posts: 47
IPtables Rejects rules upon first boot

Hello,

I am trying to solve a strange problem which occurred after upgrading many packages including kernel and iptables.

This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.
Symptom is:
I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.

I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.

And my question is, how can I fix this? Where do I check for a start?
Reply With Quote
  #2  
Old 25th January 2010, 01:07 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,050
Probably the last thing you wanted to hear but it's likely the upgrade. i.e., I think you upgraded from F10 to 11 or 12. Best just to do a clean install and you can confirm this with a live cd.
Reply With Quote
  #3  
Old 26th January 2010, 08:31 AM
M.e.M.O. Offline
Registered User
 
Join Date: May 2007
Posts: 47
I did not upgrade the Fedora version, it's just the kernel and iptables (and so others) versions. And you're right, installation from scratch is the last thing I want to hear. That PC is running for well over a year and has the exact setup I needed. Reinstalling and reconfiguring it will take days of work.
Any other suggestions?
Reply With Quote
  #4  
Old 26th January 2010, 12:00 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,050
Well I understand that contrack was replaced by nftrack (? I'm unsure of name ?). If you're up to a .3x kernel then that might be or related to your problem. But I'm only guessing.

Late edit; I found the thread discussing conntrack nf-conntrack (connection tracking). It's been that way for a long time so I'm grasping at straws. First guess was probably the correct guess.

Last edited by beaker_; 26th January 2010 at 01:59 PM.
Reply With Quote
  #5  
Old 27th January 2010, 01:15 AM
stoat Offline
Registered User
 
Join Date: Jun 2006
Posts: 7,551
Quote:
Originally Posted by M.e.M.O.

IPtables Rejects rules upon first boot
Hello M.e.M.O.,

So are you using the firewall GUI applet to configure the firewall? Because when you use that and "Apply", it saves the configuration to /etc/sysconfig/iptables. That configuration gets loaded up at boot time. But if you're establishing the rules some other way such as a script, then you have to remember to save them so they will survive a reboot. Maybe that's what you need to do. Maybe another configuration somehow got saved to /etc/sysconfig/iptables, and you need to save yours again. If this is the way you want it...
Code:
su
iptables -L
...then save it with this...
Code:
su
service iptables save
Even if it's not the problem, it shouldn't harm anything if done carefully and correctly.
Reply With Quote
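Added example, not part of the thread: a way to check whether the running rules still match the file that is loaded at boot, as described in the post above. The function names are hypothetical, and the script assumes `iptables-save` is installed and that `/etc/sysconfig/iptables` holds an `iptables-save` style dump.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# SAVED_RULES is the path named in the post above.
SAVED_RULES=/etc/sysconfig/iptables

# Reduce an iptables-save style dump to its rules: drop comment lines, the
# [packets:bytes] counters and blank lines, which differ between dumps of an
# otherwise identical ruleset.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*\]//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Return 0 if two dumps hold the same rules in the same order, 1 if not,
# 2 if a file cannot be read.
rules_match() {
    a=$(normalize_rules "$1") || return 2
    b=$(normalize_rules "$2") || return 2
    [ "$a" = "$b" ]
}

# Compare the running IPv4 ruleset with the saved file (run as root).
check_running_against_saved() {
    live=$(mktemp) || return 2
    iptables-save > "$live" || { rm -f "$live"; return 2; }
    rules_match "$SAVED_RULES" "$live"
    rc=$?
    rm -f "$live"
    if [ "$rc" -eq 1 ]; then
        echo "running rules differ from $SAVED_RULES" >&2
    fi
    return "$rc"
}

# Run the live comparison only when asked to.
if [ "${1:-}" = "--check" ]; then check_running_against_saved; fi
```

The comparison is textual: a file that was written by hand or by a tool other than `iptables-save` may order a rule's options differently and show as a mismatch.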
  #6  
Old 28th January 2010, 09:25 AM
M.e.M.O. Offline
Registered User
 
Join Date: May 2007
Posts: 47
Well, sort of bad news.

It is not related to iptables (in my guessing). To determine the problem, I have disabled IPtables and IP6tables from services and using the pc for 2 days. At the moment, PC responds queries from local network and rejects queries from outside.
Ping, ftp, http, and none of other services served by that machine is accessible. And I don't know where to start checking. Nothing in logs that makes sense...

---------- Post added at 11:25 AM CST ---------- Previous post was at 10:39 AM CST ----------

Code:
Jan 26 08:50:46 XXXXX kernel: NET: Registered protocol family 10
Jan 26 08:50:46 XXXXX kernel: lo: Disabled Privacy Extensions
Jan 26 08:50:46 XXXXX kernel: e100: eth1: e100_watchdog: link up, 100Mbps, full-duplex
Jan 26 08:50:46 XXXXX kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
Jan 26 08:50:46 XXXXX kernel: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
Jan 26 08:50:46 XXXXX rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="1616" x-info="http://www.rsyslog.com"] (re)start
Jan 26 08:50:46 XXXXX rpc.statd[1652]: Version 1.1.4 Starting
Jan 26 08:50:46 XXXXX kernel: RPC: Registered udp transport module.
Jan 26 08:50:46 XXXXX kernel: RPC: Registered tcp transport module.
Jan 26 08:50:47 XXXXX kdump: No crashkernel parameter specified for running kernel
Jan 26 08:50:47 XXXXX kdump: failed to start up
Jan 26 08:50:48 XXXXX acpid: starting up
Jan 26 08:50:51 XXXXX acpid: client connected from 1900[68:68]
Jan 26 08:50:52 XXXXX named[1903]: starting BIND 9.5.2-RedHat-9.5.2-1.fc10 -u named -t /var/named/chroot
Jan 26 08:50:52 XXXXX named[1903]: adjusted limit on open files from 1024 to 1048576
Jan 26 08:50:52 XXXXX named[1903]: found 1 CPU, using 1 worker thread
Jan 26 08:50:52 XXXXX named[1903]: using up to 4096 sockets
Jan 26 08:50:52 XXXXX named[1903]: loading configuration from '/etc/named.conf'
Jan 26 08:50:52 XXXXX named[1903]: using default UDP/IPv4 port range: [1024, 65535]
Jan 26 08:50:52 XXXXX named[1903]: using default UDP/IPv6 port range: [1024, 65535]
Jan 26 08:50:52 XXXXX named[1903]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 26 08:50:52 XXXXX named[1903]: listening on IPv4 interface eth1, xxx.xxx.xxx.xxx#53
Jan 26 08:50:52 XXXXX named[1903]: listening on IPv6 interface lo, ::1#53
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 127.IN-ADDR.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: D.F.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: A.E.F.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: automatic empty zone: B.E.F.IP6.ARPA
Jan 26 08:50:52 XXXXX named[1903]: command channel listening on 127.0.0.1#953
Jan 26 08:50:52 XXXXX named[1903]: command channel listening on ::1#953
Jan 26 08:50:52 XXXXX named[1903]: the working directory is not writable
Jan 26 08:50:52 XXXXX named[1903]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Jan 26 08:50:52 XXXXX named[1903]: zone 0.in-addr.arpa/IN: loaded serial 0
Jan 26 08:50:52 XXXXX named[1903]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Jan 26 08:50:52 XXXXX named[1903]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 26 08:50:52 XXXXX named[1903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Jan 26 08:50:52 XXXXX named[1903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Jan 26 08:50:52 XXXXX named[1903]: zone localhost.localdomain/IN: loaded serial 0
Jan 26 08:50:52 XXXXX named[1903]: zone localhost/IN: loaded serial 0
Jan 26 08:50:52 XXXXX named[1903]: running
Jan 26 08:50:54 XXXXX xinetd[1932]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jan 26 08:50:54 XXXXX xinetd[1932]: Started working: 0 available services
Jan 26 08:50:58 XXXXX /usr/sbin/gpm[2060]: *** info [daemon/startup.c(136)]: 
Jan 26 08:50:58 XXXXX /usr/sbin/gpm[2060]: Started gpm successfully. Entered daemon mode.
Jan 26 08:51:04 XXXXX smbd[2101]: [2010/01/26 08:51:04,  0] printing/print_cups.c:cups_connect(78)
Jan 26 08:51:04 XXXXX smbd[2101]:   Unable to connect to CUPS server localhost:631 - Bağlantı reddedildi
Jan 26 08:51:04 XXXXX smbd[2110]: [2010/01/26 08:51:04,  0] printing/print_cups.c:cups_connect(78)
Jan 26 08:51:04 XXXXX smbd[2110]:   Unable to connect to CUPS server localhost:631 - Bağlantı reddedildi
Jan 26 08:51:13 XXXXX fail2ban.server : INFO   Changed logging target to SYSLOG for Fail2ban v0.8.4
Jan 26 08:51:13 XXXXX fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
Jan 26 08:51:13 XXXXX fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
Jan 26 08:51:13 XXXXX fail2ban.filter : INFO   Added logfile = /var/log/secure
Jan 26 08:51:13 XXXXX fail2ban.filter : INFO   Set maxRetry = 5
Jan 26 08:51:13 XXXXX fail2ban.filter : INFO   Set findtime = 600
Jan 26 08:51:13 XXXXX fail2ban.actions: INFO   Set banTime = 3600
Jan 26 08:51:14 XXXXX fail2ban.jail   : INFO   Jail 'ssh-iptables' started
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Found user 'avahi' (UID 497) and group 'avahi' (GID 494).
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Successfully dropped root privileges.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: avahi-daemon 0.6.22 starting up.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Successfully called chroot().
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Successfully dropped remaining capabilities.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Loading service file /services/ssh.service.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Joining mDNS multicast group on interface eth1.IPv4 with address xxx.xxx.xxx.xxx.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: New relevant interface eth1.IPv4 for mDNS.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Network interface enumeration completed.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Registering new address record for fe80::208:c7ff:fe8c:88e9 on eth1.*.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Registering new address record for xxx.xxx.xxx.xxx on eth1.IPv4.
Jan 26 08:51:14 XXXXX avahi-daemon[2282]: Registering HINFO record with values 'I686'/'LINUX'.
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'mail.com/AAAA/IN': 2001:dc3::35#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns1.ultradns.net/A/IN': 2001:503:ba3e::2:30#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns1.ultradns.net/AAAA/IN': 2001:503:ba3e::2:30#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns3.ultradns.org/A/IN': 2001:500:b::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns3.ultradns.org/A/IN': 2001:500:e::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns3.ultradns.org/A/IN': 2001:500:f::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns3.ultradns.org/A/IN': 2001:500:48::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns3.ultradns.org/A/IN': 2001:500:40::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns5.ultradns.info/A/IN': 2001:500:41::1#53
Jan 26 08:51:15 XXXXX named[1903]: network unreachable resolving 'pdns5.ultradns.info/AAAA/IN': 2001:500:41::1#53
Jan 26 08:51:15 XXXXX avahi-daemon[2282]: Server startup complete. Host name is XXXXX.local. Local service cookie is 930705160.
Jan 26 08:51:16 XXXXX avahi-daemon[2282]: Service "XXXXX" (/services/ssh.service) successfully established.
Jan 26 08:51:23 XXXXX kernel: fuse init (API version 7.9)
Jan 26 08:51:26 XXXXX gnome-session[2737]: EggSMClient-WARNING: Desktop file '/home/XXXXX/.config/autostart/esc.desktop' has malformed Icon key 'esc.png'(should not include extension)
Jan 26 08:51:26 XXXXX gnome-session[2805]: EggSMClient-WARNING: Desktop file '/home/XXXXX/.config/autostart/esc.desktop' has malformed Icon key 'esc.png'(should not include extension)
Jan 26 08:51:34 XXXXX kernel: audit(1264488694.336:8160): auid=4294967295 ses=4294967295 op=remove rule key=(null) list=2 res=0
Jan 26 08:51:34 XXXXX kernel: audit(1264488694.336:8161): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 res=1
Jan 26 08:52:02 XXXXX pulseaudio[3012]: main.c: Called SUID root and real-time and/or high-priority scheduling was requested in the configuration. However, we lack the necessary privileges:
Jan 26 08:52:02 XXXXX pulseaudio[3012]: main.c: We are not in group 'pulse-rt', PolicyKit refuse to grant us the requested privileges and we have no increase RLIMIT_NICE/RLIMIT_RTPRIO resource limits.
Jan 26 08:52:02 XXXXX pulseaudio[3012]: main.c: For enabling real-time/high-priority scheduling please acquire the appropr
Something happens before those bold lines that I can not figure out.

Well, as now I can see that PC returns "network unreachable" error when I try to ping anywhere. But weirdly, it is connected through local network. It can not answer outside queries, it can not connect anywhere, but I can connect to it via another PC on the same network. Can this get any weirder?

By the way, I saw something about a cron job saying System-autodeath. What is that?

Code:
Jan 26 12:59:49 XXXX autodeath: Default route disabled by autodeath cron job. See: man system-autodeath for more information.

Last edited by M.e.M.O.; 28th January 2010 at 09:30 AM.
Reply With Quote
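Added example, not part of the thread: the `autodeath` line quoted above reports that the default route was disabled, and a host without a default route still answers its directly connected network but cannot reach or answer anything beyond it. The script below checks for that state from a routing table in `/proc/net/route` format and the syslog; the function names are hypothetical and the sample data in `demo` is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeed if a routing table in /proc/net/route format holds an IPv4 default
# route: destination and mask both 00000000 and the RTF_UP bit (0x1) set.
has_default_route() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" &&
         substr($4, length($4)) ~ /[13579BDFbdf]/ { found = 1 }
         END { exit (found ? 0 : 1) }' "${1:-/proc/net/route}"
}

# Print syslog lines in which a job reports removing the default route.
# named's "network unreachable ... 2001:...#53" lines are not matched: they
# name IPv6 servers and only show that the host has no IPv6 route.
route_removed_events() {
    grep 'Default route disabled' "${1:-/var/log/messages}"
}

# Classify the state. $1 = routing table file, $2 = syslog file.
diagnose() {
    if has_default_route "$1"; then
        echo "default-route-present"
    elif route_removed_events "$2" > /dev/null; then
        echo "default-route-removed-by-job"
    else
        echo "default-route-missing"
    fi
}

# Constructed sample: only the connected LAN route is left, and the syslog
# holds the autodeath line quoted in the post.
demo() {
    d=$(mktemp -d) || return 1
    printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n' > "$d/route"
    printf 'eth1\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n' >> "$d/route"
    echo 'Jan 26 12:59:49 XXXX autodeath: Default route disabled by autodeath cron job. See: man system-autodeath for more information.' > "$d/log"
    diagnose "$d/route" "$d/log"
    rm -rf "$d"
}

# Run the constructed sample only when asked to.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live host, `diagnose /proc/net/route /var/log/messages` runs the same check against the real routing table and log.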