Warning! Debian iptables v old kernels


#1

Short story:
Booting an old kernel (i.e. the one currently marked as ‘stable’ - the 2.6.32) on a Debian 7 wheezy VM
results in iptables rules not being loaded.

Long story:
I noticed I was getting attempts on my pop/imap ports on my VM, and then realised they should have been iptables firewalled off; iptables -L -v -n showed no rules were loaded.
I tried manually reloading them with iptables-restore and got the error ‘Can’t set policy ‘ACCEPT’ on ‘INPUT’ line 10: Bad built-in chain name’
(Frankly I think the stable kernel needs to be updated to something more modern!)

Fix:
Booted into one of the newer kernels (3.2.x currently)

I’m not sure what triggered this; my current set of theories:

  • Maybe it’s the first boot after I’d done an iptables-store from wheezy?
  • Maybe this has been broken ever since upgrade to wheezy?
  • Maybe the reboot that bytemark did for me a few days ago put me back to a stable kernel?

#2

Thanks to Patrick for helping investigate this more; it looks like this is generally more about kernel versions than the user land; so if you save an iptables state on one kernel (particularly a newer one) don’t expect it to load on another (particularly an older one).

Dave
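The failure mode in both posts is a firewall that silently comes up empty after a reboot (every built-in policy ACCEPT, no rules), and nobody notices until the port scans start. The following is an added example, not code from this thread or from Bytemark: a small POSIX shell check that reads iptables-save text and reports whether the filter table is actually filtering anything. The function names (firewall_state, filter_rule_count, report) and the three sample dumps are constructed for this example; on a real host you would feed it the output of iptables-save -t filter as root.

```shell
#!/bin/sh
# Added example, not code from the thread above. Detects the "fail-open" state
# described in the thread: the filter table has no rules and every built-in
# chain's policy is ACCEPT. It parses iptables-save text so it can be tried
# offline on constructed dumps; on a real host pass it "$(iptables-save -t filter)".

# firewall_state DUMP -> prints "open" or "filtered"
#   open     : no rules in the filter table and no built-in chain defaults to DROP
#   filtered : at least one filter rule is loaded, or a built-in policy is DROP
# Only the *filter table counts; nat/mangle rules do not block traffic.
# An empty dump (e.g. iptables-save failed) is reported as "open" on purpose.
firewall_state() {
    printf '%s\n' "$1" | awk '
        /^\*/                           { intable = ($0 == "*filter") }  # table header
        intable && /^:/ && $2 == "DROP" { strict++ }   # built-in chain with DROP policy
        intable && /^-A /               { rules++ }    # a rule in the filter table
        END { if (rules + strict > 0) print "filtered"; else print "open" }
    '
}

# filter_rule_count DUMP -> number of -A rules in the filter table
filter_rule_count() {
    printf '%s\n' "$1" | awk '
        /^\*/             { intable = ($0 == "*filter") }
        intable && /^-A / { n++ }
        END { print n + 0 }
    '
}

# Constructed sample dumps (not captured from any real host).

# 1. What the symptom in the thread looks like in iptables-save form.
EMPTY_DUMP=$(cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)

# 2. A typical host ruleset: default-deny INPUT with a few allow rules.
GOOD_DUMP=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
)

# 3. Only a nat rule survived; the filter table is still empty, so still open.
NAT_ONLY_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
)

# report DUMP LABEL -> one line summary; swap echo for logger/mail in a boot hook
report() {
    state=$(firewall_state "$1")
    echo "$2: $state ($(filter_rule_count "$1") rules)"
}

report "$EMPTY_DUMP"    "empty"      # empty: open (0 rules)
report "$GOOD_DUMP"     "good"       # good: filtered (3 rules)
report "$NAT_ONLY_DUMP" "nat-only"   # nat-only: open (0 rules)
```

Run it from an @reboot cron entry or an if-up.d hook with report "$(iptables-save -t filter)" live and replace the echo with logger or mail, so a kernel that refuses the saved ruleset produces an alert rather than a quietly open host. Before rebooting into a different kernel, iptables-restore also accepts a --test option that parses and builds the saved ruleset without committing it; running it under the kernel you intend to stay on can surface a load failure of this kind ahead of time without touching the live rules.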