Bug: cannot remove allowed input port from firewall

[mjsjml]

Is this urgent?

No

Host OS

Ubuntu 22.04

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-06-17T22:37:52.988Z (commit 93ed87d)

What's the problem 🤔

When gluetun fails a healthcheck and gets a new vpn connection, it can't resume port forwarding. The desired ports will be closed on the new connection. Things used to work fine with an older version of gluetun (don't know which one).

ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1

Share your logs (at least 10 lines)

2024-06-24T00:21:55.555343458Z 2024-06-23T17:21:55-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.10 and family v4
2024-06-24T00:21:55.555374628Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 0.0.0.0/0
2024-06-24T00:21:55.555422948Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed subnets...
2024-06-24T00:21:55.558813825Z 2024-06-23T17:21:55-07:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.10 and family v4
2024-06-24T00:21:55.558863994Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 192.168.2.0/24
2024-06-24T00:21:55.558878991Z 2024-06-23T17:21:55-07:00 INFO [routing] adding route for 192.168.3.0/24
2024-06-24T00:21:55.559692529Z 2024-06-23T17:21:55-07:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-06-24T00:21:55.560152708Z 2024-06-23T17:21:55-07:00 INFO [http server] http server listening on [::]:8010
2024-06-24T00:21:55.560488916Z 2024-06-23T17:21:55-07:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-06-24T00:21:55.562187406Z 2024-06-23T17:21:55-07:00 INFO [firewall] allowing VPN connection...
2024-06-24T00:21:55.580117711Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Using userspace implementation since Kernel support does not exist
2024-06-24T00:21:55.741081357Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Connecting to 146.70.76.34:1637
2024-06-24T00:21:55.741603225Z 2024-06-23T17:21:55-07:00 INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-06-24T00:21:55.741613525Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed input port 63799 through interface tun0...
2024-06-24T00:21:55.752390228Z 2024-06-23T17:21:55-07:00 INFO [firewall] setting allowed input port 15554 through interface tun0...
2024-06-24T00:21:55.755147894Z 2024-06-23T17:21:55-07:00 INFO [dns] downloading DNS over TLS cryptographic files
2024-06-24T00:22:05.757002689Z 2024-06-23T17:22:05-07:00 WARN [dns] cannot update files: Get "https://www.internic.net/domain/named.root": dial tcp: lookup www.internic.net on 1.1.1.1:53: read udp 10.128.195.141:45807->1.1.1.1:53: i/o timeout
2024-06-24T00:22:05.757016849Z 2024-06-23T17:22:05-07:00 INFO [dns] attempting restart in 10s
2024-06-24T00:22:10.743253391Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] program has been unhealthy for 6s: restarting VPN
2024-06-24T00:22:10.743308381Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] 👉 See https://github.com/qdm12/gluetun-wiki/blob/main/faq/healthcheck.md
2024-06-24T00:22:10.743323672Z 2024-06-23T17:22:10-07:00 INFO [healthcheck] DO NOT OPEN AN ISSUE UNLESS YOU READ AND TRIED EACH POSSIBLE SOLUTION
2024-06-24T00:22:10.743337244Z 2024-06-23T17:22:10-07:00 INFO [vpn] stopping
2024-06-24T00:22:10.743349214Z 2024-06-23T17:22:10-07:00 INFO [firewall] removing allowed port 63799...
2024-06-24T00:22:10.759074279Z 2024-06-23T17:22:10-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 63799 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 63799 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-06-24T00:22:10.759122005Z 2024-06-23T17:22:10-07:00 INFO [firewall] removing allowed port 15554...
2024-06-24T00:22:10.765512870Z 2024-06-23T17:22:10-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 15554 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1

Share your configuration

gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp
      - 8388:8388/tcp
      - 8388:8388/udp
      - 7474:7474
      - "9001:9000"
      - 6885:6881/udp
      - 58080:8080
      - 9005:9005
      - 8005:8005
      - 9091:9091
    volumes:
      - /home/ms/docker/gluetun:/gluetun
    environment:
      - HTTP_CONTROL_SERVER_ADDRESS=:8010 
      - FIREWALL_VPN_INPUT_PORTS=63799,15554
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=wireguard
      - WIREGUARD_PUBLIC_KEY=
      - WIREGUARD_PRIVATE_KEY=
      - WIREGUARD_ADDRESSES=
      - WIREGUARD_PRESHARED_KEY=
      - SERVER_NAMES=
      - FIREWALL_OUTBOUND_SUBNETS=192.168.2.0/24,192.168.3.0/24
    restart: unless-stopped

[github-actions]

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

• do not ask for updates, be patient
• 👍 the issue to show your support instead of commenting
  @qdm12 usually checks issues at least once a week, if this is a new urgent bug,
  revert to an older tagged container image

[qdm12]

Hi there, thanks for reporting this. It's likely due to a bug in Alpine 3.19's nf_tables usage - I created a bug report for the netfilter project. This should be fixed with 06c9bc5 which changes the preference from using the ip6tables-legacy instead of the ip6tables which now defaults to using nf_tables. This was done similarly for iptables in ce642a6 2 months ago, but I forgot to change it for the ipv6 version as well!

Can you please try pulling the latest image and see if it works?

I'm also planning on upgrading to Alpine 3.20 which appears to resolve this problem, so I will switch back the iptables preference to using nf_tables again.

[mjsjml]

I get the same error with the latest version: version latest built on 2024-07-09T14:47:46.048Z (commit 0501743).

2024-07-09T11:54:20-07:00 INFO [firewall] removing allowed port 15554...
2024-07-09T11:54:20-07:00 ERROR [vpn] cannot remove allowed input port from firewall: removing allowed port 15554 on interface tun0: command failed: "ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT": ip6tables: Bad rule (does a matching rule exist in that chain?).: exit status 1
2024-07-09T11:54:20-07:00 ERROR [vpn] getting public IP address information: context canceled

Reverting to 3.37.0, c826707, works well for me though.

[qdm12]

Uh, that's problematic.. Is it not working on v3.38.0??? That would be strange given the changes not touching iptables/ipv6 😕

Assuming this problem arises only in the latest image, what do you get when running docker exec gluetun ip6tables -nvL and docker exec gluetun ip6tables-legacy -nvL against a running Gluetun container? It should contain a rule (i..e for port 15554) in the INPUT chain similar to:

    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:15554

If it does show the rule, what happens if you run:

docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT

(And replace ip6tables by ip6tables-legacy if needed, as well as the port number 15554 according to your setup).

[mjsjml]

on :v3.37:

$ docker exec gluetun ip6tables -nvL
# and
$ docker exec gluetun ip6tables-legacy -nvL
# both give:
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.9 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

on latest 3.38:

$ docker exec gluetun ip6tables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:63799
    0     0 ACCEPT     17   --  tun0   *       ::/0                 ::/0                 udp dpt:63799
    0     0 ACCEPT     6    --  tun0   *       ::/0                 ::/0                 tcp dpt:15554
    0     0 ACCEPT     17   --  tun0   *       ::/0                 ::/0                 udp dpt:15554

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      lo      ::/0                 ::/0                
    0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      eth0    ::/0                 ff02::/104          
    0     0 ACCEPT     0    --  *      tun0    ::/0                 ::/0

$ docker exec gluetun ip6tables-legacy -nvL
modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.8.10 (legacy): can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

$ docker exec gluetun ip6tables --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT
ip6tables: Bad rule (does a matching rule exist in that chain?).

[cspark-development]

Hiya, I'm experiencing a similar issue after updating gluetun to the latest 2024-07-09T14:47:46.048Z (commit 0501743) that may be related.

iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT": iptables: Bad rule (does a matching rule exist in that chain?).: exit status 1

So I executed a shell within the container and ran iptables-legacy -S, this is the corresponding rule;
-A INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT

Running iptables-legacy --delete INPUT -i tun0 -p tcp --dport 3000 -j ACCEPT I face the previous error:
iptables: Bad rule (does a matching rule exist in that chain?).

I ran iptables-legacy --delete INPUT -i tun0 -p tcp -m tcp --dport 3000 -j ACCEPT instead which removed the rule.

I'm not sure where the -m match comes from but it appears necessary to remove the rule, this may be the issue that has been reported here. I'd recommend you run ip6tables -S for yourself to confirm if this is the case.

I hope this info helps, if this appears to be a different issue I'll raise it as appropriate. If this is the same issue, gluetun I assume will either need to ensure that -m match rule is not added or it is accounted for in deletion.

Thanks,

[mjsjml]

On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine. So your issue is probably different from mine.

[qdm12]

@cspark-development I pushed 73832d8 to add -m tcp/udp for accepting/removing the input port, let me know if it helps.

@mjsjml But does it work at all on a previous released images :v3.37 or :v3.38?

Also when you say

on latest 3.38:

Note latest and v3.38 are NOT the same. qmcgaw/gluetun:latest points to the master branch in the repository (with Alpine 3.19), whereas qmcgaw/gluetun:v3.38 points to the release tag v3.38.0 (with Alpine 3.18). Please confirm this is on the latest image and NOT v3.38.

On version b3ceece (one that doesn't work right for me), when I run "iptables-legacy --delete INPUT -i tun0 -p tcp --dport 15554 -j ACCEPT", the rule gets deleted fine.

So the problematic version seems to be v3.38 right??? Also you mention iptables-legacy which is not related to ipv6, not too sure why?

Please clarify the versions which work and the versions which don't, since I'm kind of majorly confused on that 😄 Thanks!

[cspark-development]

@qdm12 Thanks for getting back to me, I'll let you know whether the hotfix change fixes my issue or not. Issue only arises on healthcheck failures so may take a while to confirm.