{"id":10479,"date":"2025-04-28T16:46:40","date_gmt":"2025-04-28T20:46:40","guid":{"rendered":"https:\/\/www.both.org\/?p=10479"},"modified":"2025-05-09T06:29:53","modified_gmt":"2025-05-09T10:29:53","slug":"beware-fedora-updates-of-april-28-2024","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=10479","title":{"rendered":"Beware Fedora updates of April 28, 2025"},"content":{"rendered":"<h2 class=\"wp-block-heading\">It breaks iptables with no warning<\/h2>\n\n\n\n<p>I&#8217;m rather angry right now but I promise to remain calm &#8212; at least in this post.<\/p>\n\n\n\n<p>I just finished installing today&#8217;s Fedora updates, and a couple of packages relating to IPTables were changed: the iptables packages were removed and iptables-legacy packages were installed. In combination with the merge of \/usr\/sbin into \/usr\/bin (the tools now live in \/usr\/bin, with links left behind in \/sbin) and some other file location changes, all of my IPTables firewalls stopped working when I rebooted my firewall and server systems.<\/p>\n\n\n\n<p>The problems manifested as an inability to communicate with the outside world &#8212; and presumably as the outside world being unable to send email to Both.org or access the Both.org website. It took me only a couple of minutes to determine that the firewall was not running, because I got an error message indicating that the iptables-save and iptables commands weren&#8217;t present. 
<\/p>\n\n\n\n<p><strong>WHAT!!??<\/strong><\/p>\n\n\n\n<p>On the system I use as firewall and router, the IPTables rule set controls whether packets are forwarded between its interfaces, so without those rules nothing gets routed in or out. That was one of the clues I used to narrow down the problem, but it wasn&#8217;t the root cause.<\/p>\n\n\n\n<p>A quick look at the \/sbin directory showed me the following. This is what the iptables symlinks looked like after the morning updates. The plain iptables, iptables-save and iptables-restore names are gone; only the &#8220;-legacy&#8221; and &#8220;-nft&#8221; variants remain, so the systemd service unit couldn&#8217;t find the tools it needs to load the rules. I did check \/etc\/sysconfig\/iptables to ensure it was still there and unchanged &#8212; it was OK.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># <strong>cd \/sbin<\/strong>\n&#91;root@yorktown sbin]# <strong>ll ipt*<\/strong>\nlrwxrwxrwx. 1 root root     21 Apr 16 11:24 iptables-apply -> ..\/bin\/iptables-apply\nlrwxrwxrwx. 1 root root     22 Apr 16 11:24 iptables-legacy -> ..\/bin\/iptables-legacy\nlrwxrwxrwx. 1 root root     30 Apr 16 11:24 iptables-legacy-restore -> ..\/bin\/iptables-legacy-restore\nlrwxrwxrwx. 1 root root     27 Apr 16 11:24 iptables-legacy-save -> ..\/bin\/iptables-legacy-save\nlrwxrwxrwx. 1 root root     19 Apr 16 11:22 iptables-nft -> ..\/bin\/iptables-nft\nlrwxrwxrwx. 1 root root     27 Apr 16 11:22 iptables-nft-restore -> ..\/bin\/iptables-nft-restore\nlrwxrwxrwx. 1 root root     24 Apr 16 11:22 iptables-nft-save -> ..\/bin\/iptables-nft-save\nlrwxrwxrwx. 1 root root     33 Apr 16 11:22 iptables-restore-translate -> ..\/bin\/iptables-restore-translate\nlrwxrwxrwx. 1 root root     25 Apr 16 11:22 iptables-translate -> ..\/bin\/iptables-translate\n-rwxr-xr-x. 1 root root 203360 Jul 17  2024 iptraf-ng\nlrwxrwxrwx. 1 root root     15 Apr 16 11:22 iptstate -> ..\/bin\/iptstate\nlrwxrwxrwx. 
1 root root     15 Apr 16 11:24 iptunnel -> ..\/bin\/iptunnel<\/code><\/pre>\n\n\n\n<p>Compare the above to the previous set of links in \/sbin, from before the update. The difference is plain: iptables, iptables-save and iptables-restore used to be resolved through \/etc\/alternatives, and those three entries are exactly what is missing now.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># ll ipt*\nlrwxrwxrwx. 1 root root    26 Apr  9 08:06 iptables -> \/etc\/alternatives\/iptables\nlrwxrwxrwx. 1 root root    17 Jan 16 19:00 iptables-nft -> xtables-nft-multi\nlrwxrwxrwx. 1 root root    17 Jan 16 19:00 iptables-nft-restore -> xtables-nft-multi\nlrwxrwxrwx. 1 root root    17 Jan 16 19:00 iptables-nft-save -> xtables-nft-multi\nlrwxrwxrwx. 1 root root    34 Apr  9 08:06 iptables-restore -> \/etc\/alternatives\/iptables-restore\nlrwxrwxrwx. 1 root root    17 Jan 16 19:00 iptables-restore-translate -> xtables-nft-multi\nlrwxrwxrwx. 1 root root    31 Apr  9 08:06 iptables-save -> \/etc\/alternatives\/iptables-save\nlrwxrwxrwx. 1 root root    17 Jan 16 19:00 iptables-translate -> xtables-nft-multi\n-rwxr-xr-x. 1 root root 34248 Jan 16 19:00 iptc\n-rwxr-xr-x. 1 root root 87456 Mar 17 20:00 iptstate\n-rwxr-xr-x. 1 root root 24264 Jan 16 19:00 iptunnel<\/code><\/pre>\n\n\n\n<p>The fix is rather easy. I used the following commands to create the links I needed. The links are relative, so they must be created in the same directory as the -legacy targets they point to. Be aware that links made by hand this way are not owned by any package, so a later iptables update can remove or replace them; after any update that touches iptables, check that the plain names still resolve before you reboot.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># cd \/sbin\n# ln -s iptables-legacy iptables\n# ln -s iptables-legacy-restore iptables-restore\n# ln -s iptables-legacy-save iptables-save\n# systemctl restart iptables.service<\/code><\/pre>\n\n\n\n<p>The new links are now available for the SysAdmin (me) and systemd to use. I also restarted fail2ban to ensure that all of its blocking entries were re-added to the firewall. If you&#8217;re not using fail2ban you don&#8217;t need to do that.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># ll ipt*\n<strong>lrwxrwxrwx. 1 root root     15 Apr 28 15:06 iptables -> iptables-legacy<\/strong>\nlrwxrwxrwx. 1 root root     21 Apr 17 15:53 iptables-apply -> ..\/bin\/iptables-apply\nlrwxrwxrwx. 
1 root root     22 Apr 17 15:53 iptables-legacy -> ..\/bin\/iptables-legacy\nlrwxrwxrwx. 1 root root     30 Apr 17 15:53 iptables-legacy-restore -> ..\/bin\/iptables-legacy-restore\nlrwxrwxrwx. 1 root root     27 Apr 17 15:53 iptables-legacy-save -> ..\/bin\/iptables-legacy-save\nlrwxrwxrwx. 1 root root     19 Apr 17 15:50 iptables-nft -> ..\/bin\/iptables-nft\nlrwxrwxrwx. 1 root root     27 Apr 17 15:50 iptables-nft-restore -> ..\/bin\/iptables-nft-restore\nlrwxrwxrwx. 1 root root     24 Apr 17 15:50 iptables-nft-save -> ..\/bin\/iptables-nft-save\n<strong>lrwxrwxrwx. 1 root root     23 Apr 28 15:06 iptables-restore -> iptables-legacy-restore<\/strong>\nlrwxrwxrwx. 1 root root     33 Apr 17 15:50 iptables-restore-translate -> ..\/bin\/iptables-restore-translate\n<strong>lrwxrwxrwx. 1 root root     20 Apr 28 15:06 iptables-save -> iptables-legacy-save<\/strong>\nlrwxrwxrwx. 1 root root     25 Apr 17 15:50 iptables-translate -> ..\/bin\/iptables-translate\n-rwxr-xr-x. 1 root root 203360 Jul 17  2024 iptraf-ng\nlrwxrwxrwx. 1 root root     15 Apr 17 15:50 iptstate -> ..\/bin\/iptstate\nlrwxrwxrwx. 1 root root     15 Apr 17 15:51 iptunnel -> ..\/bin\/iptunnel<\/code><\/pre>\n\n\n\n<p>A bit of testing verified that all was once again working as it should.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A short rant<\/h2>\n\n\n\n<p>I am furious that this occurred. There is absolutely no reason for it. Fortunately, my systems weren&#8217;t open without a firewall for very long, but an unprotected computer exposed to the Internet can be found and attacked within minutes.<\/p>\n\n\n\n<p>I much prefer IPTables for my use case, and it&#8217;s easier and faster to work with than NFTables or firewalld, neither of which I like in the least. 
It&#8217;s not that they don&#8217;t work, but both are obscure, and firewalld is way too complex &#8212; for my use cases.<\/p>\n\n\n\n<p>Although IPTables is no longer the default firewall front-end, I never expected that it was going to be disabled by incompetence (the nicest word I can think of at the moment). Clearly it&#8217;s intended to continue as a legacy tool, but apparently someone failed to perform the simple tests that would have shown it no longer worked after the updates were installed. Changes like this should be transparent in their application but loudly announced, both before they arrive and once they have been implemented.<\/p>\n\n\n\n<p>And they should damn well be thoroughly tested.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It breaks iptables with no warning I&rsquo;m rather angry right now but I promise to remain calm<\/p>\n","protected":false},"author":2,"featured_media":2706,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[756,71,5,75,682],"tags":[261],"class_list":["post-10479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-fail","category-fedora","category-linux","category-security","category-updates","tag-security"],"modified_by":"David 
Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/10479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10479"}],"version-history":[{"count":10,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/10479\/revisions"}],"predecessor-version":[{"id":10615,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/10479\/revisions\/10615"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/2706"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
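The repair the post above walks through (recreate the plain iptables, iptables-save and iptables-restore names as links to the -legacy tools, then restart iptables.service), as an added shell example; this is not code from the original post or from Fedora. It differs from the three bare ln -s commands in the ways a practitioner wants after an update like this: it refuses to create a link when the -legacy target itself is missing (a bare ln -s silently produces a dangling link and the service still fails), it replaces a dangling link that an update left behind, and it is idempotent, so it can be run after every iptables update. The directory is taken as an argument and the function and variable names are my own; that is an assumption made so the logic can be exercised against a scratch directory without root. On a live host you would pass /sbin as the post does and then restart the service.

```shell
#!/bin/sh
# Added example, not from the original post: recreate the plain iptables
# command names as links to the iptables-legacy tools when an update has
# left only the suffixed variants behind.
#
# Assumption (not stated on the page): the directory to repair is passed as
# an argument so the logic can be tried on a scratch directory without root.

# Names the iptables systemd unit (and fail2ban) expect to find.
IPT_NAMES="iptables iptables-save iptables-restore"

# ensure_legacy_links DIR
# For each plain name: if it is missing or a dangling link, and DIR/<legacy>
# exists, create a relative symlink NAME -> <legacy>. Prints one line per
# name; returns 0 on success, 1 if a required legacy tool is absent.
ensure_legacy_links() {
    dir=$1
    rc=0
    for name in $IPT_NAMES; do
        # iptables -> iptables-legacy, iptables-save -> iptables-legacy-save, ...
        case $name in
            iptables) legacy=iptables-legacy ;;
            iptables-*) legacy=iptables-legacy-${name#iptables-} ;;
        esac
        if [ ! -e "$dir/$legacy" ]; then
            # Do not create a link to nothing; report and keep going.
            echo "missing: $dir/$legacy (is the iptables-legacy package installed?)" >&2
            rc=1
            continue
        fi
        if [ -e "$dir/$name" ]; then
            # Present and resolvable: leave whatever the package manager set up.
            echo "ok: $dir/$name -> $(readlink "$dir/$name" 2>/dev/null || echo '(regular file)')"
            continue
        fi
        # -e is false for a dangling symlink; remove it before relinking.
        [ -L "$dir/$name" ] && rm -f "$dir/$name"
        ln -s "$legacy" "$dir/$name"
        echo "linked: $dir/$name -> $legacy"
    done
    return $rc
}

# check_ipt_tools DIR
# Returns 0 when every plain name resolves to an executable, 1 otherwise.
# Run this after any update that touches iptables, before rebooting.
check_ipt_tools() {
    dir=$1
    for name in $IPT_NAMES; do
        [ -x "$dir/$name" ] || return 1
    done
    return 0
}

# Usage on a live host, as root, with the directory from the post:
#   ensure_legacy_links /sbin && systemctl restart iptables.service
```

Run check_ipt_tools first; if it fails right after an update, run ensure_legacy_links and restart the service only when it returns 0, since a non-zero return means the legacy tools themselves are gone and links would not help.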