From 8efab59dff7365f0e13a802fc52493a69a8bc06b Mon Sep 17 00:00:00 2001 From: Perlover Date: Fri, 19 May 2023 18:17:00 +0200 Subject: [PATCH 1/2] Adding waiting (-w) in iptables for wg-iptables service At one point I overloaded the server and Wireguard was not working on it. I began to understand and found out that the `wg-iptables` service did not start. The logs were: ``` May 19 17:50:27 server.domain iptables[714]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option? May 19 17:50:27 server.domain systemd[1]: wg-iptables.service: Main process exited, code=exited, status=4/NOPERMISSION May 19 17:50:27 server.domain systemd[1]: wg-iptables.service: Failed with result 'exit-code'. May 19 17:50:27 server.domain systemd[1]: Failed to start wg-iptables.service. ``` Then I started googling this problem [and found out](https://lists.zx2c4.com/pipermail/wireguard/2019-October/004592.html) that the problem is that your startup commands do not specify to wait in case of blocking. This patch fixes the problem. --- wireguard-install.sh | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index c178027..8d67f46 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -440,21 +440,21 @@ EOF Before=network.target [Service] Type=oneshot -ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip -ExecStart=$iptables_path -I INPUT -p udp --dport $port -j ACCEPT -ExecStart=$iptables_path -I FORWARD -s 10.7.0.0/24 -j ACCEPT -ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip -ExecStop=$iptables_path -D INPUT -p udp --dport $port -j ACCEPT -ExecStop=$iptables_path -D FORWARD -s 10.7.0.0/24 -j ACCEPT -ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service +ExecStart=$iptables_path -w -t nat -A POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip +ExecStart=$iptables_path -w -I INPUT -p udp --dport $port -j ACCEPT +ExecStart=$iptables_path -w -I FORWARD -s 10.7.0.0/24 -j ACCEPT +ExecStart=$iptables_path -w -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=$iptables_path -w -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to $ip +ExecStop=$iptables_path -w -D INPUT -p udp --dport $port -j ACCEPT +ExecStop=$iptables_path -w -D FORWARD -s 10.7.0.0/24 -j ACCEPT +ExecStop=$iptables_path -w -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service if [[ -n "$ip6" ]]; then echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6 -ExecStart=$ip6tables_path -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT -ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6 -ExecStop=$ip6tables_path -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT -ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/wg-iptables.service +ExecStart=$ip6tables_path -w -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT +ExecStart=$ip6tables_path -w -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=$ip6tables_path -w -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6 +ExecStop=$ip6tables_path -w -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT +ExecStop=$ip6tables_path -w -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/wg-iptables.service fi echo "RemainAfterExit=yes [Install] From 2a0fffbed3373537dbcc9299d8d4fdd79b84a341 Mon Sep 17 00:00:00 2001 From: Perlover Date: Fri, 19 May 2023 18:19:14 +0200 Subject: [PATCH 2/2] Small fix for previous commit --- wireguard-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wireguard-install.sh b/wireguard-install.sh index 8d67f46..49bc810 100644 --- a/wireguard-install.sh +++ b/wireguard-install.sh @@ -449,7 +449,7 @@ ExecStop=$iptables_path -w -D INPUT -p udp --dport $port -j ACCEPT ExecStop=$iptables_path -w -D FORWARD -s 10.7.0.0/24 -j ACCEPT ExecStop=$iptables_path -w -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/wg-iptables.service if [[ -n "$ip6" ]]; then - echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6 + echo "ExecStart=$ip6tables_path -w -t nat -A POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6 ExecStart=$ip6tables_path -w -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT ExecStart=$ip6tables_path -w -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStop=$ip6tables_path -w -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to $ip6