Iptables blank after reboot

Hi, I’ve setup a RPi3 with Kali Linux and Zerotier. And have followed the instructions with the link below for setting up NAT routed access to my internal LAN network:

[https://zerotier.atlassian.net/wiki/spaces/SD/pages/224395274/Route+between+ZeroTier+and+Physical+Networks](Route between ZeroTier and Physical Networks)

Everything worked until I rebooted the RPi. Checked and found that the iptables are empty on reboot:

sudo iptables -t nat -L
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

target     prot opt source               destination

however, the iptables rules have been successfully written to /etc/iptables/rules.v4

 sudo cat /etc/iptables/rules.v4
# Generated by iptables-save v1.8.8 on Tue Oct  4 15:14:34 2022
:INPUT ACCEPT [261:28944]
:OUTPUT ACCEPT [274:32838]
-A FORWARD -i eth0 -o zt6ovuu2zz -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i zt6ovuu2zz -o eth0 -j ACCEPT
# Completed on Tue Oct  4 15:14:34 2022
# Generated by iptables-save v1.8.8 on Tue Oct  4 15:14:34 2022
:INPUT ACCEPT [17:998]
:OUTPUT ACCEPT [35:4962]
# Completed on Tue Oct  4 15:14:34 2022

I’ve tried to add the rules and save them again, but still empty iptables on reboot -

PHY_IFACE=eth0; ZT_IFACE=zt6ovuu2zz\
sudo iptables -t nat -A POSTROUTING -o $PHY_IFACE -j MASQUERADE
sudo iptables -A FORWARD -i $PHY_IFACE -o $ZT_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i $ZT_IFACE -o $PHY_IFACE -j ACCEPT
sudo -i
bash -c iptables-save > /etc/iptables/rules.v4
dpkg-reconfigure iptables-persistent

Clueless on how to reload the iptables on reboot. Any guidance will be much appreciated.

If I issue the below command, the tables are restored and everything works fine:

sudo -i
iptables-restore < /etc/iptables/rules.v4

Thanks for posting. That’s annoying. Is something else also trying to manage your rules? It’s hard to find good information about iptables-persistent. Everything just says “install it”

I did not install anything else on the RPi. it just the base OS “kali-linux-2022.3-raspberry-pi-arm64.img.xz”.

When I issue the below command, it just says already installed.

sudo apt install iptables-persistent

I tried one more thing, gave the below command, rebooted, and now I do not have access to the RPi (it’s remote). I’ll have physical access to the device in about 8-10 hrs, will update on power cycle.

sudo systemctl enable netfilter-persistent.service

I now have physical access to the device. I was not able to access it remotely because zerotier is not working on it now, giving join command gives error:

 sudo zerotier-cli join xxxxyyy
zerotier-cli: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

I think I issued apt autoremove before reboot, guess something got broken.

Edit 1: Trying apt update & upgrade for fix the above issue. but the iptables are now getting restored after reboot. The below command fixed it:

sudo systemctl enable netfilter-persistent.service

Edit: 2: Not able to get past the “libssl.so.1.1” error. Did a update/upgrade, apt remove zerotier & reinstall using dpkg. Any pointers pls ?

Edit: 3 Finally was able to got this working by installing below package, then uninstall & re-install Zerotier.

sudo apt install -y libssl1.1
1 Like

One last question, can I replicate the same setup using an Android phone instead of a RPi ?

I tried going with termux + nethunter, on a non-rooted android phone. Unable to install Zerotier, gives the below error:

setpriv: setresgid failed: Operation not permitted

Could not find any successful documented process as well. I’m guessing maybe I need to root the phone for this to work ?

Good question. We haven’t tried that. There may be some info on the internet from other sources. We only support the app store version on Android.

Android App has a very basic functionality of joining and routing traffic via Zerotier. I was hoping if I could just send the phone to a remote network for support, and NAT into the network where the phone is connected. Using a phone with battery+good processor+RAM would be so much better than using a RPi.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.