# Script not always called?

## The_Great_Sephiroth

I have a script in /etc/ppp/ip-up.d and another in /etc/ppp/ip-down.d to modify iptables rules for VPN connections. Below are the scripts.

This script sets up the firewall rule when a VPN connection is formed.

```
#!/bin/bash
# pppd runs ip-up scripts with six arguments:
#   interface tty-device speed local-IP remote-IP ipparam
# If the interface was specified, add the rule
if [ $# -eq 6 ] && [ -n "$1" ]; then
  iptables -A INPUT -i "$1" -m state --state NEW -j ACCEPT
fi
```

Here is the one for clearing the rule once the interface goes away. This is the failing one.

```
#!/bin/bash
# pppd runs ip-down scripts with the same six arguments as ip-up:
#   interface tty-device speed local-IP remote-IP ipparam
# If the interface was specified, delete the rule
if [ $# -eq 6 ] && [ -n "$1" ]; then
  iptables -D INPUT -i "$1" -m state --state NEW -j ACCEPT
  logger "VPN DEBUG - Removed iptables rules for $1"
else
  logger "VPN DEBUG - Did not remove the iptables for $1"
  if [ $# -ne 6 ]; then
    logger "VPN DEBUG - Did not get six arguments"
  fi
fi
```

However, the script for clearing the rule is NOT always called for some reason. There is nothing logged in /var/log/messages, meaning it is not even being called.

My iptables rules after two days of on/off usage. This is after a clean boot after being off all night.

```
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,135,139,445,3389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 137,138,5060,7078,9078 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
-A INPUT -i ppp0 -m state --state NEW -j ACCEPT
```

I have no idea why it isn't being called at all. Can somebody help me figure this out?

----------

## Hu

What happens if you run it by hand with the correct arguments?  Why are you adding and removing the rules at all?  Is the interface name unpredictable?

----------

## The_Great_Sephiroth

It works flawlessly if I run it manually. The script to add the rules ALWAYS works. The reason that I do this is to allow ALL traffic on a PPP interface. I only use PPP for VPN connections to my office or a client location, so I am on a secure network. In other words, when a PPP connection comes up, I do not want it filtered by iptables. When it goes down I need to remove the rules. The interfaces show up as ppp<x> for my VPN connections.

----------

## Hu

I understand that you need special rules for PPP traffic.  I do not understand why you cannot leave those rules loaded indefinitely, and let them be ignored when there is no PPP interface.  If your VPN links are always named pppN, you can use the wildcard interface name ppp+ in iptables to match all VPN links.

----------

## The_Great_Sephiroth

I have had issues in the past where setting a rule for a non-existent interface would throw/log a warning or even not work. This may not be the case now, but here is another reason to solve this: It is not working. Something is broken and I am not sure what it is. All of the scripts in ip-up.d get called, so why do the ones in ip-down.d only get called when the system feels like it? This is an issue. While I may have a workaround now, others may need this functionality.

----------

## steveL

Are you sure your script is marked executable?

We can get to the scripting part after you've got it reliably invoked.

----------

## The_Great_Sephiroth

The script is marked 755, executable. Note that the script logs everything, so I only have to grep for the phrase "VPN DEBUG". It simply does not appear to always get called. I did take Hu's advice and modified my firewall as follows.

```
~ $ sudo iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,135,139,445,3389 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 137,138,5060,7078,9078 -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -i lo -j ACCEPT
```

Not sure if that is correct, but so far so good. Right now I just want to know why the script is not being called when a VPN connection goes down. Rather, why it is not called every time, only half the time. Note that if the script is not called with six arguments it logs that too, so there is no reason that the script should not log SOMETHING, even if it is called incorrectly.

----------

## The_Great_Sephiroth

So nobody can explain why the script(s) in /etc/ppp/ip-down.d/ are not being called every time a PPP device is removed?

----------

## mv

The calling of the scripts is not directly related to the interface going up or down.

The scripts are actually called by pppd. So, for instance, if pppd dies unexpectedly or is killed, the scripts are not called. The same applies if something other than pppd brings the interface up or down.

----------

## The_Great_Sephiroth

That explains it. Some clients use Watchguard routers which do PPTP VPN. For some reason a few of these will cause pppd to just disappear (terminate?) the first time you try connecting. Trying a second time and every time afterwards works. Thanks for the info!

----------
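The thread ends with two findings: pppd only runs the ip-up.d/ip-down.d hooks when it exits cleanly, so a crashed pppd leaves the per-interface rule behind (hence the four identical `ppp0` lines in the first dump), and a static `ppp+` rule avoids the add/remove dance altogether. If the hooks are still wanted, they should at least tolerate missed ip-down calls. The handler below is an added example, not the poster's script or part of pppd: a single file installed in both `/etc/ppp/ip-up.d/` and `/etc/ppp/ip-down.d/` (copy or symlink) that picks the direction from the directory it was started from, refuses anything but the six pppd arguments with a `ppp<digits>` interface name, uses `iptables -C` (iptables 1.4.11 or later) so that adding is idempotent, and loops on `-D` until no copy of the rule remains. The `IPTABLES` variable, the `vpn-fw` log tag and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not the poster's script): one handler installed in both
# /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ (copy or symlink). The direction
# is taken from the directory pppd started it from.
#
# pppd invokes ip-up/ip-down hooks with six arguments:
#   interface tty-device speed local-IP remote-IP ipparam
# so $1 is the interface name, e.g. "ppp0".

# Assumed knob: override to point at a stand-in; defaults to the real binary.
IPTABLES="${IPTABLES:-iptables}"

# Log via syslog when logger is available, otherwise to stderr.
log() {
    logger -t vpn-fw -- "$*" 2>/dev/null || printf 'vpn-fw: %s\n' "$*" >&2
}

# Require exactly the six pppd arguments and an interface named ppp<digits>.
validate_args() {
    [ "$#" -eq 6 ] || return 1
    expr "$1" : 'ppp[0-9][0-9]*$' >/dev/null
}

# The single rule this handler manages. $1 = iptables operation
# (-C check, -A append, -D delete), $2 = interface name.
rule() {
    "$IPTABLES" "$1" INPUT -i "$2" -m state --state NEW -j ACCEPT
}

# Idempotent add: -C reports whether an identical rule is already loaded,
# so a second ip-up for the same interface does not append a duplicate.
add_rule() {
    if rule -C "$1" 2>/dev/null; then
        log "rule for $1 already present, not adding again"
    else
        rule -A "$1" && log "added INPUT accept for $1"
    fi
}

# Remove every copy: -D deletes one instance per call, so loop while -C still
# matches. This also clears copies left from earlier connections whose
# ip-down hook never ran (e.g. pppd died). REMOVED holds the count.
remove_rule() {
    REMOVED=0
    while rule -C "$1" 2>/dev/null; do
        rule -D "$1" || break
        REMOVED=$((REMOVED + 1))
    done
    log "removed $REMOVED rule(s) for $1"
}

main() {
    if ! validate_args "$@"; then
        log "ignoring call with $# argument(s), interface '${1:-}'"
        exit 1
    fi
    case "$0" in
        */ip-up.d/*)   add_rule "$1" ;;
        */ip-down.d/*) remove_rule "$1" ;;
        *) log "not started from ip-up.d or ip-down.d: $0"; exit 1 ;;
    esac
}

# Act only when started as a pppd hook; elsewhere just define the functions.
case "$0" in
    */ip-up.d/*|*/ip-down.d/*) main "$@" ;;
esac
```

Because the hook still depends on pppd exiting normally, the `-D` loop is what makes a later ip-up or ip-down clean up after a crash; it does not make the call itself reliable. For the original goal (all traffic on VPN interfaces accepted) the static `-A INPUT -i ppp+ -j ACCEPT` rule Hu suggested needs no hook at all, and it should be kept in mind that such a rule admits any new connection arriving over any `pppN` link, including the client-side PPTP links mentioned in the thread.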

