The solution to the error “Another app is currently holding the xtables lock”

Recently noticed on one server with the billing system ABillS, that when the script /etc/ppp/ip-up is executed in bulk, an error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Having looked at the script code, I found that there are two rules among the iptables rules that can slow down the work, namely, the search for ipoe interfaces by two commands:

EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

To raise 3000 sessions, it took more than 30 minutes and some rules could not be added at all or deleted by the script.
By default, if the -L option is used, iptables resolves the IP addresses and tries to display DNS names instead of them, which takes a long time, and so that this does not happen, you need to add the -n option, and just in case I added the -w 20 switch, which will cause the new rules to be postponed until 20 seconds if iptables is already busy executing another command:

EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with iptables rules began to work out instantly.
Since the old rules are not all fulfilled, I checked this by counting some by the team:

iptables -n -L -t nat -v | grep DNAT | wc -l

And I checked with the number of sessions, the rules were obviously smaller, so I had to clear all rules and restart the session so that the /etc/ppp/ip-up script worked correctly, this time at 3000 sessions it did its job in less than a minute.
Note that in the / etc / ppp / scripts, it’s better not to use iptables rules.

Installing the Netlist for ABillS

On the test, I install the Netlist module for ABillS in Ubuntu Server.

We import the tables into the database:

mysql -D abills --default-character-set=utf8 < /usr/abills/db/Netlist.sql

Open the billing configuration file:

nano /usr/abills/libexec/

Make sure that the module is activated:


Install nmap and Perl module for it:

sudo apt-get install nmap
sudo cpanm Nmap::Parser

Let’s see where nmap is located:

which nmap

Open the billing configuration file again:

sudo nano /usr/abills/libexec/

Let’s specify the path to nmap:


Add to sudoers:

echo 'www-data ALL=(ALL) NOPASSWD: /usr/bin/nmap' >> /etc/sudoers.d/abills_sudoers

After installation, the module will be available in the menu /Settings/Netlist

Configuring FreeRADIUS DHCP for ABillS

Suppose you installed FreeRADIUS 2 as written in this article – Installation and configuration of the ABillS billing system
Now copy the dhcp.conf file into the FreeRADIUS configuration:

sudo cp /usr/abills/misc/freeradius/v2/dhcp.conf /usr/local/freeradius/etc/raddb/sites-enabled/

Continue reading “Configuring FreeRADIUS DHCP for ABillS”

Adding vlan to Ubuntu for ABillS

Here is an example of adding a VLAN to Ubuntu Server for ABillS.

Switch to the root user:

sudo su

First of all, install the vlan package and load the 8021q module:

apt-get install vlan
modprobe 8021q

To autorun it after restarting the system, open the file /etc/modules, for example, in the text editor nano (Ctrl+X to exit, y/n to save or cancel changes):

nano /etc/modules

And add if it’s not there:


Create a script:

nano /etc/network/

Add content to it (in IFACE we specify the network interface for vlan, in VLANS – the VLAN list):


  /sbin/vconfig set_name_type VLAN_PLUS_VID_NO_PAD
  VLANS=`echo ${VLANS} | sed 'N;s/\n/ /' |sed 's/,/ /g'`
  for i in $VLANS; do
    if [[ $i =~ - ]]; then
      IFS='-' read -a start_stop <<< "$i"
      for cur_iface in `seq ${start_stop[0]} ${start_stop[1]}`;
        echo "${cur_iface}";
        /sbin/vconfig add ${IFACE} ${cur_iface}
        /sbin/ifconfig vlan${cur_iface} up
    echo "$i";
      /sbin/vconfig add ${IFACE} ${i}
      /sbin/ifconfig vlan${i} up

We make the script executable:

chmod +x /etc/network/

Run the script:


To autorun the script, open the configuration of the network interfaces:

nano /etc/network/interfaces

And add at the end of the line:

post-up /etc/network/

See also my articles:
Configuring VLANs in Ubuntu
Install and configure accel-ppp (IPoE) for ABillS

Ubuntu IP Masquerading (NAT)

For example, I will configure IPv4 masquerading (NAT) on Ubuntu Server.
First you need to enable packet forwarding in /etc/sysctl.conf so that traffic can walk between different network interfaces.
Let’s check the current status:

sysctl net.ipv4.conf.all.forwarding
cat /proc/sys/net/ipv4/ip_forward

If it is 0, then enable it with the following command:

sysctl -w net.ipv4.conf.all.forwarding=1

To keep this after the system restart, open the file /etc/sysctl.conf for example in the nano editor (Ctrl + X to exit, y / n to save or discard changes):

nano /etc/sysctl.conf

And add the line:


If necessary, you can clear existing NAT rules:

iptables -t nat --flush

Now it remains to add a rule to iptables, for example:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

Where, internal network, and the address through which you need to go to the Internet, similarly prescribed other internal networks.
Let me remind the mask for private networks:

If the IP address on the external network interface changes (dynamic), then instead of SNAT we specify MASQUERADE:

iptables -t nat -A POSTROUTING -s -j MASQUERADE

Do not forget to save the added iptables rules.
For example, you can open the network interface configuration file (its contents are loaded at system startup):

nano /etc/network/interfaces

And at the end add iptables rules, for example I will indicate the masquerading of this network at once to several IP addresses, and also with the indication of the network interface:

post-up /sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

Or add to the file:

nano /etc/rc.local
/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

I recommend to specify the outgoing network interface, if you do not specify it, then local traffic will return to the network under NAT IP.
If there are several outgoing interfaces, let’s say the load is balanced through BGP, etc., then we indicate with two rules:

/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent
/sbin/iptables -t nat -A POSTROUTING -s -o eth4 -j SNAT --to-source --persistent

See also my articles:
Difference between MASQUERADE and SNAT
Configuring IPTables
How to fix the error “nf_conntrack: table full, dropping package”
Using Linux ISG

Installing ISC DHCP for ABillS

Here is an example of the installation of the ISC DHCP server for ABillS in Ubuntu Server.

Switch to the root user:

sudo su

Install package:

apt-get install isc-dhcp-server
ln -s /usr/abills/Abills/modules/Dhcphosts/ /usr/abills/libexec/


/usr/abills/libexec/ -d LEASES=/var/lib/dhcp/dhcpd.leases

Change owner of a file:

chown www-data /etc/dhcp/dhcpd.conf

Open the in the Editor:

nano /usr/abills/libexec/

Add options:

$conf{DHCPHOSTS_RECONFIGURE}='/usr/bin/sudo /etc/init.d/isc-dhcp-server restart';

Open in the Editor:

nano /etc/sudoers

Add the string making the ability to run a service system:

www-data   ALL = NOPASSWD: /etc/init.d/isc-dhcp-server

Go to the Abills Web interface, open the menu "settings"-"IP (DHCP)"-"Network IP (DHCP) Network", add the network if needed, then "Show, reconfigure the dhcp" and "Reconfigure".

See if the isc-dhcp-server command:

/etc/init.d/isc-dhcp-server status

Logs are written to the file/var/log/syslog

You can also configure the export of DHCP history to see it in the “Report” – “DHCP History” menu.
To do this, make a link:

ln -s /usr/abills/Abills/modules/Dhcphosts/ /usr/abills/libexec/

Separating DHCP logs into a separate file as I wrote in the article below and adding to the Startup script with the command:

tail -F /var/log/dhcpd.log | /usr/abills/libexec/

See also my articles:
Installing and configuring a dhcp server, isc-in Ubuntu
Packet capturing with tcpdump