The solution to the error “Another app is currently holding the xtables lock”

Recently noticed on one server with the billing system ABillS, that when the script /etc/ppp/ip-up is executed in bulk, an error occurs:

Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Having looked at the script code, I found that there are two rules among the iptables rules that can slow down the work, namely, the search for ipoe interfaces by two commands:

IPTABLES="/sbin/iptables"
EXIST=`${IPTABLES} -t nat -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} -L -v | grep DROP | grep "${IFNAME} "`

To raise 3000 sessions, it took more than 30 minutes and some rules could not be added at all or deleted by the script.
By default, if the -L option is used, iptables resolves the IP addresses and tries to display DNS names instead of them, which takes a long time, and so that this does not happen, you need to add the -n option, and just in case I added the -w 20 switch, which will cause the new rules to be postponed until 20 seconds if iptables is already busy executing another command:

IPTABLES="/sbin/iptables"
IPTABLES_WAIT="-w 20"
EXIST=`${IPTABLES} $IPTABLES_WAIT -t nat -n -L PREROUTING -v | grep "${IFNAME} ";  ${IPTABLES} $IPTABLES_WAIT -n -L -v | grep DROP | grep "${IFNAME} "`

After that, the script with iptables rules began to work out instantly.
Since the old rules are not all fulfilled, I checked this by counting some by the team:

iptables -n -L -t nat -v | grep DNAT | wc -l

And I checked with the number of sessions, the rules were obviously smaller, so I had to clear all rules and restart the session so that the /etc/ppp/ip-up script worked correctly, this time at 3000 sessions it did its job in less than a minute.
Note that in the / etc / ppp / scripts, it’s better not to use iptables rules.

IPTables rules for the web server

To open the web server port in IPTables, execute the following command:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

If HTTPS is used, then also:

iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

To open only a particular network, for example 192.168.0.0/24:

sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

You can also restrict access by the IP configuration of the web server itself, for example, as I described for Apache2 in this article – Access Control Apache2.

To set the connection limit on port 80:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

sudo iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL

See also:
Configuring IPTables

IPTables rules for SSH

To enable access to the SSH server in IPTables, you must add a rule:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To open only a particular network, for example 192.168.0.0/24:

sudo iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

You can also restrict access by the IP configuration of the SSH itself.

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL

See also:
Installing and Configuring SSH
Configuring IPTables

IPTables rules for ntopng

First of all, let’s look at the current IPTables rules:

iptables -nvL

To open the ntopng port, add the rule:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -j ACCEPT

To open the ntopng port for a specific network or IP only:

sudo iptables -A INPUT -m tcp -p tcp --dport 3000 -s 10.0.0.0/24 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure ntopng

IPTables rules for nprobe

First of all, let’s look at the current IPTables rules:

iptables -nvL

In order for nprobe to accept NetFlow data, open the port for it:

sudo iptables -A INPUT -p udp --dport 2055 -j ACCEPT

In order for nprobe to accept NetFlow data only from a particular network or IP:

sudo iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 2055 -j ACCEPT

See also my articles:
Configuring IPTables
Install and configure nprobe

IPTables rules for MySQL

If iptables locks all incoming connections (INPUT DROP) and to add external access to MySQL, you need to add rules:

iptables -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

To access only a particular network, for example 10.0.0.0/24:

iptables -A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

iptables -D INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL

I note that in order to open external access, you also need to comment out the line “bind-address = 127.0.0.1” in the my.cnf configuration file.

If by default INPUT ACCEPT, we first specify which IPs are allowed access, and only the last rule is blocked by all the others:

/sbin/iptables -A INPUT -s 127.0.0.1 -p tcp --destination-port 3306 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.5 -p tcp --destination-port 3306 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

For example, using nmap, you can check locally and externally whether the access is filtered:

nmap -p 3306 localhost
nmap -p 3306 192.168.1.5

See also:
Configuring IPTables
Other my articles about MySQL