🔄 Why Earlier Attempts to Persist the iptables Rule for Port 18080 on DietPi Failed
🧩 Current Setup Summary
-
System: DietPi (Debian-based, minimal)
-
Firewall:
iptableswith ats-inputchain (Tailscale or custom) -
Monero Daemon:
monerodrunning with--p2p-bind-ip=0.0.0.0 -
Problem: No incoming P2P connections
⚠️ Core Issue: The ts-input Chain Isn’t Available Early Enough
-
The custom iptables chain
ts-input(used by Tailscale or similar) is created late in the boot process or dynamically after many system services start. -
Any firewall rule referencing
ts-inputapplied before this chain exists will fail silently or produce errors like:iptables: No chain/target/match by that name. -
This timing issue is the root cause why most standard methods to persist rules don’t work on this setup.
📝 Review of Earlier Approaches and Why They Failed
1. 🧰 Using iptables-persistent
-
Saves rules to
/etc/iptables/rules.v4and restores them on boot automatically. -
Fails because the
ts-inputchain doesn’t exist yet when the restore process runs. -
Result: The rule referencing
ts-inputis ignored or dropped and does not persist after reboot.
2. ⚙️ Basic systemd Service Applying the Rule on Boot
-
A one-shot systemd service running after
network-online.targettried to insert the rule. -
Since
ts-inputchain creation happens after or asynchronously to the network target, the service runs too early. -
Rule insertion fails with “No chain/target/match by that name,” and no retry is attempted.
-
No rule is applied.
3. ⏰ Cron Job with @reboot Directive
-
Cron jobs run early after reboot, often before
ts-inputchain exists. -
A
sleepdelay helps but is unreliable due to race conditions in chain creation timing. -
Lack of checks and retries means the rule often doesn’t get applied.
-
Logs for troubleshooting may be missing or incomplete.
🔧 Why Our Final Workaround Works
-
The custom script polls repeatedly (up to 60 seconds), waiting for the
ts-inputchain to appear before applying any rule. -
It cleans up duplicate rules to keep firewall rules tidy on repeated runs.
-
The systemd service depends on both network and Tailscale daemons to start, improving timing.
-
Logs output are captured for troubleshooting and verification.
-
Together, these ensure the rule is only applied once the chain exists, solving the timing/race condition problem.
📌 Summary
| Approach | Outcome | Reason for Failure |
|---|---|---|
| iptables-persistent | Rule not applied after reboot | ts-input chain missing when rules restored |
| Basic systemd service | Rule insertion fails early | Runs before ts-input chain is created |
| Cron @reboot + sleep | Unreliable, race conditions persist | Chain not guaranteed to exist after sleep delay |
| Final script + systemd | Reliable rule application | Waits and retries until chain exists before insert |
No comments to display
No comments to display