SecureDrop 2.7.0 - restrict-direct-access: Copy IPv4 iptables rules failed

Hello,

Unfortunately, I can’t install the new SecureDrop release 2.7.0 on two new Ubuntu 20.04.6 hosts.
During the installation I see the following error message:

Task [restrict-direct-access] : Copy IPv4 iptables rules
fatal: [app]: FAILED! msg: “Destination directory /etc/iptables does not exist”
fatal: [mon]: FAILED! msg: “Destination directory /etc/iptables does not exist”

Please help me fix this issue.
Please also note that I have set the option “Enable SSH over TOR” to NO.

Best regards,
1Raphael1

Hello 1Raphael1,

I’m sorry to hear you’re running into this issue! I’m going to give some general suggestions here, but if you’d like to discuss your specific implementation details a bit more deeply (using an encrypted platform), I’d recommend registering for an account through our official support portal.

For more details about our support system, please see here.

The error you’re seeing indicates that the /etc/iptables directory isn’t present on either of the servers. That directory should be on the servers with the standard Ubuntu Server configuration. You’ll want to make sure you have the following items in place:

  • You have the full version of Ubuntu Server (not a minimal installation) with a network connection established
  • You are running on physical hardware (not virtualized)
  • If you run: apt policy iptables-persistent from the app and mon servers, you see “Installed” in the output
    • If the package is not installed, you can install it by running sudo apt install iptables-persistent, which should correct this issue. That said, that package should be installed by default, so if it’s not installed it may be worth looking into any modifications or changes that have been made, and possibly re-install Ubuntu Server just to undo any such modifications (it’s important that everything be a “stock” configuration, with only the SecureDrop Ansible playbooks making modifications).

If that doesn’t correct the issue, please reach out to us via the support portal, and we’ll assist further.

Thank you,
Nathan Dyer
Newsroom Support Engineer
Freedom of the Press Foundation
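
The checks from the reply above, collected into one preflight script to run on the app and mon servers before re-running the install. This is an added example, not part of the original posts and not SecureDrop's own code; the function names `pkg_installed` and `check_host`, the script name `preflight.sh` and the optional ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not SecureDrop code. Run on the app and mon servers.
# ROOT is normally empty (live system); a path checks a constructed tree.

# pkg_installed ROOT PKG: succeeds only if dpkg's status file records PKG
# as "install ok installed" (removed-but-configured packages do not count).
pkg_installed() {
    awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        cur == pkg && $0 == "Status: install ok installed" { found = 1 }
        END { exit !found }
    ' "$1/var/lib/dpkg/status" 2>/dev/null
}

# check_host ROOT: prints one line per check, returns the number of failures.
check_host() {
    root="${1:-}"
    failures=0
    if pkg_installed "$root" iptables-persistent; then
        echo "ok:   iptables-persistent is installed"
    else
        echo "FAIL: iptables-persistent not installed (sudo apt install iptables-persistent)"
        failures=$((failures + 1))
    fi
    if [ -d "$root/etc/iptables" ]; then
        echo "ok:   /etc/iptables exists"
    else
        echo "FAIL: /etc/iptables does not exist (the Ansible copy task will fail)"
        failures=$((failures + 1))
    fi
    # Physical-hardware check, live system only; "none" means bare metal.
    if [ -z "$root" ] && command -v systemd-detect-virt >/dev/null 2>&1; then
        virt=$(systemd-detect-virt || true)
        [ "$virt" = "none" ] || echo "WARN: virtualization detected: $virt"
    fi
    return "$failures"
}

# Run against the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    check_host ""
fi
```

A non-zero exit status is the number of failed checks, so the script can gate the install step on both servers.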