On Sun, 2005-01-02 at 20:35 -0800, Stephen Walton wrote:
> fedora-list@xxxxxxxxxxxxxx wrote:
>
> > When I try to start iptables it simply fails with no errors and nothing
> > in /var/log/messages. If I try to load it after running the (fwbuilder
> > generated) script it starts and then stops immediately.
>
> The /etc/rc.d/init.d/iptables script assumes that your firewall setup is
> in /etc/sysconfig/iptables. If you are using Firewall Builder (I do and
> highly recommend it for all but the simplest setups), its script is self
> contained: it first resets iptables and then installs the settings you
> specified in fwbuilder. If you type "/sbin/service iptables start"
> after running your fwbuilder script, it will (probably) screw things up
> as it will try to add the setup in /etc/sysconfig on top of the
> fwbuilder settings. "/sbin/service iptables stop" is still useful even
> if you're using fwbuilder, as it will in effect turn off the firewall by
> resetting everything to its defaults.

One additional note here, and yes, I also use fwbuilder to configure my firewall. Stephen, you are correct as far as you go, but that approach means you MUST rerun the fwbuilder script every time you reboot, or even if you just stop iptables and want to restart it.

To eliminate the problem of doing a "service iptables start" and having your fwbuilder configuration erased, a simple step that only needs to be done when the fwbuilder config is first installed or changed is a two-step process:

1. Install your fwbuilder script and verify it using "iptables -L" to see the settings.
2. Save those settings to /etc/sysconfig/iptables using "service iptables save".

After step 2 is completed and verified, you never need to run the fwbuilder script again unless it is changed. A simple reboot will automatically reload the last saved settings when iptables is started. If you make a change to the fwbuilder script, repeat the process above and you are good to go.
The alternative to this approach is likely that you added into some script such as rc.local a command to run the fwbuilder script. The problem with doing that is that iptables is by default activated before the network is enabled and halted after the network is disabled. Running it from some userland script or from somewhere such as rc.local makes it get activated at a different time in the startup than default, and my approach allows the default scripts to control the timing of the firewall startup.
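The two-step procedure from the message above, wrapped in a script as an added example (not code from this thread or from fwbuilder): it runs the fwbuilder-generated script, saves the live ruleset with "service iptables save", and then diffs /etc/sysconfig/iptables against the kernel's ruleset so you know a plain "service iptables start" at boot restores exactly what fwbuilder installed. The FW_SCRIPT path and the sample dump are assumptions, and iptables-save is used for the checks instead of "iptables -L" because its output is easier to count and compare.

```shell
#!/bin/sh
# Added example, not code from the thread or from fwbuilder: it wraps the
# two-step procedure (run the fwbuilder script, then "service iptables save")
# and checks that /etc/sysconfig/iptables reproduces the live ruleset.
# FW_SCRIPT is an assumed path; iptables-save stands in for "iptables -L"
# here because its output is easier to count and compare.
FW_SCRIPT="${FW_SCRIPT:-/etc/firewall/fwbuilder.fw}"
SAVED_FILE="${SAVED_FILE:-/etc/sysconfig/iptables}"
# Drop what legitimately differs between two dumps of the same ruleset:
# "# Generated by"/"# Completed on" lines and [packets:bytes] counters.
normalize_ruleset() {
    grep -v '^#' | sed 's/ \[[0-9]*:[0-9]*\]$//'
}

# Print how many rules are appended to chain $1 ("-A CHAIN ..." lines).
count_chain_rules() {
    grep -c "^-A $1 " || true
}

# Step 1: install the fwbuilder ruleset and confirm INPUT is not empty.
install_fwbuilder_ruleset() {
    sh "$FW_SCRIPT" || return 1
    [ "$(iptables-save | count_chain_rules INPUT)" -gt 0 ]
}

# Step 2: persist the live ruleset where /etc/rc.d/init.d/iptables looks,
# then diff the saved file against the kernel's view; exit 0 means a plain
# "service iptables start" will restore exactly this ruleset after a reboot.
save_and_verify() {
    service iptables save || return 1
    live=$(mktemp) && saved=$(mktemp) || return 1
    iptables-save | normalize_ruleset > "$live"
    normalize_ruleset < "$SAVED_FILE" > "$saved"
    diff -u "$saved" "$live"
    rc=$?
    rm -f "$live" "$saved"
    return $rc
}

# Constructed sample dump (not from a real host) for exercising the helpers.
SAMPLE_DUMP='# Generated by iptables-save on Sun Jan  2 20:35:00 2005
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [30:2400]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Jan  2 20:35:00 2005'
```

On the firewall host, run as root `install_fwbuilder_ruleset && save_and_verify` once after installing or changing the fwbuilder script; a non-zero exit with a diff means the saved file and the live ruleset have drifted apart.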