Here is everything that I did manually...
[root@mars ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
BLACKLIST tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain BLACKLIST (1 references)
target prot opt source destination
DROP all -- uo82.internetdsl.tpnet.pl anywhere
[root@mars ~]# cat /etc/cron.hourly/iptables.cron
#!/bin/sh
/sbin/iptables-save >/dev/null 2>&1
[root@mars ~]# /sbin/iptables-save
# Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
*filter
:INPUT ACCEPT [19025:2595521]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [691823:184550717]
:BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 80.55.144.82 -j DROP
COMMIT
# Completed on Sun Apr 23 09:24:51 2006
[root@mars ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
*filter
:INPUT ACCEPT [18650:2543690]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [690115:184341112]
:BLACKLIST - [0:0]
[664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3365:200808] -A INPUT -i lo -j ACCEPT
[6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
[3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
COMMIT
# Completed on Sun Apr 23 09:01:15 2006
[root@mars ~]# reboot
Broadcast message from root (pts/0) (Sun Apr 23 09:25:40 2006):
The system is going down for reboot NOW!
[root@mars ~]#
Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
[root@mars ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@mars ~]#
On 4/23/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
On Sat, 2006-04-22 at 13:41 -0400, Devon Harding wrote:
> I have a cron.hourly script set up to save my iptables chains. When I
> reboot, the chain is empty & /etc/sysconfig/iptables contains the
> default settings.
>
> Here is /etc/cron.hourly/iptables.cron:
>
> #!/bin/sh
> /etc/init.d/iptables save >/dev/null 2>&1
What about doing an "iptables-save" command, instead? (See near end of
message.)
I would have thought that what you're doing saves them to the same place
that iptables loads its tables at boot time, but maybe you're getting
some strange race condition. And related to that, and in regards to
another posting about "/etc/sysconfig/iptables-config", you might want
to look at the same parameters that are inside the
"/etc/sysconfig/iptables-config" file.
My /etc/sysconfig/iptables-config file is the default:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
I have custom rules stored (once) in the default place iptables reads
from at boot time (*); they seem to get read fine.
* Stored by using: iptables-save > /etc/sysconfig/iptables
Something else that springs to mind: If you've got SELinux enabled,
perhaps your CRON script needs appropriate SELinux contexts.
I am curious about why you need to keep saving the tables.
--
(Currently running FC4, occasionally trying FC5.)
Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
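The cron job shown at the top of the thread runs /sbin/iptables-save with no redirection, so the ruleset goes to /dev/null and /etc/sysconfig/iptables is never updated, which is why the chains are empty after the reboot. The script below is an added example, not code from the thread or from the Fedora iptables init script: it persists the running rules the way Tim suggests (iptables-save > /etc/sysconfig/iptables) but writes atomically, refuses to overwrite the file with an incomplete dump, and offers a post-boot check that compares what is running with what was saved, ignoring only the counters and timestamp comments. The function names, the RULES_FILE default and the save/check arguments are assumptions; the path /sbin/iptables-save is the one used on the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): persist the running iptables ruleset
# atomically and verify it after boot. Function names, RULES_FILE and the
# save/check arguments are assumptions for this illustration.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Strip what legitimately differs between two dumps of the same ruleset:
# the "# Generated/Completed" timestamp comments, the leading "[pkts:bytes]"
# rule counters and the trailing "[pkts:bytes]" chain counters.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# save_rules DUMP_CMD DEST: run DUMP_CMD (normally /sbin/iptables-save),
# write its output to a temp file beside DEST, accept it only if it is a
# complete dump (contains a COMMIT line), then rename it into place so DEST
# is never left empty or half-written if the dump fails mid-way.
save_rules() {
    dump_cmd=$1; dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if "$dump_cmd" >"$tmp" && grep -q '^COMMIT$' "$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "save_rules: $dump_cmd gave no complete ruleset; $dest unchanged" >&2
        return 1
    fi
}

# rules_match FILE_A FILE_B: exit 0 if both files describe the same rules
# (counters and timestamps ignored), 1 otherwise. Run after a reboot against
# a fresh iptables-save dump to confirm the persisted rules were loaded.
rules_match() {
    a=$(normalize_rules <"$1")
    b=$(normalize_rules <"$2")
    [ "$a" = "$b" ]
}

# Usage: "sh save-iptables.sh save" from cron.hourly, "sh save-iptables.sh check"
# after boot. With no argument the script only defines the functions above.
case "${1:-}" in
    save)  save_rules /sbin/iptables-save "$RULES_FILE" ;;
    check) cur=$(mktemp) || exit 1
           /sbin/iptables-save >"$cur"
           rules_match "$cur" "$RULES_FILE"; rc=$?
           rm -f "$cur"; exit "$rc" ;;
esac
```

Running the check against the two dumps in the thread reports a match, since they differ only in counters; running it against the post-reboot state (empty chains, no BLACKLIST) reports a mismatch, which is the alert the hourly job would have wanted before the rules were silently lost. If the init script's own persistence is preferred instead, setting IPTABLES_SAVE_ON_STOP="yes" in /etc/sysconfig/iptables-config (the option Tim lists) makes the stop action at shutdown do the equivalent save.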