Be advised that top posting, and using HTML, is a sure-fire way to avoid
getting help on a mailing list. There may well be someone out there who
might have the answer to all your woes, but dumps any messages posted that
way.

On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> The reason I want the chains saved, is because I'm using sshdblackd
> (http://www.sshblack.com) to block failed ssh attempts on my box

Considering this snippet from the website (below), I'm not sure that saving
the tables is a necessary step, nor perhaps even a good one.

  "The blacklist is simply a list of source IP addresses that are
  prohibited from making ssh connections to the protected host. Once a
  predetermined amount of time has passed, the offending IP address is
  removed from the blacklist."

> Here is everything that I did manually...
>
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain BLACKLIST (1 references)
> target     prot opt source               destination
> DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere

If you're trying to keep a tight rein on SSH, I'd expect you to only allow
it through a range of predetermined IPs, even if you are taking this
approach of automatically blackbanning some IPs.

> [root@mars ~]# cat /etc/cron.hourly/iptables.cron
> #!/bin/sh
> /sbin/iptables-save >/dev/null 2>&1

As you should see from your next sample output, iptables-save dumps to
standard out. You want to direct its output to where iptables normally
keeps its rules, otherwise you'll be "saving" nothing. If FC5 still uses
the same place as FC4, I think you'll want to use the iptables-save command
more like how I mentioned it near the bottom of my prior posting. e.g.

  #!/bin/sh
  /sbin/iptables-save > /etc/sysconfig/iptables

Though, I think you could avoid having to do that just by having iptables
save its configuration at shutdown. At next bootup, it'll pick up from
there, without needing a regular save.

> [root@mars ~]# /sbin/iptables-save
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> *filter
> :INPUT ACCEPT [19025:2595521]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [691823:184550717]
> :BLACKLIST - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> -A BLACKLIST -s 80.55.144.82 -j DROP
> COMMIT
> # Completed on Sun Apr 23 09:24:51 2006

*Showing* you what it *would* save. You have to direct its output to a
file to really save it.

> [root@mars ~]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> *filter
> :INPUT ACCEPT [18650:2543690]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [690115:184341112]
> :BLACKLIST - [0:0]
> [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> [3365:200808] -A INPUT -i lo -j ACCEPT
> [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> COMMIT
> # Completed on Sun Apr 23 09:01:15 2006

At this point you should notice that the saved configuration is not the
same as your example above it. The saved configuration is something that
was saved beforehand. But here (below) you're striking another problem:

> [root@mars ~]# reboot
>
> Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination

Are you running more than one firewall program? Some can fight with each
other.

It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes" back
to "no", in case there's a fault where a "start" gets treated the same as
a "restart", and saves empty tables.

-- 
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored. I read
messages from the public lists.
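The two failure modes in this thread (a cron job that "saves" to /dev/null, and a start/restart that saves empty tables over a good file) can both be guarded against by validating the dump before it replaces /etc/sysconfig/iptables. The script below is an added example, not the poster's cron job or anything from sshblack; it assumes the FC4/FC5 path from the thread and treats a dump with no -A rules as "empty" (an assumption: a deliberately rule-free firewall would also be refused). The sample dumps are constructed, so the check runs without a live iptables.

```shell
#!/bin/sh
# Save iptables rules only when the dump is a real, non-empty ruleset, so a
# flushed firewall (as seen after the reboot in the thread) never overwrites
# a good /etc/sysconfig/iptables.

# check_iptables_dump FILE: 0 if FILE is an iptables-save dump of the filter
# table with at least one -A rule, else 1 (reason on stderr).
check_iptables_dump() {
    f="$1"
    [ -s "$f" ] || { echo "check: $f is empty or missing" >&2; return 1; }
    grep -q '^\*filter' "$f" || { echo "check: no *filter table in $f" >&2; return 1; }
    grep -q '^COMMIT' "$f" || { echo "check: no COMMIT in $f" >&2; return 1; }
    n=$(grep -c '^-A ' "$f" || true)   # grep -c exits 1 on zero matches
    [ "$n" -gt 0 ] || { echo "check: $f has no rules, refusing to save" >&2; return 1; }
}

# save_iptables_rules [DEST]: dump live rules to a temp file, validate, then
# move into place (DEST defaults to the FC4/FC5 path named in the thread).
save_iptables_rules() {
    dest="${1:-/etc/sysconfig/iptables}"
    tmp="$dest.tmp.$$"
    /sbin/iptables-save > "$tmp" || { rm -f "$tmp"; return 1; }
    if check_iptables_dump "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample dumps (no live iptables needed), modelled on the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 192.0.2.10 -j DROP
COMMIT
EOF
cat > "$SAMPLE_DIR/flushed" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
```

Run as root, replace the body of the hourly cron job with a call to save_iptables_rules; the flushed sample is exactly the shape of dump the check is meant to reject.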