Hi,

Based on some suggestions, I edited the file /etc/sysconfig/iptables as:

    # Firewall configuration written by system-config-securitylevel
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    # :okay - [0:0]
    #
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    #
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ...
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    ...
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT

Then I ran

    service iptables start

and everything works well -- I can log in remotely via ssh.

I have run

    # iptables-save

and also turned the service on:

    # chkconfig iptables on
    # chkconfig --list | grep iptable
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

However, if I reboot the system, ports 22, 80 etc. are not open, and I cannot log in remotely via ssh. When I go to the local terminal and run iptables -L, it only shows something like the "original iptables setting"(?):

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
    ...
    Chain INBOUND (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    LSI        all  --  anywhere             anywhere
    ...
    Chain OUTBOUND (1 references)
    target     prot opt source               destination
    ACCEPT     icmp --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere

Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh, web, ...). I have to run "service iptables restart" manually; then it shows what I put in the file /etc/sysconfig/iptables:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    ...
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
    ...
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Then everything works normally.

Although I can put "iptables restart" in rc.local and it does work, I am not comfortable with that.

Did I miss something? Where is the "original setting" of iptables stored? Why isn't my /etc/sysconfig/iptables loaded after reboot? How can I make it load during boot without using rc.local?

Thanks!

Hongwei