Re: my iptables setting not loaded after reboot in fc5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Go to /etc/sysconfig/iptables-config and change

IPTABLES_SAVE_ON_STOP="no"

to

IPTABLES_SAVE_ON_STOP="yes"

now everytime you shutdown the system your current iptables will be saved and
then reloaded upon reboot.

Filippos


On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
Hi,

Based on some suggestions, I edited file /etc/sysconfig/iptables as:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#
:okay - [0:0]
#
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A
RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #
...
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT

Then, run service iptables start and everything work well -- I can remote
login ssh.  I have run
# iptables-save

and also turn the service on:

# chkconfig iptables on
# chkconfig --list | grep iptable
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

However, if I reboot the system, the port 22, 80 etc. are not open, I cannot
remotely login ssh. I go to local terminal and run iptables -L, it only shows
something like "original iptables setting"(?) as:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp
flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
...
Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
LSI        all  --  anywhere             anywhere
...
Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Since port 22,80 etc. are not open, I can do nothing remotely (ssh, web,..).
I have to run "service iptables restart" manually, then it shows what I put in
the file /etc/sysconfig/iptables:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
...
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
dpt:pop3
...
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
dpt:imap
REJECT     all  --  anywhere             anywhere            reject-with
icmp-host-prohibited

Then, everything is working normally.  Although I can put "iptables restart"
in rc.local and it does work, but I am not comfortable with that.

Did I miss something?  Where is the "original setting" of iptables stored?
Why isn't my /etc/sysconfig/iptables loaded after reboot? How to make it
loaded during booting without using rc.local?

Thanks!

Hongwei



--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux