IPTABLES_SAVE_ON_STOP="no"
to
IPTABLES_SAVE_ON_STOP="yes"
now every time you shut down the system your current iptables rules will be saved and
then reloaded upon reboot.
Filippos
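An added check, not part of either message in this thread: a small POSIX shell script that flips IPTABLES_SAVE_ON_STOP to "yes" in a copy of the iptables-config file (on Fedora, /etc/sysconfig/iptables-config is where the iptables init script reads that variable) and then sanity-checks a saved ruleset file before a reboot is trusted to it. The point a practitioner wants verified before rebooting a remote box is that the file is a complete iptables-restore input (it has a *filter table and a COMMIT line) and that the tcp/22 ACCEPT comes before the chain's catch-all REJECT, otherwise the next boot locks you out. The sample ruleset is a constructed, trimmed copy of the one posted below; set_save_on_stop and check_ruleset are names chosen for this example, not Fedora tooling, and nothing here calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the thread). Edits and checks files only; it never
# touches the running firewall, so it is safe to run before a reboot.

# Constructed sample: a trimmed copy of the ruleset posted in the thread.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# set_save_on_stop FILE
# Set IPTABLES_SAVE_ON_STOP="yes" in an iptables-config style file, replacing
# an existing assignment or appending one if the variable is absent.
set_save_on_stop() {
    f=$1
    if grep -q '^IPTABLES_SAVE_ON_STOP=' "$f"; then
        sed 's/^IPTABLES_SAVE_ON_STOP=.*/IPTABLES_SAVE_ON_STOP="yes"/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'IPTABLES_SAVE_ON_STOP="yes"\n' >> "$f"
    fi
}

# check_ruleset FILE
# Return 0 if FILE is a complete iptables-save dump that keeps SSH reachable;
# print the reason and return 1 otherwise.
check_ruleset() {
    f=$1
    grep -q '^\*filter' "$f" || { echo "no *filter table in $f"; return 1; }
    # Without COMMIT, iptables-restore parses the table but never applies it.
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT in $f"; return 1; }
    # The tcp/22 ACCEPT must come before the catch-all REJECT; rules match in order.
    ssh_line=$(grep -n -- '--dport 22 -j ACCEPT' "$f" | head -1 | cut -d: -f1)
    rej_line=$(grep -n -- '-j REJECT' "$f" | head -1 | cut -d: -f1)
    [ -n "$ssh_line" ] || { echo "no rule accepting tcp/22 in $f"; return 1; }
    if [ -n "$rej_line" ] && [ "$rej_line" -lt "$ssh_line" ]; then
        echo "REJECT at line $rej_line precedes the ssh rule at line $ssh_line"
        return 1
    fi
    return 0
}

# Demo on a constructed copy of the file (no real iptables calls are made).
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES" > "$demo_dir/iptables"
if check_ruleset "$demo_dir/iptables"; then
    echo "ruleset ok: safe to let IPTABLES_SAVE_ON_STOP overwrite it at shutdown"
fi
rm -rf "$demo_dir"
```

Run check_ruleset against /etc/sysconfig/iptables (or against the output of iptables-save) after every change and before every reboot; with IPTABLES_SAVE_ON_STOP="yes" the file is rewritten from the live ruleset at shutdown, so whatever is live at that moment, including rules another tool added later in boot, becomes the next boot's policy.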
On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
Hi,
Based on some suggestions, I edited file /etc/sysconfig/iptables as:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#
:okay - [0:0]
#
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
#
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
...
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
...
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Then I run service iptables start and everything works well -- I can log in
remotely over ssh. I have run
# iptables-save
and also turn the service on:
# chkconfig iptables on
# chkconfig --list | grep iptable
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
However, if I reboot the system, ports 22, 80, etc. are not open and I cannot
log in remotely over ssh. I go to the local terminal and run iptables -L, and it only shows
something like the "original iptables setting"(?) as:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- wumsdns1.wustl.edu anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- wumsdns1.wustl.edu anywhere
...
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI all -- anywhere anywhere
...
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Since ports 22, 80, etc. are not open, I can do nothing remotely (ssh, web, ...).
I have to run "service iptables restart" manually, then it shows what I put in
the file /etc/sysconfig/iptables:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
...
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
...
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Then everything works normally. Although I can put "iptables restart"
in rc.local and it does work, I am not comfortable with that.
Did I miss something? Where is the "original setting" of iptables stored?
Why isn't my /etc/sysconfig/iptables loaded after reboot? How to make it
loaded during booting without using rc.local?
Thanks!
Hongwei
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list