> Go to /etc/sysconfig/iptables-config and change
>
> IPTABLES_SAVE_ON_STOP="no"
>
> to
>
> IPTABLES_SAVE_ON_STOP="yes"
>
> Now every time you shut down the system your current iptables will be saved and then reloaded upon reboot.
>
> Filippos
>
> On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
>>
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> #
>> :okay - [0:0]
>> #
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> #
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> #
>> ...
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>> ...
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> Then, I run service iptables start and everything works well -- I can log in remotely via ssh. I have run
>>
>> # iptables-save
>>
>> and also turned the service on:
>>
>> # chkconfig iptables on
>> # chkconfig --list | grep iptable
>> iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
>>
>> However, if I reboot the system, ports 22, 80 etc. are not open and I cannot log in remotely via ssh. I go to a local terminal and run iptables -L, and it only shows something like the "original iptables setting"(?) as:
>>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
>> ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
>> ...
>> Chain INBOUND (1 references)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> LSI        all  --  anywhere             anywhere
>> ...
>> Chain OUTBOUND (1 references)
>> target     prot opt source               destination
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
>> ACCEPT     all  --  anywhere             anywhere
>>
>> Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh, web, ...). I have to run "service iptables restart" manually; then it shows what I put in the file /etc/sysconfig/iptables:
>>
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> ...
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
>> ...
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
>> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>>
>> Then everything is working normally. Although I can put "iptables restart" in rc.local and it does work, I am not comfortable with that.
>>
>> Did I miss something? Where is the "original setting" of iptables stored? Why isn't my /etc/sysconfig/iptables loaded after reboot? How can I make it load during booting without using rc.local?
>>
>> Thanks!
>>
>> Hongwei

No, it does not change the situation. My iptables settings are still not loaded upon booting.

Hongwei
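As an added example (not code from this thread or from the iptables package), the following Python script parses the iptables-save format that both /etc/sysconfig/iptables and an `iptables-save` dump use, and reports which intended rules and built-in chain policies are absent from the live ruleset. The two rulesets are constructed inline, modelled on the posted file and on the post-reboot state described above; in practice the live text would come from `iptables-save` run after boot.

```python
import shlex

# Constructed sample: abridged /etc/sysconfig/iptables as posted in the thread.
INTENDED = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""
# Constructed sample: iptables-save output of the ruleset that was live after reboot.
LIVE = """\
*filter
:INPUT DROP [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Parse iptables-save format into {table: {"policy": {chain: pol}, "rules": [...]}}."""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                    # chain: :NAME POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A "):                  # rule; tokenised so spacing is irrelevant
            tok = shlex.split(line)
            table["rules"].append((tok[1], tuple(tok[2:])))
        else:
            raise ValueError("unexpected line: " + line)
    return tables

def compare(intended, live, table="filter"):
    """Intended rules missing from the live dump, and built-in chains whose policy differs."""
    want = parse_save(intended)[table]
    have = parse_save(live).get(table, {"policy": {}, "rules": []})
    missing = [r for r in want["rules"] if r not in set(have["rules"])]
    policy = {c: (p, have["policy"].get(c)) for c, p in want["policy"].items()
              if p != "-" and have["policy"].get(c) != p}
    return missing, policy

if __name__ == "__main__":
    print(compare(INTENDED, LIVE))
```

Both results are empty only when the file really is what got loaded; a non-empty list after reboot is the quickest confirmation that some other ruleset was applied before or instead of /etc/sysconfig/iptables.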