Re: my iptables setting not loaded after reboot in fc5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



You should also change

IPTABLES_SAVE_ON_RESTART="no"

to

IPTABLES_SAVE_ON_RESTART="yes"

as well in /etc/sysconfig/iptables-config. Then make all the desired changes you
want in iptables rules and save them (just in case) by

iptables-save > /etc/sysconfig/iptables

Then your rules should survive system reboots.

Filippos


On 5/18/06, Hongwei Li < hongwei@xxxxxxxxx> wrote:
> Go to /etc/sysconfig/iptables-config and change
>
> IPTABLES_SAVE_ON_STOP="no"
>
> to
>
> IPTABLES_SAVE_ON_STOP="yes"
>
> now everytime you shutdown the system your current iptables will be saved
> and
> then reloaded upon reboot.
>
> Filippos
>
>
> On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
>>
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> #
>> :okay - [0:0]
>> #
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A
>> RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> #
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #
>> ...
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
>> ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
>> ACCEPT
>> ...
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
>>
>> Then, run service iptables start and everything work well -- I can remote
>> login ssh.  I have run
>> # iptables-save
>>
>> and also turn the service on:
>>
>> # chkconfig iptables on
>> # chkconfig --list | grep iptable
>> iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
>>
>> However, if I reboot the system, the port 22, 80 etc. are not open, I
>> cannot
>> remotely login ssh. I go to local terminal and run iptables -L, it only
>> shows
>> something like "original iptables setting"(?) as:
>>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp
>> flags:!FIN,SYN,RST,ACK/SYN
>> ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
>> ...
>> Chain INBOUND (1 references)
>> target     prot opt source               destination
>> ACCEPT     tcp  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> ACCEPT     udp  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> LSI        all  --  anywhere             anywhere
>> ...
>> Chain OUTBOUND (1 references)
>> target     prot opt source               destination
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     tcp  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> ACCEPT     udp  --  anywhere             anywhere            state
>> RELATED,ESTABLISHED
>> ACCEPT     all  --  anywhere             anywhere
>>
>> Since port 22,80 etc. are not open, I can do nothing remotely (ssh,
>> web,..).
>> I have to run "service iptables restart" manually, then it shows what I
>> put in
>> the file /etc/sysconfig/iptables:
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>> ...
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
>> dpt:ssh
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
>> dpt:smtp
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
>> dpt:http
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
>> dpt:pop3
>> ...
>> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp
>> dpt:imap
>> REJECT     all  --  anywhere             anywhere            reject-with
>> icmp-host-prohibited
>>
>> Then, everything is working normally.  Although I can put "iptables
>> restart"
>> in rc.local and it does work, but I am not comfortable with that.
>>
>> Did I miss something?  Where is the "original setting" of iptables stored?
>> Why isn't my /etc/sysconfig/iptables loaded after reboot? How to make it
>> loaded during booting without using rc.local?
>>
>> Thanks!
>>
>> Hongwei
>>
>>

No, it does not change the situation.  My iptables settings are still not
loaded upon booting.

Hongwei

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux