IPTABLES_SAVE_ON_RESTART="no"
to
IPTABLES_SAVE_ON_RESTART="yes"
as well in /etc/sysconfig/iptables-config. Then make all the desired changes you
want in iptables rules and save them (just in case) by
iptables-save > /etc/sysconfig/iptables
Then your rules should survive system reboots.
Filippos
On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
> Go to /etc/sysconfig/iptables-config and change
>
> IPTABLES_SAVE_ON_STOP="no"
>
> to
>
> IPTABLES_SAVE_ON_STOP="yes"
>
> now every time you shut down the system your current iptables will be saved
> and then reloaded upon reboot.
>
> Filippos
>
>
> On 5/18/06, Hongwei Li <hongwei@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
>>
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> #
>> :okay - [0:0]
>> #
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> #
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> #
>> ...
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
>> ...
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>>
>> Then, I run service iptables start and everything works well -- I can log in
>> remotely via ssh. I have run
>> # iptables-save
>>
>> and also turned the service on:
>>
>> # chkconfig iptables on
>> # chkconfig --list | grep iptable
>> iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
>>
>> However, if I reboot the system, ports 22, 80 etc. are not open, and I cannot
>> log in remotely via ssh. I go to a local terminal and run iptables -L; it only
>> shows something like the "original iptables setting"(?) as:
>>
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT tcp -- wumsdns1.wustl.edu anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
>> ACCEPT udp -- wumsdns1.wustl.edu anywhere
>> ...
>> Chain INBOUND (1 references)
>> target prot opt source destination
>> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
>> LSI all -- anywhere anywhere
>> ...
>> Chain OUTBOUND (1 references)
>> target prot opt source destination
>> ACCEPT icmp -- anywhere anywhere
>> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT all -- anywhere anywhere
>>
>> Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh, web, ...).
>> I have to run "service iptables restart" manually; then it shows what I put in
>> the file /etc/sysconfig/iptables:
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> RH-Firewall-1-INPUT all -- anywhere anywhere
>> ...
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
>> ...
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
>> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>>
>> Then, everything is working normally. Although I can put "iptables restart"
>> in rc.local and it does work, I am not comfortable with that.
>>
>> Did I miss something? Where is the "original setting" of iptables stored?
>> Why isn't my /etc/sysconfig/iptables loaded after reboot? How do I make it
>> load during boot without using rc.local?
>>
>> Thanks!
>>
>> Hongwei
>>
>>
No, it does not change the situation. My iptables settings are still not
loaded upon booting.
Hongwei
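As an added example (not from the thread or from the Fedora init scripts), a POSIX shell check of the two things the replies above rely on: that /etc/sysconfig/iptables-config actually has the save variables set to yes, and that the ruleset file iptables-restore will read is structurally complete. The file names are the ones the thread uses; the sample contents are constructed here so the check runs without root or a live firewall.

```shell
# Succeed only if FILE sets every named variable to "yes" (last assignment wins).
check_iptables_config() {
    file=$1; shift; rc=0
    for var in "$@"; do
        val=$(sed -n "s/^[[:space:]]*$var=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$file" | tail -n 1)
        if [ "$val" != "yes" ]; then
            echo "$var is '${val:-unset}' in $file (want yes)" >&2
            rc=1
        fi
    done
    return $rc
}

# Succeed only if an iptables-save dump has a COMMIT for every *table and no
# line carries a fused rule (a second -A/-I, or a trailing COMMIT), which is
# how the ruleset quoted in the thread looks after mail wrapping.
check_ruleset() {
    awk '
        /^\*/              { tables++ }
        /^COMMIT$/         { commits++ }
        /^-[AI] .* -[AI] / { print "two rules on line " NR > "/dev/stderr"; bad = 1 }
        /^-[AI] .*COMMIT$/ { print "COMMIT fused onto line " NR > "/dev/stderr"; bad = 1 }
        END {
            if (tables == 0 || tables != commits) { print tables " table(s), " commits " COMMIT(s)" > "/dev/stderr"; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed samples (not real system files): the config the thread's advice
# produces, a clean ruleset, and one wrapped like the quoted file.
tmp=$(mktemp -d)
cat > "$tmp/iptables-config" <<'EOF'
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="no"
EOF
cat > "$tmp/iptables.good" <<'EOF'
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$tmp/iptables.wrapped" <<'EOF'
*filter
-A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT -A INPUT -p udp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT
EOF

check_iptables_config "$tmp/iptables-config" IPTABLES_SAVE_ON_STOP IPTABLES_SAVE_ON_RESTART || echo "fix iptables-config before rebooting"
check_ruleset "$tmp/iptables.wrapped" || echo "repair the saved ruleset before rebooting"
```

On a live system, modern iptables also offers iptables-restore --test, which parses the saved file without applying it.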
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list