On Tue, 2007-08-21 at 06:56 -0700, Don Russell wrote:
> Don Russell wrote:
> > Mikkel L. Ellertson wrote:
> >> Don Russell wrote:
> >>
> >>> Mikkel L. Ellertson wrote:
> >>>
> >>>> If you are talking about the rules not surviving a reboot, try
> >>>> running "service iptables save" and/or "service ip6tables save". If
> >>>> you want the changes saved automatically, edit
> >>>> /etc/sysconfig/iptables.conf and change
> >>>> IPTABLES_SAVE_ON_RESTART="no" to IPTABLES_SAVE_ON_STOP="yes". Do
> >>>> the same for /etc/sysconfig/ip6tables.conf.
> >>>>
> >>>> Mikkel
> >>>>
> >> I must have deleted a section of my message somehow before I sent it
> >> - there should be advice about changing 2 variables, but there is
> >> the default state of one, and the needed state of the other...
> >>
> >>> Ah... that's good to know... BUT.... in neither case have I restarted
> >>> the system....
> >>>
> >>> I'll have a look at that config file though and see if there are any
> >>> clues. :-)
> >>>
> >>> Maybe what I need to do (as you suggest) is "service iptables save"
> >>> after adding the rules and verifying they work correctly.
> >>>
> >>> (I looked at the webmin method specifically for some form of "save
> >>> these rules", but there is only "apply these rules", which I did
> >>> need to do.)
> >>>
> >> Please post back what you find, as this seems to be a strange one -
> >> the rules should not vanish on a normally running system. Are you
> >> logging out and logging back in at the console, or bringing down an
> >> interface and bringing it back up, between setting the rules and
> >> them vanishing?
> >>
> >> Mikkel
> >>
> >
> > IPTABLES_SAVE_ON_RESTART and IPTABLES_SAVE_ON_STOP are both set to the
> > default value of "no".
> >
> > So, I guess my question becomes, when does the firewall stop or restart?
> >
> > I log on to a non-root user via ssh, then "su -"/"exit" to make the
> > iptables changes.... I have not restarted the whole machine, nor have
> > I restarted the iptables service.... does it restart periodically for
> > some reason? I haven't added anything to cron etc. to make that happen...
> >
> > I'm not restarting the interface....
> >
> > I don't see what I could have done that caused the firewall to
> > stop/restart....
>
> To quote Alice.... "Curiouser and curiouser..."
>
> This morning I can't connect to webmin again.... when I connect to my
> FC7 box via ssh and use iptables -L... sure enough, the two rules are
> gone again.... and this is AFTER I did a "service iptables save" when
> I added the two rules yesterday.
>
> #iptables -I INBOUND 13 -p tcp --dport 10000 -j ACCEPT
> #iptables -I INBOUND 14 -p tcp --dport 20000 -j ACCEPT
> #service iptables save
> Saving firewall rules to /etc/sysconfig/iptables:   [  OK  ]
>
> The good news is... when I can't connect to webmin, I know what to look
> for right away and it's solved (temporarily) in a minute....

Are you sure you don't have a rootkit on there? I don't know of a way
for the iptables to get changed except by a command being run. If
you're not doing it, it's either a cron job somewhere or a lurking
hacker. You might want to try doing an nmap scan against the machine
and see which ports are open to see if there's a back door that
someone's using.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer                 rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                    http://www.internap.com -
-                                                                        -
-   Programmers often confuse Halloween and Christmas.                   -
-   After all, 31 Oct is the same as 25 Dec!                             -
----------------------------------------------------------------------
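Before deciding between "cron job" and "rootkit", the first thing to pin down in a case like Don's is exactly which saved rules have dropped out of the running firewall, and when. The script below is an added example written for this thread, not code posted by any participant: it compares two rule dumps in iptables-save format, the file written by "service iptables save" and the output of iptables-save on the live box, and lists every saved rule that is no longer active. The two dumps embedded in it are constructed samples modelled on Don's INBOUND chain (the chain name and the 10000/20000 ports come from his message; the surrounding rules are assumed). Run from cron every few minutes with the output appended to a log, it gives a timestamp for the moment the rules disappear, which narrows down what else ran on the machine at that time.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts):
# report saved iptables rules that are missing from the running set.
# Both dumps are in the format written by iptables-save / read by
# iptables-restore, which is also what /etc/sysconfig/iptables holds.

# Constructed sample: what "service iptables save" wrote yesterday,
# including the two webmin/usermin rules Don added.
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 10000 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 20000 -j ACCEPT
-A INBOUND -j DROP
COMMIT'

# Constructed sample: what iptables-save prints this morning, after the
# two rules have vanished.
RUNNING_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -j DROP
COMMIT'

# rules_only: keep just the "-A" rule lines of a dump. Table headers
# (*filter), chain declarations with their packet counters (:INPUT ...)
# and COMMIT are dropped, because counters change even when the rule
# set does not and would produce false differences.
rules_only() {
    printf '%s\n' "$1" | grep '^-A ' | sort
}

# missing_rules: print every rule present in the saved dump ($1) but
# absent from the running dump ($2). Prints nothing when they agree.
# -F -x matches the whole line literally, so "--dport 1000" does not
# match "--dport 10000"; "--" keeps grep from reading "-A" as an option.
missing_rules() {
    saved=$(rules_only "$1")
    running=$(rules_only "$2")
    printf '%s\n' "$saved" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$running" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# missing_count: number of saved rules absent from the running set.
missing_count() {
    missing_rules "$1" "$2" | awk 'END { print NR }'
}

# check_live: the same comparison against a real Fedora/RHEL box.
# Needs root for iptables-save. Not exercised by the samples above.
check_live() {
    missing_rules "$(cat /etc/sysconfig/iptables)" "$(iptables-save)"
}

echo "$(date '+%Y-%m-%d %H:%M:%S') saved rules missing from the running firewall:"
missing_rules "$SAVED_RULES" "$RUNNING_RULES"
```

Against the constructed samples the script reports the two ACCEPT rules for ports 10000 and 20000 and nothing else. On the real machine, `check_live` is the function to call; an empty result means the saved and running rule sets agree. If the rules are found to reappear and vanish on a schedule, look at what ran at that time (root's crontab, /etc/cron.*, and any "service iptables restart" or iptables-restore invocations in the logs) before assuming an intruder; if the disappearance is irregular and no job explains it, Rick's suspicion of an unauthorised process deserves a serious look.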