Problem starting iptables on FC3

Jeff Vian jvian10 at charter.net
Mon Jan 3 05:45:00 UTC 2005


On Sun, 2005-01-02 at 20:35 -0800, Stephen Walton wrote:
> fedora-list at jamesplace.net wrote:
> 
> >When I try to start iptables it simply fails with no errors and nothing 
> >in /var/log/messages. If I try to load it after running the (fwbuilder 
> >generated) script it starts and then stops immediately.
> >  
> >
> The /etc/rc.d/init.d/iptables script assumes that your firewall setup is 
> in /etc/sysconfig/iptables.  If you are using Firewall Builder (I do and 
> highly recommend it for all but the simplest setups), its script is self 
> contained:  it first resets iptables and then installs the settings you 
> specified in fwbuilder.  If you type  "/sbin/service iptables start" 
> after running your fwbuilder script, it will (probably) screw things up 
> as it will try to add the setup in /etc/sysconfig on top of the 
> fwbuilder settings.  "/sbin/service iptables stop" is still useful even 
> if you're using fwbuilder, as it will in effect turn off the firewall by 
> resetting everything to its defaults.
> 

One additional note here, and yes, I also use fwbuilder to configure my
firewall.

Stephen, you are correct as far as you go, but that approach means you
MUST rerun the fwbuilder script every time you reboot or even if you just
stop iptables and want to restart it.

To eliminate the problem with doing a service iptables start and having
your fwbuilder configuration erased, a simple step that only needs to be
done when the fwbuilder config is first installed or changed would be to
do a 2 step process.

1. Install your fwbuilder script and verify it using iptables -L to see
the settings.
2. Save those settings to /etc/sysconfig/iptables using "service
iptables save".

After step 2 is completed and verified, then you never need to run the
fwbuilder script again unless it is changed.  A simple reboot will
automatically reload the last one saved when iptables is started.

If you make a change to the fwbuilder script, then repeat the process
above and you are good to go.

The alternative to this approach is likely that you added into some
script such as rc.local a command to run the fwbuilder script.  The
problem with doing that is that iptables is by default activated before
the network is enabled and halted after the network is disabled.
Running it from some userland script or from somewhere such as rc.local
makes it get activated at a different time in the startup than default,
and my approach allows the default scripts to control the timing of the
firewall startup.
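The two-step procedure described in this message, as an added shell example that is not part of the original thread or of fwbuilder itself. It runs the fwbuilder script, verifies the live rules, and only then calls "service iptables save", refusing to persist a ruleset that is empty or has a permissive default policy, so a later "service iptables start" cannot reload a broken /etc/sysconfig/iptables. The script path /etc/firewall/fw.sh is an assumption, and the check parses iptables-save output (the same information iptables -L shows, in a form that is easier to grep); the sample ruleset is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread or from fwbuilder): wrap the
# "run fwbuilder script, verify, then service iptables save" procedure and
# refuse to save a ruleset that is empty or accidentally permissive.
#
# Assumptions not stated on the page: FW_SCRIPT is a hypothetical path, and
# verification is done on `iptables-save` output rather than `iptables -L`.

FW_SCRIPT="${FW_SCRIPT:-/etc/firewall/fw.sh}"   # assumed path, override via env

# check_ruleset: read iptables-save output on stdin.
# Returns 0 if the filter table is present, INPUT and FORWARD default to
# DROP, and at least one ACCEPT rule was loaded; otherwise:
#   1 = no filter table (nothing loaded), 2 = permissive default policy,
#   3 = policies fine but no rules (the script probably aborted early).
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^\*filter$'       || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'     || return 2
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'   || return 2
    printf '%s\n' "$rules" | grep -q '^-A .* -j ACCEPT' || return 3
    return 0
}

# persist_firewall: the two steps from the message, with the check between.
persist_firewall() {
    sh "$FW_SCRIPT" || { echo "fwbuilder script failed, not saving" >&2; return 1; }
    iptables-save | check_ruleset || {
        echo "live ruleset failed sanity check (rc=$?), not saving" >&2
        return 1
    }
    service iptables save   # writes the live rules to /etc/sysconfig/iptables
}

# Constructed sample of what iptables-save prints after a typical fwbuilder
# script has run (not captured from a real host).
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

case "${1:-}" in
    apply)    persist_firewall ;;
    selftest) printf '%s\n' "$SAMPLE_RULESET" | check_ruleset && echo "sample ruleset passes" ;;
esac
```

Run it as root with "apply" after installing or changing the fwbuilder script; "selftest" exercises the check against the built-in sample without touching the kernel. The policy check assumes fwbuilder was configured with DROP defaults on INPUT and FORWARD, which is the usual setup; adjust the grep patterns if your policy differs.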




