Iptables not saving...

Devon Harding devonharding at gmail.com
Mon Apr 24 15:18:29 UTC 2006


On 4/24/06, Tim <ignored_mailbox at yahoo.com.au> wrote:
> Be advised that top posting, and using HTML, is a sure-fire way to avoid
> getting help on a mailing list.  There may well be someone out there who
> might have the answer to all your woes, but dumps any messages posted
> that way.
>
> On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> > The reason I want the chains saved, is because I'm using sshdblackd
> > (http://www.sshblack.com) to block failed ssh attempts on my box
>
> Considering this snippet from the website (below), I'm not sure that
> saving the tables is a necessary step, nor perhaps even a good one.
>
> "The blacklist is simply a list of source IP addresses that are
> prohibited from making ssh connections to the protected host. Once a
> predetermined amount of time has passed, the offending IP address is
> removed from the blacklist."
>
> > Here is everything that I did manually...
> >
> > [root at mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     all  --  anywhere             anywhere
> > BLACKLIST  tcp  --  anywhere             anywhere            tcp dpt:ssh
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain BLACKLIST (1 references)
> > target     prot opt source               destination
> > DROP       all  --  uo82.internetdsl.tpnet.pl  anywhere
>
> If you're trying to keep a tight rein on SSH, I'd expect you to only
> allow it through a range of predetermined IPs, even if you are taking
> this approach of automatically blackbanning some IPs.
>
>
> > [root at mars ~]# cat /etc/cron.hourly/iptables.cron
> > #!/bin/sh
> > /sbin/iptables-save >/dev/null 2>&1
>
> As you should see from your next sample output, iptables-save dumps to
> standard out.  You want to direct its output to where iptables normally
> keeps its rules, otherwise you'll be "saving" nothing.
>
> If FC5 still uses the same place as FC4, I think you'll want to use the
> iptables-save command more like how I mentioned it near the bottom of my
> prior posting.
>
> e.g. #!/bin/sh
>      /sbin/iptables-save > /etc/sysconfig/iptables
>
> Though, I think you could avoid having to do that just by having
> iptables save its configuration at shutdown.  At next bootup, it'll pick
> up from there, without needing a regular save.
>
> > [root at mars ~]# /sbin/iptables-save
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> > *filter
> > :INPUT ACCEPT [19025:2595521]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [691823:184550717]
> > :BLACKLIST - [0:0]
> > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:24:51 2006
>
> *Showing* you what it *would* save.  You have to direct its output to a
> file to really save it.
>
> > [root at mars ~]# cat /etc/sysconfig/iptables
> > # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> > *filter
> > :INPUT ACCEPT [18650:2543690]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [690115:184341112]
> > :BLACKLIST - [0:0]
> > [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > [3365:200808] -A INPUT -i lo -j ACCEPT
> > [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> > [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> > COMMIT
> > # Completed on Sun Apr 23 09:01:15 2006
>
> At this point you should notice that the saved configuration is not the
> same as your example above it.  The saved configuration is something
> that was saved beforehand.
>
> But here (below) you're striking another problem:
>
> > [root at mars ~]# reboot
> >
> > Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> > [root at mars ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
>
> Are you running more than one firewall program?  Some can fight with
> each other.
>
> It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
> back to "no", in case there's a fault where a "start" gets treated the
> same as a "restart", and saves empty tables.
>
> --
> (Currently running FC4, occasionally trying FC5.)
>
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
>

I tried setting the script as described above & changing the
/etc/sysconfig/iptables-config, but still get the same results on
reboot:

[root at mars ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
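The check Tim makes by eye above (the saved file carrying an older timestamp and different counters than the live dump) can be scripted, so a cron job knows whether /etc/sysconfig/iptables is stale before overwriting it. This is an added example, not code from the thread or from sshblack; the sample dumps are constructed (shortened from the ones quoted above) and the temp-file names are stand-ins for the live dump and the saved file.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether the copy in
# /etc/sysconfig/iptables (path from the thread) still matches the live
# ruleset. Counters and "# Generated by" timestamps change all the time,
# so they are stripped first; only chains, policies and rules are compared.

# normalize_rules: read iptables-save text on stdin, print rules only.
#  - drop comment lines (the timestamps)
#  - strip the "[pkts:bytes] " prefix that iptables-save -c puts on rules
#  - strip the trailing " [pkts:bytes]" on chain lines such as ":INPUT ACCEPT [1:2]"
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] //' \
        -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# saved_is_current LIVE_DUMP SAVED_FILE: exit status 0 if the rule sets match,
# 1 if the saved file is stale. On a real host LIVE_DUMP would be produced
# with "iptables-save > file"; iptables itself is not needed to run this demo.
saved_is_current() {
    [ "$(normalize_rules < "$1")" = "$(normalize_rules < "$2")" ]
}

# Constructed sample data, shortened from the dumps quoted in the thread.
LIVE_DUMP=$(mktemp); SAVED_DUMP=$(mktemp); STALE_DUMP=$(mktemp)
cat > "$LIVE_DUMP" <<'EOF'
# Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
*filter
:INPUT ACCEPT [19025:2595521]
:BLACKLIST - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 80.55.144.82 -j DROP
COMMIT
EOF
# Same rules, older timestamp, written with counters (iptables-save -c).
cat > "$SAVED_DUMP" <<'EOF'
# Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
*filter
:INPUT ACCEPT [18650:2543690]
:BLACKLIST - [0:0]
[6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
[3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
COMMIT
EOF
# Stale copy: the BLACKLIST entry added later is missing from the saved file.
grep -v '^\[3:180\]' "$SAVED_DUMP" > "$STALE_DUMP"

if saved_is_current "$LIVE_DUMP" "$SAVED_DUMP"; then echo "saved copy is current"; fi
if ! saved_is_current "$LIVE_DUMP" "$STALE_DUMP"; then echo "stale copy differs"; fi
```

Run against the two dumps quoted in the thread, the rule sets turn out identical once counters and timestamps are ignored; only a copy missing a rule (the stale sample) is reported as differing.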