my iptables setting not loaded after reboot in fc5

Filippos Klironomos presariod at gmail.com
Thu May 18 18:42:03 UTC 2006


You should also change

IPTABLES_SAVE_ON_RESTART="no"

to

IPTABLES_SAVE_ON_RESTART="yes"

as well in /etc/sysconfig/iptables-config. Then make all the desired changes
you want in iptables rules and save them (just in case) by

iptables-save > /etc/sysconfig/iptables

Then your rules should survive system reboots.

Filippos


On 5/18/06, Hongwei Li <hongwei at wustl.edu> wrote:
>
> > Go to /etc/sysconfig/iptables-config and change
> >
> > IPTABLES_SAVE_ON_STOP="no"
> >
> > to
> >
> > IPTABLES_SAVE_ON_STOP="yes"
> >
> > now every time you shut down the system your current iptables will be
> > saved and then reloaded upon reboot.
> >
> > Filippos
> >
> >
> > On 5/18/06, Hongwei Li <hongwei at wustl.edu> wrote:
> >>
> >> Hi,
> >>
> >> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
> >>
> >> # Firewall configuration written by system-config-securitylevel
> >> # Manual customization of this file is not recommended.
> >> *filter
> >> :INPUT ACCEPT [0:0]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> :RH-Firewall-1-INPUT - [0:0]
> >> -A INPUT -j RH-Firewall-1-INPUT
> >> -A FORWARD -j RH-Firewall-1-INPUT
> >> #
> >> :okay - [0:0]
> >> #
> >> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> >> #
> >> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> #
> >> ...
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> >> ...
> >> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >> COMMIT
> >>
> >> Then, run service iptables start and everything works well -- I can
> >> remotely login ssh.  I have run
> >> # iptables-save
> >>
> >> and also turn the service on:
> >>
> >> # chkconfig iptables on
> >> # chkconfig --list | grep iptable
> >> iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
> >>
> >> However, if I reboot the system, the ports 22, 80 etc. are not open, I
> >> cannot remotely login ssh. I go to local terminal and run iptables -L, it
> >> only shows something like "original iptables setting"(?) as:
> >>
> >> Chain INPUT (policy DROP)
> >> target     prot opt source               destination
> >> ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
> >> ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
> >> ...
> >> Chain INBOUND (1 references)
> >> target     prot opt source               destination
> >> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >> LSI        all  --  anywhere             anywhere
> >> ...
> >> Chain OUTBOUND (1 references)
> >> target     prot opt source               destination
> >> ACCEPT     icmp --  anywhere             anywhere
> >> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> >> ACCEPT     all  --  anywhere             anywhere
> >>
> >> Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh,
> >> web,..).  I have to run "service iptables restart" manually, then it shows
> >> what I put in the file /etc/sysconfig/iptables:
> >> Chain INPUT (policy ACCEPT)
> >> target     prot opt source               destination
> >> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >> ...
> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
> >> ...
> >> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
> >> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >>
> >> Then, everything is working normally.  Although I can put "iptables
> >> restart" in rc.local and it does work, I am not comfortable with that.
> >>
> >> Did I miss something?  Where is the "original setting" of iptables stored?
> >> Why isn't my /etc/sysconfig/iptables loaded after reboot? How to make it
> >> loaded during booting without using rc.local?
> >>
> >> Thanks!
> >>
> >> Hongwei
> >>
> >>
>
> No, it does not change the situation.  My iptables settings are still not
> loaded upon booting.
>
> Hongwei
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
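An added check script, written for this page and not part of the thread or of Fedora's own iptables tooling. It runs against constructed sample copies of /etc/sysconfig/iptables-config and /etc/sysconfig/iptables (written to a temp dir so it runs offline) plus the chkconfig --list line quoted above, and reports the three things the thread turns on: whether IPTABLES_SAVE_ON_STOP / IPTABLES_SAVE_ON_RESTART are enabled, whether the saved rules file is complete (every table closed with COMMIT, the port-22 ACCEPT rule present), and which runlevels the service is on in. All function names are hypothetical; point the functions at the real paths to check a live box.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical helpers that check
# the three things the thread touches; file paths are parameters so the
# functions run against constructed samples as well as the real files.

# Print "yes" if KEY="yes" (quotes optional) appears uncommented in the
# config file, otherwise "no".
config_value() {
    # $1 = config file, $2 = key name
    if grep -E "^[[:space:]]*$2=\"?yes\"?[[:space:]]*$" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Print how many of the two persistence keys are still disabled
# (0 means both IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART are on).
count_disabled_save() {
    n=0
    for key in IPTABLES_SAVE_ON_STOP IPTABLES_SAVE_ON_RESTART; do
        [ "$(config_value "$1" "$key")" = yes ] || n=$((n + 1))
    done
    echo "$n"
}

# Print "ok" if the saved rules file opens at least one table (*name) and
# closes every table with COMMIT; otherwise "incomplete". iptables-restore
# needs each table closed with COMMIT, so a missing one means the table
# is not loaded at boot.
rules_file_status() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT' "$1" || true)
    if [ "$tables" -ge 1 ] && [ "$tables" -eq "$commits" ]; then
        echo ok
    else
        echo incomplete
    fi
}

# Print "yes" if the saved rules contain a TCP ACCEPT rule for the port.
rules_accept_tcp_port() {
    # $1 = rules file, $2 = port number
    if grep -E -- "-p tcp .*--dport $2 .*-j ACCEPT" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Given one `chkconfig --list` line, print the runlevels the service is on
# in, space separated (e.g. "2 3 4 5").
runlevels_on() {
    echo "$1" | tr ' \t' '\n\n' | grep -E '^[0-6]:on$' \
        | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Write constructed sample files (stand-ins for /etc/sysconfig/*) into $1.
write_samples() {
    cat > "$1/iptables-config" <<'EOF'
# constructed sample: the shipped defaults, neither save option enabled
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
EOF
    cat > "$1/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "save keys still disabled: $(count_disabled_save "$dir/iptables-config")"
    echo "saved rules file: $(rules_file_status "$dir/iptables")"
    echo "ssh (22) accepted: $(rules_accept_tcp_port "$dir/iptables" 22)"
    echo "runlevels on: $(runlevels_on 'iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off')"
    rm -rf "$dir"
}
demo
```

With the shipped defaults the first line reports 2 disabled keys, which is the state the thread's advice (set both to "yes") fixes; on a box where the rules file was written by hand, the COMMIT check is the quickest way to tell whether iptables-restore could have loaded it at all.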