my iptables setting not loaded after reboot in fc5
Filippos Klironomos
presariod at gmail.com
Thu May 18 18:42:03 UTC 2006
You should also change
IPTABLES_SAVE_ON_RESTART="no"
to
IPTABLES_SAVE_ON_RESTART="yes"
as well in /etc/sysconfig/iptables-config. Then make all the desired changes
you want in iptables rules and save them (just in case) by
iptables-save > /etc/sysconfig/iptables
Then your rules should survive system reboots.
Filippos
On 5/18/06, Hongwei Li <hongwei at wustl.edu> wrote:
>
> > Go to /etc/sysconfig/iptables-config and change
> >
> > IPTABLES_SAVE_ON_STOP="no"
> >
> > to
> >
> > IPTABLES_SAVE_ON_STOP="yes"
> >
> > now every time you shut down the system your current iptables will be
> > saved and then reloaded upon reboot.
> >
> > Filippos
> >
> >
> > On 5/18/06, Hongwei Li <hongwei at wustl.edu> wrote:
> >>
> >> Hi,
> >>
> >> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
> >>
> >> # Firewall configuration written by system-config-securitylevel
> >> # Manual customization of this file is not recommended.
> >> *filter
> >> :INPUT ACCEPT [0:0]
> >> :FORWARD ACCEPT [0:0]
> >> :OUTPUT ACCEPT [0:0]
> >> :RH-Firewall-1-INPUT - [0:0]
> >> -A INPUT -j RH-Firewall-1-INPUT
> >> -A FORWARD -j RH-Firewall-1-INPUT
> >> #
> >> :okay - [0:0]
> >> #
> >> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> >> #
> >> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> >> #
> >> ...
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> >> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> >> ...
> >> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> >> COMMIT
> >>
> >> Then, run service iptables start and everything works well -- I can
> >> log in remotely via ssh. I have run
> >> # iptables-save
> >>
> >> and also turn the service on:
> >>
> >> # chkconfig iptables on
> >> # chkconfig --list | grep iptable
> >> iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
> >>
> >> However, if I reboot the system, ports 22, 80 etc. are not open; I
> >> cannot log in remotely via ssh. I go to a local terminal and run
> >> iptables -L, and it only shows something like the "original iptables
> >> setting"(?) as:
> >>
> >> Chain INPUT (policy DROP)
> >> target prot opt source destination
> >> ACCEPT tcp -- wumsdns1.wustl.edu anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
> >> ACCEPT udp -- wumsdns1.wustl.edu anywhere
> >> ...
> >> Chain INBOUND (1 references)
> >> target prot opt source destination
> >> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
> >> ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
> >> LSI all -- anywhere anywhere
> >> ...
> >> Chain OUTBOUND (1 references)
> >> target prot opt source destination
> >> ACCEPT icmp -- anywhere anywhere
> >> ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
> >> ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
> >> ACCEPT all -- anywhere anywhere
> >>
> >> Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh,
> >> web, ...). I have to run "service iptables restart" manually, then it
> >> shows what I put in the file /etc/sysconfig/iptables:
> >> Chain INPUT (policy ACCEPT)
> >> target prot opt source destination
> >> RH-Firewall-1-INPUT all -- anywhere anywhere
> >> ...
> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
> >> ...
> >> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
> >> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >>
> >> Then, everything is working normally. Although I can put "iptables
> >> restart" in rc.local and it does work, I am not comfortable with that.
> >>
> >> Did I miss something? Where is the "original setting" of iptables
> >> stored? Why isn't my /etc/sysconfig/iptables loaded after reboot? How
> >> can I make it load during booting without using rc.local?
> >>
> >> Thanks!
> >>
> >> Hongwei
> >>
> >>
>
> No, it does not change the situation. My iptables settings are still not
> loaded upon booting.
>
> Hongwei
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
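An added example (not part of this thread, and not Fedora's own iptables init script) of the check an administrator would want after following the advice above: confirm that IPTABLES_SAVE_ON_STOP and IPTABLES_SAVE_ON_RESTART are set to yes in an iptables-config style file, and compare the saved ruleset with a live iptables-save dump so that a reboot that silently replaced the rules (as in the original report, where different chains and a DROP policy appeared) is reported rather than discovered through a lost ssh session. The script takes file paths as arguments; the sample files written by make_samples are constructed for the demo and are modelled on the ruleset quoted above, not copied from any real host.

```shell
#!/bin/sh
# Added example, not code from this thread or from Fedora's iptables init
# script. Checks the two iptables-config flags the replies recommend, then
# compares a saved ruleset (/etc/sysconfig/iptables format) with a live
# iptables-save dump so "rules vanished after reboot" shows up in a report.
# Paths are arguments; make_samples writes constructed files for the demo.

# Return 0 when KEY ($2) is set to yes in the iptables-config style file ($1).
# Commented-out lines do not count; the last assignment wins, as in the shell.
config_flag_is_yes() {
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"' ")
    [ "$val" = "yes" ]
}

# Normalize an iptables-save style ruleset: drop comments, blank lines and
# COMMIT, strip [packets:bytes] counters (they always differ between the saved
# file and a live dump), and sort so file order does not matter.
normalize_rules() {
    sed -e 's/#.*$//' -e 's/\[[0-9]*:[0-9]*\]//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | grep -v '^COMMIT$' | sort
}

# Return 0 when the running ruleset ($2) is exactly the saved one ($1).
rules_match() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# Print chains defined in the running ruleset ($2) but absent from the saved
# file ($1): a non-empty list means some other tool loaded rules at boot.
foreign_chains() {
    saved_chains=$(sed -n 's/^:\([^ ]*\).*/\1/p' "$1")
    sed -n 's/^:\([^ ]*\).*/\1/p' "$2" | sort | while read -r chain; do
        printf '%s\n' "$saved_chains" | grep -qxF "$chain" || printf '%s\n' "$chain"
    done
}

# Report on one host (config, saved rules, live dump); return 0 only if both
# flags are yes and the live rules are the saved ones.
check_persistence() {
    status=0
    for key in IPTABLES_SAVE_ON_STOP IPTABLES_SAVE_ON_RESTART; do
        config_flag_is_yes "$1" "$key" && echo "ok   $key=yes" && continue
        echo "WARN $key is not yes in $1"; status=1
    done
    if rules_match "$2" "$3"; then
        echo "ok   running rules match $2"; return $status
    fi
    extra=$(foreign_chains "$2" "$3" | tr '\n' ' ')
    echo "WARN running rules differ from $2; chains not in saved file: ${extra:-none}"
    return 1
}

# Constructed sample files modelled on the thread (not copied from any host):
# configs with and without the flags, a saved ruleset, a live dump that is the
# same rules with real counters, and a live dump from a different firewall tool.
make_samples() {
    printf 'IPTABLES_SAVE_ON_STOP="yes"\nIPTABLES_SAVE_ON_RESTART="yes"\n' > "$1/iptables-config.good"
    printf '# IPTABLES_SAVE_ON_STOP="yes"\nIPTABLES_SAVE_ON_STOP="no"\nIPTABLES_SAVE_ON_RESTART="no"\n' > "$1/iptables-config.bad"
    cat > "$1/saved.rules" <<'EOF'
# Firewall configuration written by system-config-securitylevel
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    # Same rules as the kernel would report them: no comment, non-zero counters.
    sed -e '/^#/d' -e 's/\[0:0\]/[812:61240]/' "$1/saved.rules" > "$1/running-ok.rules"
    cat > "$1/running-other.rules" <<'EOF'
*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:INBOUND - [0:0]
:OUTBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j OUTBOUND
COMMIT
EOF
}

# Stand-alone demo. On a real host pass /etc/sysconfig/iptables-config,
# /etc/sysconfig/iptables and a fresh `iptables-save > /tmp/live.rules` dump.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "== host with both flags set and the saved rules loaded"
check_persistence "$demo_dir/iptables-config.good" "$demo_dir/saved.rules" "$demo_dir/running-ok.rules" || true
echo "== host in the state the thread describes"
check_persistence "$demo_dir/iptables-config.bad" "$demo_dir/saved.rules" "$demo_dir/running-other.rules" || true
rm -rf "$demo_dir"
```

The comparison deliberately ignores counters and line order: a live dump never matches the saved file byte for byte, so a plain diff would always warn. Run it from cron or at the end of boot against a fresh iptables-save dump; the "chains not in saved file" line is what tells a rc.local workaround apart from another firewall tool loading its own rules first.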