iptables rules get deleted...

Discussion in 'Linux Networking' started by Paul M., Jun 24, 2003.

  1. Paul M.

    Paul M. Guest

    Hi,
    I'm setting up a RedHat 8.0 box on the network with a static
    address. It is a relatively uncustomized box other than running some
    security updates and turning off unwanted services. I need to run
    portmap, which is why I need to filter network access. I've created a
    set of iptables rules, loaded them and saved them into
    /etc/sysconfig/iptables using iptables-save. It's a simple setup-- no
    NAT/masq, etc, just a simple port filter. I've tested it and it does
    what I want. I go home and come back in the morning and run iptables
    -L. All my rules are gone. I can reload the rules from
    /etc/sysconfig/iptables, but it's hard to convince my boss that a port
    filter that deletes its own rules is a good thing. Is RedHat trying to
    "help" me à la Windows? Is there some daemon that doesn't like my rule
    set? I did not have this problem in RedHat 7.2. Thanks for any ideas.

    Paul M.
     
    Paul M., Jun 24, 2003
    #1

  2. In his prose, Paul M. wrote to us:
    Has the box been rebooted during the night ? If so, check your startup
    scripts, iptables rules loading must be missing.
     
    Cedric Blancher, Jun 24, 2003
    #2

  3. I had a similar problem with RH8. It was because iptables wasn't actually
    loading as a service so I simply wgetted the latest iptables RPM from
    rpmfind.net and installed that.

    Then, load your tables from before and:

    iptables-save
    service iptables save
    service iptables restart

    Hopefully that should now load it all up on boot.
     
    George Hewitt, Jun 24, 2003
    #3
  4. Rick Cooper

    Rick Cooper Guest

    Put this script in your /etc/init.d directory under the name iptables (as
    root)
    then run
    chmod u=rwx,g=rwx,o=x /etc/init.d/iptables
    chkconfig --add iptables

    and it will load every time the system is booted

    The only thing I have changed from the original is the addition of the -n
    option to the status section
    You will also find the linux firewall module of webmin makes
    creating/editing/deleting/ordering rules using iptables-save and
    iptables-restore VERY easy.

    #!/bin/sh
    #
    # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
    #
    # chkconfig: 2345 08 92
    #
    # description: Automates a packet filtering firewall with iptables.
    #
    # by , based on the ipchains script:
    # Script Author: Joshua Jensen <>
    # -- hacked up by gafton with help from notting
    # modified by Anton Altaparmakov <>:
    # modified by Nils Philippsen <>
    #
    # config: /etc/sysconfig/iptables

    # Source 'em up (the RedHat init helpers: action, success, failure)
    . /etc/init.d/functions

    IPTABLES_CONFIG=/etc/sysconfig/iptables

    if [ ! -x /sbin/iptables ]; then
        exit 0
    fi

    KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
    KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

    if [ "$KERNELMAJ" -lt 2 ] ; then
        exit 0
    fi
    if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
        exit 0
    fi

    if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
        # Don't do both
        exit 0
    fi

    # Run an iptables command against a table only if that table is loaded
    iftable() {
        if fgrep -qsx $1 /proc/net/ip_tables_names; then
            iptables -t "$@"
        fi
    }

    start() {
        # don't do squat if we don't have the config file
        if [ -f $IPTABLES_CONFIG ]; then
            # If we don't clear these first, we might be adding to
            # pre-existing rules.
            action $"Flushing all current rules and user defined chains:" \
                iptables -F
            action $"Clearing all current rules and user defined chains:" \
                iptables -X
            chains=`cat /proc/net/ip_tables_names 2>/dev/null`
            for i in $chains; do iptables -t $i -F; done && \
                success $"Flushing all current rules and user defined chains:" || \
                failure $"Flushing all current rules and user defined chains:"
            for i in $chains; do iptables -t $i -X; done && \
                success $"Clearing all current rules and user defined chains:" || \
                failure $"Clearing all current rules and user defined chains:"

            for i in $chains; do iptables -t $i -Z; done

            echo -n $"Applying iptables firewall rules: "
            grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | \
                /sbin/iptables-restore -c && \
                success $"Applying iptables firewall rules" || \
                failure $"Applying iptables firewall rules"
            echo
            touch /var/lock/subsys/iptables
        fi
    }

    stop() {
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains; do iptables -t $i -F; done && \
            success $"Flushing all chains:" || \
            failure $"Flushing all chains:"
        for i in $chains; do iptables -t $i -X; done && \
            success $"Removing user defined chains:" || \
            failure $"Removing user defined chains:"
        echo -n $"Resetting built-in chains to the default ACCEPT policy:"
        iftable filter -P INPUT ACCEPT && \
            iftable filter -P OUTPUT ACCEPT && \
            iftable filter -P FORWARD ACCEPT && \
            iftable nat -P PREROUTING ACCEPT && \
            iftable nat -P POSTROUTING ACCEPT && \
            iftable nat -P OUTPUT ACCEPT && \
            iftable mangle -P PREROUTING ACCEPT && \
            iftable mangle -P OUTPUT ACCEPT && \
            success $"Resetting built-in chains to the default ACCEPT policy" || \
            failure $"Resetting built-in chains to the default ACCEPT policy"
        echo
        rm -f /var/lock/subsys/iptables
    }

    case "$1" in
      start)
        start
        ;;

      stop)
        stop
        ;;

      restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;

      condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;

      status)
        tables=`cat /proc/net/ip_tables_names 2>/dev/null`
        for table in $tables; do
            echo $"Table: $table"
            iptables -n -t $table --list
        done
        ;;

      panic)
        echo -n $"Changing target policies to DROP: "
        iftable filter -P INPUT DROP && \
            iftable filter -P FORWARD DROP && \
            iftable filter -P OUTPUT DROP && \
            iftable nat -P PREROUTING DROP && \
            iftable nat -P POSTROUTING DROP && \
            iftable nat -P OUTPUT DROP && \
            iftable mangle -P PREROUTING DROP && \
            iftable mangle -P OUTPUT DROP && \
            success $"Changing target policies to DROP" || \
            failure $"Changing target policies to DROP"
        echo
        iftable filter -F INPUT && \
            iftable filter -F FORWARD && \
            iftable filter -F OUTPUT && \
            iftable nat -F PREROUTING && \
            iftable nat -F POSTROUTING && \
            iftable nat -F OUTPUT && \
            iftable mangle -F PREROUTING && \
            iftable mangle -F OUTPUT && \
            success $"Flushing all chains:" || \
            failure $"Flushing all chains:"
        iftable filter -X INPUT && \
            iftable filter -X FORWARD && \
            iftable filter -X OUTPUT && \
            iftable nat -X PREROUTING && \
            iftable nat -X POSTROUTING && \
            iftable nat -X OUTPUT && \
            iftable mangle -X PREROUTING && \
            iftable mangle -X OUTPUT && \
            success $"Removing user defined chains:" || \
            failure $"Removing user defined chains:"
        ;;

      save)
        echo -n $"Saving current rules to $IPTABLES_CONFIG: "
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
            success $"Saving current rules to $IPTABLES_CONFIG" || \
            failure $"Saving current rules to $IPTABLES_CONFIG"
        echo
        ;;

      *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
    esac

    exit 0
     
    Rick Cooper, Jun 25, 2003
    #4
