Go to /etc/sysconfig/iptables-config and change IPTABLES_SAVE_ON_STOP="no" to IPTABLES_SAVE_ON_STOP="yes" now everytime you shutdown the system your current iptables will be saved and then reloaded upon reboot. Filippos <div>On 5/18/06, Hongwei Li <<a href="mailto:hongwei@wustl.edu">hongwei@wustl.edu</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi, Based on some suggestions, I edited file /etc/sysconfig/iptables as: # Firewall configuration written by system-config-securitylevel # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Firewall-1-INPUT - [0:0] -A INPUT -j RH-Firewall-1-INPUT -A FORWARD -j RH-Firewall-1-INPUT # :okay - [0:0] # -A RH-Firewall-1-INPUT -i lo -j ACCEPT -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT -A RH-Firewall-1-INPUT -p 50 -j ACCEPT -A RH-Firewall-1-INPUT -p 51 -j ACCEPT -A RH-Firewall-1-INPUT -p udp --dport 5353 -d <a href="http://224.0.0.251">224.0.0.251</a> -j ACCEPT -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT # -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # ... -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT ... -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited COMMIT Then, run service iptables start and everything work well -- I can remote login ssh. I have run # iptables-save and also turn the service on: # chkconfig iptables on # chkconfig --list | grep iptable iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off However, if I reboot the system, the port 22, 80 etc. are not open, I cannot remotely login ssh. I go to local terminal and run iptables -L, it only shows something like "original iptables setting"(?) as: Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- <a href="http://wumsdns1.wustl.edu">wumsdns1.wustl.edu</a> anywhere tcp flags:!FIN,SYN,RST,ACK/SYN ACCEPT udp -- <a href="http://wumsdns1.wustl.edu">wumsdns1.wustl.edu</a> anywhere ... Chain INBOUND (1 references) target prot opt source destination ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED LSI all -- anywhere anywhere ... Chain OUTBOUND (1 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere Since port 22,80 etc. are not open, I can do nothing remotely (ssh, web,..). I have to run "service iptables restart" manually, then it shows what I put in the file /etc/sysconfig/iptables: Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere ... ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3 ... ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Then, everything is working normally. Although I can put "iptables restart" in rc.local and it does work, but I am not comfortable with that. Did I miss something? Where is the "original setting" of iptables stored? Why isn't my /etc/sysconfig/iptables loaded after reboot? How to make it loaded during booting without using rc.local? Thanks! Hongwei -- fedora-list mailing list <a href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a> To unsubscribe: <a href="https://www.redhat.com/mailman/listinfo/fedora-list"> https://www.redhat.com/mailman/listinfo/fedora-list</a> </blockquote></div>