my iptables setting not loaded after reboot in fc5

Filippos Klironomos presariod at gmail.com
Thu May 18 17:00:33 UTC 2006


Go to /etc/sysconfig/iptables-config and change

IPTABLES_SAVE_ON_STOP="no"

to

IPTABLES_SAVE_ON_STOP="yes"

Now every time you shut down the system your current iptables rules will be saved
and then reloaded upon reboot.

Filippos


On 5/18/06, Hongwei Li <hongwei at wustl.edu> wrote:
>
> Hi,
>
> Based on some suggestions, I edited file /etc/sysconfig/iptables as:
>
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> #
> :okay - [0:0]
> #
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> #
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> #
> ...
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> ...
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> Then, I run service iptables start and everything works well -- I can log in
> remotely with ssh.  I have run
> # iptables-save
>
> and also turn the service on:
>
> # chkconfig iptables on
> # chkconfig --list | grep iptable
> iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
>
> However, if I reboot the system, ports 22, 80 etc. are not open and I cannot
> log in remotely with ssh. I go to a local terminal and run iptables -L, and it
> only shows something like the "original iptables setting"(?) as:
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  wumsdns1.wustl.edu   anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
> ACCEPT     udp  --  wumsdns1.wustl.edu   anywhere
> ...
> Chain INBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> LSI        all  --  anywhere             anywhere
> ...
> Chain OUTBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
>
> Since ports 22, 80 etc. are not open, I can do nothing remotely (ssh, web, ...).
> I have to run "service iptables restart" manually, and then it shows what I put
> in the file /etc/sysconfig/iptables:
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ...
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3
> ...
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> Then, everything is working normally.  Although I can put "iptables restart"
> in rc.local and it does work, I am not comfortable with that.
>
> Did I miss something?  Where is the "original setting" of iptables stored?
> Why isn't my /etc/sysconfig/iptables loaded after reboot? How can I make it
> load during boot without using rc.local?
>
> Thanks!
>
> Hongwei
>
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
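A small check script for the situation described in this thread, added here as an example and not part of either message: it reads the IPTABLES_SAVE_ON_STOP setting from an iptables-config style file and compares a saved ruleset (the /etc/sysconfig/iptables format quoted above) with a live iptables-save dump, ignoring comments and packet counters. File paths are parameters, and the demo runs on constructed files so it needs no root or live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): check the persistence knob in
# /etc/sysconfig/iptables-config and verify that the live ruleset is the saved
# one. File paths are parameters, so the functions also run on constructed input.

# Print the unquoted value of KEY=... from a shell-style config file (last wins).
# Usage: config_value FILE KEY
config_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*$/\1/p" "$1" | tail -n 1
}

# Canonicalize an iptables-save dump on stdin: drop comment and blank lines and
# the [packets:bytes] counters, so two dumps of the same rules compare equal.
# Both sides should come from iptables-save (as `service iptables save` does),
# because the tool canonicalizes option order and a hand-edited file may not.
normalize_rules() {
    sed -e 's/^#.*$//' -e 's/\[[0-9]*:[0-9]*\]//g' -e 's/[[:space:]]*$//' | grep -v '^$' || true
}

# Return 0 when SAVED (e.g. /etc/sysconfig/iptables) and LIVE (an iptables-save
# dump) describe the same rules, 1 otherwise.
# Usage: rules_match SAVED LIVE
rules_match() {
    [ "$(normalize_rules < "$1")" = "$(normalize_rules < "$2")" ]
}

# Offline demo on constructed files. On a real host use
#   iptables-save > live.rules    (plain iptables-save only prints to stdout)
# and /etc/sysconfig/iptables and /etc/sysconfig/iptables-config as the inputs.
demo() {
    d=$(mktemp -d)
    printf 'IPTABLES_SAVE_ON_STOP="no"\n' > "$d/iptables-config"
    printf '*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -j RH-Firewall-1-INPUT\nCOMMIT\n' > "$d/saved"
    printf '# Generated by iptables-save\n*filter\n:INPUT DROP [9:812]\nCOMMIT\n' > "$d/live"
    if [ "$(config_value "$d/iptables-config" IPTABLES_SAVE_ON_STOP)" = yes ]; then
        echo "rules are saved on stop: whatever is live at shutdown becomes the boot ruleset"
    else
        echo "rules are not saved on stop: run 'service iptables save' after changing them"
    fi
    if rules_match "$d/saved" "$d/live"; then
        echo "live ruleset matches the saved file"
    else
        echo "live ruleset differs from the saved file"
    fi
    rm -rf "$d"
}
```

With IPTABLES_SAVE_ON_STOP="yes", any temporary rule that is live at shutdown is what gets persisted, so the comparison is worth running before a reboot as well as after one.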