iptables has amnesia :-)

Don Russell fedora at drussell.dnsalias.com
Tue Aug 21 13:56:49 UTC 2007


Don Russell wrote:
> Mikkel L. Ellertson wrote:
>> Don Russell wrote:
>>  
>>> Mikkel L. Ellertson wrote:
>>>    
>>>> If you are talking about the rules not surviving a reboot, try
>>>> running "service iptables save" and/or "service ip6tables save". If
>>>> you want the changes saved automatically, edit
>>>> /etc/sysconfig/iptables.conf and change
>>>> IPTABLES_SAVE_ON_RESTART="no" to  IPTABLES_SAVE_ON_STOP="yes". Do
>>>> the same for /etc/sysconfig/ip6tables.conf.
>>>>
>>>> Mikkel
>>>>         
>> I must have deleted a section of my message somehow before I sent it
>> - there should be advice about changing 2 variables, but there is
>> the default state of one, and the needed state of the other...
>>  
>>> ah... that's good to know... BUT.... in neither case have I restarted
>>> the system....
>>>
>>> I'll have a look at that config file though and see if there are any
>>> clues. :-)
>>>
>>> Maybe what I need to do (as you suggest) is "service iptables save"
>>> after adding the rules and verifying they work correctly.
>>>
>>> (I looked at the webmin method specifically for some form of "save
>>> these rules", but there is only "apply these rules", which I did need to do)
>>>
>>>     
>> Please post back what you find, as this seems to be a strange one -
>> the rules should not vanish on a normally running system.  Are you
>> logging out and logging back in at the console, or bringing down an
>> interface, and bringing it back up between setting the rules, and
>> then vanishing?
>>
>> Mikkel
>>   
>
> IPTABLES_SAVE_ON_RESTART and IPTABLES_SAVE_ON_STOP are both set to the 
> default value of "no".
>
> So, I guess my question becomes, when does the firewall stop or restart?
>
> I log on to a non-root user via ssh, then "su -"/"exit" to make the 
> iptables changes.... I have not restarted the whole machine, nor have 
> I restarted the iptables service.... does it restart periodically for 
> some reason? I haven't added anything to cron etc to make that happen...
>
> I'm not restarting the interface....
>
> I don't see what I could have done that caused the firewall to 
> stop/restart....

To quote Alice.... "Curiouser and curiouser..."

This morning I can't connect to webmin again.... when I connect to my 
FC7 box via ssh and use iptables -L... sure enough, the two rules are 
gone again.... and this is AFTER I did a "service iptables save" when 
I added the two rules yesterday.

#iptables -I INBOUND 13 -p tcp --dport 10000 -j ACCEPT
#iptables -I INBOUND 14 -p tcp --dport 20000 -j ACCEPT
#service iptables save
Saving firewall rules to /etc/sysconfig/iptables:    [ OK ]

The good news is... when I can't connect to webmin, I know what to look 
for right away and it's solved (temporarily) in a minute....
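A drift check for exactly this symptom, added here as an example and not part of the thread: it compares a saved ruleset (the /etc/sysconfig/iptables format that "service iptables save" writes) against a running one (iptables-save output) and lists saved rules that are absent at runtime. Both rule dumps below are constructed samples; the INBOUND chain and ports 10000/20000 follow the commands quoted above.

```shell
#!/bin/sh
# Report iptables rules present in the saved ruleset but missing from the
# running one, which confirms the "rules vanished" symptom. Live use:
#   report_drift "$(cat /etc/sysconfig/iptables)" "$(iptables-save)"

# Reduce an iptables-save dump to sorted rule lines: strip the optional
# "[pkts:bytes] " counter prefix and keep only "-A ..." rules.
normalize_rules() {
    printf '%s\n' "$1" | sed -n 's/^\[[0-9]*:[0-9]*\] //; /^-A /p' | sort
}

# Print each rule in the saved dump ($1) with no exact match in the running
# dump ($2). Whole-line matching avoids partial hits (port 1000 vs 10000).
missing_rules() {
    running=$(normalize_rules "$2")
    normalize_rules "$1" | while IFS= read -r rule; do
        printf '%s\n' "$running" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# Return 1 when anything is missing, so the check can drive a cron job.
report_drift() {
    missing=$(missing_rules "$1" "$2")
    if [ -z "$missing" ]; then
        echo "running rules match the saved set"
        return 0
    fi
    printf 'saved rules missing from the running set:\n%s\n' "$missing"
    return 1
}

# Constructed sample: /etc/sysconfig/iptables as written by "service iptables save".
SAVED_RULES='*filter
:INPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 10000 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 20000 -j ACCEPT
COMMIT'

# Constructed sample: "iptables-save -c" output the next morning, with
# counters and with the two webmin rules gone again.
RUNNING_RULES='*filter
:INPUT ACCEPT [12:960]
:INBOUND - [0:0]
[12:960] -A INPUT -j INBOUND
[3:180] -A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
report_drift "$SAVED_RULES" "$RUNNING_RULES" || echo "re-add them, then: service iptables save"
```

Run as root against the live system with the one-liner in the header comment; a non-zero exit from report_drift means the running set has drifted from what was saved.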
More information about the fedora-list mailing list