iptables has amnesia :-)

Don Russell fedora at drussell.dnsalias.com
Wed Aug 22 02:47:37 UTC 2007


Don Russell wrote:
> Rick Stevens wrote:
>> On Tue, 2007-08-21 at 06:56 -0700, Don Russell wrote:
>>  
>>> Don Russell wrote:
>>>    
>>>> Mikkel L. Ellertson wrote:
>>>>      
>>>>> Don Russell wrote:
>>>>>  
>>>>>        
>>>>>> Mikkel L. Ellertson wrote:
>>>>>>             
>>>>>>> If you are talking about the rules not surviving a reboot, try
>>>>>>> running "service iptables save" and/or "service ip6tables save". If
>>>>>>> you want the changes saved automatically, edit
>>>>>>> /etc/sysconfig/iptables.conf and change
>>>>>>> IPTABLES_SAVE_ON_RESTART="no" to  IPTABLES_SAVE_ON_STOP="yes". Do
>>>>>>> the same for /etc/sysconfig/ip6tables.conf.
>>>>>>>
>>>>>>> Mikkel
>>>>>>>                     
>>>>> I must have deleted a section of my message somehow before I sent it
>>>>> - there should be advice about changing 2 variables, but there is
>>>>> the default state of one, and the needed state of the other...
>>>>>  
>>>>>        
>>>>>> ah... that's good to know... BUT.... in neither case have I 
>>>>>> restarted
>>>>>> the system....
>>>>>>
>>>>>> I'll have a look at that config file though and see if there are any
>>>>>> clues. :-)
>>>>>>
>>>>>> Maybe what I need to do (as you suggest) is "service iptables save"
>>>>>> after adding the rules and verifying they work correctly.
>>>>>>
>>>>>> (I looked at the webmin method specifically for some form of 
>>>>>> "save these
>>>>>> rules", but there is only "apply these rules", which I did need to 
>>>>>> do)
>>>>>>
>>>>>>               
>>>>> Please post back what you find, as this seems to be a strange one -
>>>>> the rules should not vanish on a normally running system.  Are you
>>>>> logging out and logging back in at the console, or bringing down an
>>>>> interface, and bringing it back up between setting the rules, and
>>>>> then vanishing?
>>>>>
>>>>> Mikkel
>>>>>           
>>>> IPTABLES_SAVE_ON_RESTART and IPTABLES_SAVE_ON_STOP are both set to 
>>>> the default value of "no".
>>>>
>>>> So, I guess my question becomes, when does the firewall stop or 
>>>> restart?
>>>>
>>>> I log on to a non-root user via ssh, then "su -"/"exit" to make the 
>>>> iptables changes.... I have not restarted the whole machine, nor 
>>>> have I restarted the iptables service.... does it restart 
>>>> periodically for some reason? I haven't added anything to cron etc 
>>>> to make that happen...
>>>>
>>>> I'm not restarting the interface....
>>>>
>>>> I don't see what I could have done that caused the firewall to 
>>>> stop/restart....
>>>>       
>>> To quote Alice.... "Curiouser and curiouser..."
>>>
>>> This morning I can't connect to webmin again.... when I connect to 
>>> my FC7 box via ssh and use iptables -L... sure enough, the two rules 
>>> are gone again.... and this is AFTER I did a "service iptables 
>>> save", when I added the two rules yesterday.
>>>
>>> #iptables -I INBOUND 13 -p tcp --dport 10000 -j ACCEPT
>>> #iptables -I INBOUND 14 -p tcp --dport 20000 -j ACCEPT
>>> #service iptables save
>>> Saving firewall rules to /etc/sysconfig/iptables:    [ OK ]
>>>
>>> The good news is... when I can't connect to webmin, I know what to 
>>> look for right away and it's solved (temporarily) in a minute....
>>>     
>>
>> Are you sure you don't have a rootkit on there?  I don't know of a
>> way for the iptables to get changed except by a command being run.
>> If you're not doing it, it's either a cron job somewhere or a lurking
>> hacker.  You might want to try doing an nmap scan against the machine
>> and see which ports are open to see if there's a back door that
>> someone's using.
>>   
>
> Well.... I "yum remove webmin" and "yum remove usermin" and my 
> iptables rules seem pretty permanent once again.
>
> I'll assume I did some brain-dead thing when installing webmin.... :-)
>
>
DAMN! That was a red-herring......

I just ended my ssh session, logged back in that way, and lo and behold, 
the new rules were gone again. So, I guess I'll install webmin/usermin 
again.. those are pretty cool apps. :-)

So, it appears that the sequence of
    - connect from remote machine via ssh
    - su -
    - iptables -I ...
    - service iptables save
    - exit
    - logout

Does not make the new iptables rules permanent.... :-(
sigh
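A small diagnostic that goes with the sequence above, added here as an example and not something posted in the thread: it compares the rule set that "service iptables save" wrote to /etc/sysconfig/iptables against a dump of the live tables and lists every saved rule that is no longer loaded, so the moment the rules "vanish" can be pinned down (before su, after exit, after logout) instead of being noticed when webmin stops answering. Both inputs are plain files in iptables-save format, so it runs offline without root; the chain name INBOUND, the two --dport rules and the IPTABLES_SAVE_ON_STOP variable come from the thread, everything else in the sample rule set is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a saved iptables rule file
# with a dump of the live tables (both in iptables-save format) and
# reports saved rules that are not actually loaded.
#
# Caveat: iptables-save normalizes rule text (e.g. it inserts "-m tcp"
# before --dport), so compare a file written by "service iptables save"
# against "iptables-save" output, not against the commands you typed.

# missing_rules SAVED LIVE
# Print each rule line (-A ...) present in SAVED but absent from LIVE.
# awk reads LIVE first and records its -A lines, then prints every -A
# line of SAVED that was not recorded.
missing_rules() {
    awk 'FILENAME == ARGV[1] { if ($0 ~ /^-A /) seen[$0] = 1; next }
         /^-A / && !($0 in seen) { print }' "$2" "$1"
}

# count_missing SAVED LIVE
# Print how many saved rules are not loaded.
count_missing() {
    missing_rules "$1" "$2" | awk 'END { print NR }'
}

# save_on_stop_enabled CONFIG
# Succeed if the sysconfig file asks for the live rules to be written
# back when the service stops (assumed KEY="value" line format).
save_on_stop_enabled() {
    grep -q '^IPTABLES_SAVE_ON_STOP="yes"' "$1"
}

# ---- constructed sample inputs (stand in for the real files) ----
SAVED_SAMPLE=$(mktemp)
LIVE_SAMPLE=$(mktemp)
CONFIG_SAMPLE=$(mktemp)
trap 'rm -f "$SAVED_SAMPLE" "$LIVE_SAMPLE" "$CONFIG_SAMPLE"' EXIT

cat > "$SAVED_SAMPLE" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 10000 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 20000 -j ACCEPT
-A INBOUND -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# The live dump lacks the two webmin/usermin rules, as described in the thread.
grep -v -e 'dport 10000' -e 'dport 20000' "$SAVED_SAMPLE" > "$LIVE_SAMPLE"

# Default setting from the thread: nothing is written back on stop.
printf 'IPTABLES_SAVE_ON_STOP="no"\nIPTABLES_SAVE_ON_RESTART="no"\n' > "$CONFIG_SAMPLE"

echo "Rules saved but not loaded:"
missing_rules "$SAVED_SAMPLE" "$LIVE_SAMPLE"
if save_on_stop_enabled "$CONFIG_SAMPLE"; then
    echo "save-on-stop is enabled: a service stop would overwrite the saved file"
else
    echo "save-on-stop is disabled: the saved file only changes on an explicit save"
fi
```

On a real FC7 box the two inputs would be /etc/sysconfig/iptables and the output of `iptables-save`; running the check right after each step of the sequence (ssh login, su -, exit, logout) shows which step empties the chain.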



