Hello all:
I did a fresh install of CentOS 7 on a new machine.
I wrote /usr/local/bin/firewall.stop to remove all the firewall rules. It contains this code: # Flush the rules /usr/sbin/iptables -F
# Set the default policies to accept /usr/sbin/iptables -P INPUT ACCEPT /usr/sbin/iptables -P OUTPUT ACCEPT /usr/sbin/iptables -P FORWARD ACCEPT
I wrote /usr/local/bin/firewall.start to set the firewall rules. It contains this code: # IP definitions ETH0_IP=a.b.c.d
# Load the FTP conntrak module /usr/sbin/modprobe nf_conntrack_ftp
# Set the default policies to drop all packets /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P OUTPUT DROP /usr/sbin/iptables -P FORWARD DROP
# Flush any existing rules /usr/sbin/iptables -F
# Allow loopback traffic /usr/sbin/iptables -A INPUT -i lo -j ACCEPT /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Allow icmp protocol packets /usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT /usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT
[ Additional allow rules here ]
If I run the firewall.start script manually, it sets the iptables rules correctly. If I run the firewall.stop script manually, it removes the iptables rules correctly.
The problem comes in when I am trying to execute this from systemd.
I wrote /etc/systemd/system/firewall.service with this content:
[Unit] Description=Iptables firewall Before=network.target Wants=network.target
[Service] Type=oneshot ExecStart=/usr/local/bin/firewall.start ExecStop=/usr/local/bin/firewall.stop RemainAfterExit=yes
[Install] WantedBy=multi-user.target
Now, when I run systemctl start firewall.service, I get this output: Job for firewall.service failed. See 'systemctl status firewall.service' and 'journalctl -xn' for details.
If I do systemctl status firewall.status, it gives me: firewall.status.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead)
journalctl -xn gives me this output: Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables firewall... -- Subject: Unit firewall.service has begun with start-up -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit firewall.service has begun starting up. Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC spawning /usr/local/bin/firewall.start: Exec format error -- Subject: Process /usr/local/bin/firewall.start could not be executed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- The process /usr/local/bin/firewall.start could not be executed and failed. -- -- The error number returned while executing this process is 8. Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: firewall.service: main process exited, code=exited, status=203/EXEC Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Failed to start Iptables firewall. -- Subject: Unit firewall.service has failed -- Defined-By: systemd -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel -- -- Unit firewall.service has failed. -- -- The result is failed. Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Unit firewall.service entered failed state.
Any ideas what is happening here?
Thanks, Neil
-- Neil Aggarwal, (972) 834-1565 We lend money to investors to buy or refinance single family rent houses. No origination fees, quick approval, no credit check.