I have a xen machine that has iptables turned off, and after a reboot it started behaving badly during times when network IO rose to anything other than almost nil. Since I know iptables makes xen unstable without some additional config, and since it's isolated, I just have it disabled. As a result it was the last place I looked and spent the better half of the day chasing my tail.
Somehow it gets turned on after a reboot, how can I deduce what is activating it?
Thanks! jlc
I'm not sure as it relates specifically to XEN - but I would have a look through the /etc/rc.d directory. If it's not being turned on there, run egrep -i iptables /etc/init.d/* and see if it's in any startup script there. Slim chance there may be something in rc.local as well.
-Peter
Peter, Arghh, system-config-securitylevel had "security" enabled. So what does that do to start iptables? That was a lot of wasted time :)
jlc
I'm really not sure - it's a control script for setting the security policy of SE Linux I believe. It may control basic firewall settings as well.
You originally said that you wanted IPtables off. Even if your SE Linux policy is set to 'enforcing' you should still be able to shut down your firewall with:
# service iptables stop
and check to make sure with:
# iptables -L -n
I think that by default, SE Linux is turned on and set up with a usable security policy from CentOS 4.6 onwards. Perhaps even earlier. I'm not at all versed in SE Linux, I usually disable it for everything other than my DMZ machines because it's been such an absolute pain in the ass to manage. They've got much better management tools now and if you do a bit of RTFM'ing you should be able to find a way to tail your logs, see what's being affected, and add that to the policy to 'enable' it. *there are more elegant ways of doing this - but this is the 'SE Linux 101' method.
Aside from that, your only other option is to disable it. I would try to learn a bit more about it and use it as it's intended. It's here to stay and will be included in most distros from here on out - so we should get used to it!
You can disable the 'enforcing' at boot or change the flag in the config file somewhere under /etc/selinux as I recall.
-Peter
On Saturday 14 June 2008 09:49, Joseph L. Casale wrote:
chkconfig iptables off
That was how I disabled it originally yet it was being started by something else. jlc
Did you install another firewall front end? Something like Firestarter?
No, but /etc/sysconfig/iptables had previous config so I purged the file. I haven't rebooted since to see if it starts again.
I noticed on another machine that had iptables disabled in chkconfig that after setting it to on, I couldn’t even start it with service iptables start until I issued an iptables -F? I was just about to start exploring why that is now :)
jlc
Joseph L. Casale wrote on Mon, 09 Jun 2008 07:46:03 -0600:
Somehow it gets turned on after a reboot, how can I deduce what is activating it?
AFAIS iptables is active all the time in CentOS 5. Deactivating the service just means that queues are empty. Starting libvirtd and creating xen machines definitely adds to the queues.
Kai
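The two checks suggested in this thread, put into one script as an added example (this is not code posted by anyone in the thread): Peter's grep over the SysV startup scripts for anything that mentions iptables, and Kai's point that the netfilter code is loaded regardless of the service state, so the thing to check is whether the chains hold rules, not whether "service iptables" is on. Rules are counted in iptables-save format, which is also what /etc/sysconfig/iptables contains. The function names, the optional root directory argument (so the script can be pointed at a test tree) and the sample iptables-save output are my own constructions; the sample rules are made up for the example and are not claimed to be what libvirtd actually installs.

```shell
#!/bin/sh
# Added example: find what is loading iptables rules on a SysV (CentOS 5 era) box
# where "chkconfig iptables off" has been run. Not code from the original thread.

# Peter's suggestion made systematic. Lists every boot-time script under the
# given root (default: the real filesystem) that mentions iptables. The root
# argument is only there so the function can be run against a fixture tree.
find_iptables_refs() {
    root="${1:-}"
    for f in "$root"/etc/rc.d/rc*.d/* "$root"/etc/init.d/* \
             "$root"/etc/rc.d/rc.local "$root"/etc/rc.local; do
        [ -f "$f" ] || continue
        # -i so that "IPTABLES=/sbin/iptables" style variables are caught too,
        # -l so we get file names rather than matching lines.
        grep -il 'iptables' "$f" 2>/dev/null
    done | sort -u
}

# Kai's point: "service iptables stop" only empties the chains. Count the
# actual rules from iptables-save output on stdin. In that format rule lines
# begin with "-A"; ":" lines are chain policies, "*" lines name a table and
# COMMIT closes it, none of which are rules.
count_rules() {
    grep -c '^-A ' || true
}

# Constructed sample of iptables-save output with two rules loaded, in the
# style of what a virtualization daemon might add for a bridge. Made up for
# this example.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -j ACCEPT
COMMIT'

# Constructed sample of a "stopped" firewall: policies present, no rules.
SAMPLE_EMPTY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Audit the live system: which startup scripts mention iptables, and how many
# rules are actually loaded right now (0 means the chains are empty, which is
# all "service iptables stop" achieves).
audit() {
    root="${1:-}"
    echo "== startup scripts under ${root:-/} referencing iptables =="
    find_iptables_refs "$root"
    if command -v iptables-save >/dev/null 2>&1; then
        n=$(iptables-save 2>/dev/null | count_rules)
        echo "== rules currently loaded: $n =="
    else
        echo "== iptables-save not available; skipping live rule count =="
    fi
}

# Offline demonstration on the constructed samples.
demo() {
    echo "sample with rules: $(printf '%s\n' "$SAMPLE_SAVE" | count_rules) rule(s)"
    echo "stopped firewall:  $(printf '%s\n' "$SAMPLE_EMPTY" | count_rules) rule(s)"
}

# Run "sh thisfile.sh --run" as root for the live audit, or "--demo" offline.
case "${1:-}" in
    --run)  audit "${2:-}" ;;
    --demo) demo ;;
esac
```

Run it as root with --run on the Xen host right after boot: a non-zero rule count with the iptables service still off in chkconfig confirms that something other than the service is populating the chains, and the grep output narrows down which startup script it is. A saved rule set left in /etc/sysconfig/iptables, as in the thread, will show up as soon as anything runs the init script again.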
By the way - what does 'AFAIS' stand for?
-Peter
-- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Peter Farrell wrote on Mon, 9 Jun 2008 16:33:15 +0100:
By the way - what does 'AFAIS' stand for?
In concordance with AFAIK: AFAI SEE ;-)
Kai