Hello all:
I did a fresh install of CentOS 7 on a new machine.
I wrote /usr/local/bin/firewall.stop to remove all the firewall rules. It contains this code:

    # Flush the rules
    /usr/sbin/iptables -F

    # Set the default policies to accept
    /usr/sbin/iptables -P INPUT ACCEPT
    /usr/sbin/iptables -P OUTPUT ACCEPT
    /usr/sbin/iptables -P FORWARD ACCEPT
I wrote /usr/local/bin/firewall.start to set the firewall rules. It contains this code:

    # IP definitions
    ETH0_IP=a.b.c.d

    # Load the FTP conntrack module
    /usr/sbin/modprobe nf_conntrack_ftp

    # Set the default policies to drop all packets
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -P OUTPUT DROP
    /usr/sbin/iptables -P FORWARD DROP

    # Flush any existing rules
    /usr/sbin/iptables -F

    # Allow loopback traffic
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

    # Allow icmp protocol packets
    /usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

    [ Additional allow rules here ]
If I run the firewall.start script manually, it sets the iptables rules correctly. If I run the firewall.stop script manually, it removes the iptables rules correctly.
The problem comes in when I am trying to execute this from systemd.
I wrote /etc/systemd/system/firewall.service with this content:
    [Unit]
    Description=Iptables firewall
    Before=network.target
    Wants=network.target

    [Service]
    Type=oneshot
    ExecStart=/usr/local/bin/firewall.start
    ExecStop=/usr/local/bin/firewall.stop
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target
Now, when I run systemctl start firewall.service, I get this output: Job for firewall.service failed. See 'systemctl status firewall.service' and 'journalctl -xn' for details.
If I do systemctl status firewall.status, it gives me:

    firewall.status.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)
journalctl -xn gives me this output:

    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables firewall...
    -- Subject: Unit firewall.service has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit firewall.service has begun starting up.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC spawning /usr/local/bin/firewall.start: Exec format error
    -- Subject: Process /usr/local/bin/firewall.start could not be executed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- The process /usr/local/bin/firewall.start could not be executed and failed.
    --
    -- The error number returned while executing this process is 8.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: firewall.service: main process exited, code=exited, status=203/EXEC
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Failed to start Iptables firewall.
    -- Subject: Unit firewall.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit firewall.service has failed.
    --
    -- The result is failed.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Unit firewall.service entered failed state.
Any ideas what is happening here?
Thanks, Neil
--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.
Hey everyone:
> The process /usr/local/bin/firewall.start could not be executed and failed.
I just realized I forgot to put #!/bin/sh at the top of my firewall scripts. I added that and it is working perfectly fine now.
Sorry for any trouble.
Thanks, Neil
--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.
On 10.08.2014 05:30, Neil Aggarwal wrote:
> Hey everyone:
>
> > The process /usr/local/bin/firewall.start could not be executed and failed.
>
> I just realized I forgot to put #!/bin/sh at the top of my firewall scripts. I added that and it is working perfectly fine now.
>
> Sorry for any trouble.
You might want to look into using the regular iptables service instead of custom firewall scripts. The service uses iptables-save and iptables-restore, which are designed to install all iptables rules atomically. If you end up with a typo in your script you end up with a partially initialized firewall, but iptables-restore first parses the entire rule set and doesn't touch the current rules at all if it finds an error, making the process much more robust.
Regards, Dennis
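To make Dennis's point concrete, here is an added example (not code from the thread, and not part of the iptables project) that writes the rules from firewall.start in the iptables-save format that iptables-restore consumes, and runs a small structural check over that text before anything is handed to the kernel. The IP address is a constructed placeholder for the a.b.c.d in the original script; lint_ruleset() is a pre-flight only, and iptables-restore's --test option remains the authoritative parser.

```python
"""Express the firewall from the thread as an iptables-save style ruleset
and sanity-check it before handing it to iptables-restore.

Added example: this is neither code from the thread nor from the iptables
project. The rendered text is the format /etc/sysconfig/iptables uses on
CentOS 7; lint_ruleset() is a lightweight pre-flight only, and
iptables-restore --test remains the authoritative parser.
"""
import re
import shutil
import subprocess

ETH0_IP = "192.0.2.10"  # constructed placeholder standing in for the thread's a.b.c.d

# Same policy as firewall.start: default DROP, loopback and ICMP allowed.
RULES = {
    "filter": {
        "policies": {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"},
        "rules": [
            "-A INPUT -i lo -j ACCEPT",
            "-A OUTPUT -o lo -j ACCEPT",
            f"-A INPUT -i eth0 -d {ETH0_IP} -p icmp -j ACCEPT",
            f"-A OUTPUT -o eth0 -s {ETH0_IP} -p icmp -j ACCEPT",
        ],
    }
}


def render_ruleset(tables):
    """Serialise into the '*table / :CHAIN POLICY [pkts:bytes] / -A ... / COMMIT'
    layout that iptables-save emits and iptables-restore consumes."""
    lines = []
    for table, spec in tables.items():
        lines.append(f"*{table}")
        for chain, policy in spec["policies"].items():
            lines.append(f":{chain} {policy} [0:0]")
        lines.extend(spec["rules"])
        lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# ':INPUT DROP [0:0]' for built-in chains, ':mychain - [0:0]' for user chains
_CHAIN_DECL = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[\d+:\d+\]$")


def lint_ruleset(text):
    """Return a list of problems; empty means structurally sound.

    Catches the kind of typo Dennis describes (a rule appended to a chain
    that does not exist, a table missing its COMMIT) before anything is
    sent to the kernel, so no partially-installed firewall can result."""
    problems = []
    table, chains = None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # iptables-save writes '# Generated by ...' comments
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {lineno}: table {table} never COMMITted")
            table, chains = line[1:], set()
        elif line == "COMMIT":
            if table is None:
                problems.append(f"line {lineno}: COMMIT outside a table")
            table = None
        elif table is None:
            problems.append(f"line {lineno}: directive outside any table")
        elif line.startswith(":"):
            m = _CHAIN_DECL.match(line)
            if m:
                chains.add(m.group(1))
            else:
                problems.append(f"line {lineno}: malformed chain declaration")
        elif line.startswith(("-A ", "-I ")):
            chain = line.split()[1]
            if chain not in chains:
                problems.append(f"line {lineno}: chain {chain} not declared in table {table}")
        else:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
    if table is not None:
        problems.append(f"end of file: table {table} never COMMITted")
    return problems


def iptables_restore_test(text):
    """Ask iptables-restore itself to parse, but not commit, the ruleset.

    Returns None when the binary is absent (so the example also runs on a
    workstation); on the firewall host, as root, this is the real gate."""
    binary = shutil.which("iptables-restore")
    if binary is None:
        return None
    proc = subprocess.run([binary, "--test"], input=text.encode(), capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    ruleset = render_ruleset(RULES)
    print(ruleset)
    print("lint:", lint_ruleset(ruleset) or "ok")
    print("iptables-restore --test:", iptables_restore_test(ruleset))
```

On CentOS 7 the rendered text is what goes into /etc/sysconfig/iptables for the iptables.service shipped in the iptables-services package; the modprobe of nf_conntrack_ftp from firewall.start has no place in the ruleset itself and belongs in IPTABLES_MODULES in /etc/sysconfig/iptables-config. Because policies and rules are committed in one transaction, there is no window in which the default policy is DROP but the loopback and ICMP rules are not yet in place, which the script version has between its -P and -A lines.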
On Sat, Aug 09, 2014 at 10:21:33PM -0500, Neil Aggarwal wrote:
> Hello all:
>
> I did a fresh install of CentOS 7 on a new machine.
>
> I wrote /usr/local/bin/firewall.stop to remove all the firewall rules. It contains this code:
>
>     # Flush the rules
>     /usr/sbin/iptables -F
You are missing a first line: #!/bin/sh
> Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC spawning /usr/local/bin/firewall.start: Exec format error
And that's the error expected.
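The mechanism behind that log line is worth seeing once. systemd starts an ExecStart= target with a bare execve(); a text file with no #! line makes the kernel return ENOEXEC, which is errno 8 (the "error number ... is 8" in the journal) and which systemd reports as status=203/EXEC. An interactive shell hides this because, on ENOEXEC, it falls back to interpreting the file itself, which is why the scripts "work when run manually". The following is an added example, not code from the thread; it is written in Python because subprocess calls execve() directly with no shell fallback, so it reproduces what systemd sees. The sample scripts it writes to a temporary directory are constructed stand-ins for firewall.start and only echo a line.

```python
"""Reproduce systemd's "Exec format error" (status=203/EXEC) for a script
without a shebang, and show why the same script runs fine from a shell.

Added example, not code from the CentOS thread. It creates its own sample
scripts in a temporary directory; nothing here touches iptables or systemd.
"""
import errno
import os
import stat
import subprocess
import tempfile

ENOEXEC = errno.ENOEXEC  # 8 on Linux, the number quoted in the journal

# Constructed sample bodies: a firewall.start-style script with and without
# the #!/bin/sh line the thread identifies as the missing piece.
BODY = "echo firewall rules would be loaded here\n"
NO_SHEBANG = BODY
WITH_SHEBANG = "#!/bin/sh\n" + BODY


def write_script(directory, name, content):
    """Write an executable script, as one would into /usr/local/bin."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return path


def exec_directly(path):
    """Run the file the way systemd's ExecStart= does: a plain execve(),
    no shell in between. Returns (errno_or_None, exit_status_or_None)."""
    try:
        proc = subprocess.run([path], capture_output=True, check=False)
    except OSError as exc:
        return exc.errno, None
    return None, proc.returncode


def exec_via_shell(path):
    """Run the file the way typing its name at a prompt does: the shell's
    own execve() fails with ENOEXEC and the shell falls back to reading the
    file as shell commands, so the script 'works manually'."""
    proc = subprocess.run(["/bin/sh", "-c", path], capture_output=True, check=False)
    return proc.returncode


def has_interpreter_line(path):
    """Pre-flight check for an ExecStart= target: an executable text file
    must begin with '#!'. ELF binaries (magic 0x7f 'ELF') are also fine."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return head.startswith(b"#!") or head.startswith(b"\x7fELF")


def demo():
    """Exercise both variants and report what happened to each."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = write_script(tmp, "firewall.start.noshebang", NO_SHEBANG)
        good = write_script(tmp, "firewall.start", WITH_SHEBANG)
        return {
            "bad_direct_errno": exec_directly(bad)[0],  # ENOEXEC (8), as systemd saw
            "bad_via_shell_rc": exec_via_shell(bad),    # 0: the shell's fallback
            "good_direct_rc": exec_directly(good)[1],   # 0: execve() is happy
            "bad_has_shebang": has_interpreter_line(bad),
            "good_has_shebang": has_interpreter_line(good),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

has_interpreter_line() is the check to run over every ExecStart=/ExecStop= path before the first systemctl start, since the unit's own status output (Loaded/Active) does not say why the spawn failed and the useful line is only in journalctl.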
Try systemctl stop firewalld, I had to disable that too
Adam King
IT Systems Administrator
Skipton Girls High School
01756 707600
www.sghs.org.uk
----- Original Message -----
From: "Neil Aggarwal" neil@JAMMConsulting.com
To: centos@centos.org
Sent: Sunday, August 10, 2014 4:21:33 AM
Subject: [CentOS] Centos 7 - iptables service failed to start
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos