What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
On 03/30/2012 10:53 AM, Les Mikesell wrote:
> What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
There is a bug that has been around for years in iptables. I'm not sure if it's a timing problem or what, but I've seen it in fedora, centos, and ubuntu where certain rules appear not to work when configured initially. I've even dumped out the running iptables list after it was restarted and diffed it with the saved one and the rules are all there. It may be specific to NAT or possibly related to an interaction between NAT and connection tracking. Somewhere I remember seeing this problem documented as a known bug in iptables. There are a few bugs listed in: http://bugzilla.netfilter.org/buglist.cgi?quicksearch=nat , though I'm not sure if any of them quite describes this problem.
Nataraj
2012/3/30 Les Mikesell lesmikesell@gmail.com:
> What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
You should use mod_proxy instead of iptables redirect? or use authbind? (http://en.wikipedia.org/wiki/Authbind)
-- Eero
On Sun, Apr 1, 2012 at 12:43 PM, Eero Volotinen eero.volotinen@iki.fi wrote:
> 2012/3/30 Les Mikesell lesmikesell@gmail.com:
> > What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
> You should use mod_proxy instead of iptables redirect? or use authbind? (http://en.wikipedia.org/wiki/Authbind)
The iptables redirect works fine once the commands are loaded. My problem is just that the boot-time startup isn't loading the saved state from /etc/sysconfig/iptables, but a subsequent 'service iptables restart' does - and it is something new in 6.x.
On 04/02/2012 05:07 PM, Les Mikesell wrote:
> On Sun, Apr 1, 2012 at 12:43 PM, Eero Volotinen eero.volotinen@iki.fi wrote:
> > 2012/3/30 Les Mikesell lesmikesell@gmail.com:
> > > What is different about the initial startup of iptables than 'service iptables restart' (and different from C5)? I want to use iptables port redirection to send port 80 to 8080 so a java web service doesn't have to start as root. On C5 it worked to give the iptables commands, then 'iptables save', and from then on it would automatically work when iptables started after a reboot. With C6, I have the expected entries in /etc/sysconfig/iptables and they are loaded after 'service iptables restart', but the initial startup is doing something else.
> > You should use mod_proxy instead of iptables redirect? or use authbind? (http://en.wikipedia.org/wiki/Authbind)
> The iptables redirect works fine once the commands are loaded. My problem is just that the boot-time startup isn't loading the saved state from /etc/sysconfig/iptables, but a subsequent 'service iptables restart' does - and it is something new in 6.x.
Did you make sure that the service is active and that the iptables service is actually started on bootup?
Try "chkconfig --list iptables" to see if it is active and "chkconfig iptables on" to activate it.
Regards, Dennis
On Tue, Apr 3, 2012 at 5:54 AM, Dennis Jacobfeuerborn dennisml@conversis.de wrote:
> > The iptables redirect works fine once the commands are loaded. My problem is just that the boot-time startup isn't loading the saved state from /etc/sysconfig/iptables, but a subsequent 'service iptables restart' does - and it is something new in 6.x.
> Did you make sure that the service is active and that the iptables service is actually started on bootup?
> Try "chkconfig --list iptables" to see if it is active and "chkconfig iptables on" to activate it.
Yes, it does start, but the initial rules don't include the port redirection in the nat table.
On 04/03/2012 05:25 AM, Les Mikesell wrote:
> On Tue, Apr 3, 2012 at 5:54 AM, Dennis Jacobfeuerborn dennisml@conversis.de wrote:
> > > The iptables redirect works fine once the commands are loaded. My problem is just that the boot-time startup isn't loading the saved state from /etc/sysconfig/iptables, but a subsequent 'service iptables restart' does - and it is something new in 6.x.
> > Did you make sure that the service is active and that the iptables service is actually started on bootup?
> > Try "chkconfig --list iptables" to see if it is active and "chkconfig iptables on" to activate it.
> Yes, it does start, but the initial rules don't include the port redirection in the nat table.
I still think it's a timing problem. Have you checked to see that the proper NAT module is loaded in the kernel at the time when the iptables rules are loaded? At least for diagnostic purposes I would try adding a delay in the startup. You might even find that adding an lsmod into the startup sequence (for diagnostic purposes) there would fix the problem. I have not had a chance to look at the scripts that do this in CentOS 6.
Nataraj
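As an added example (not code from anyone in this thread), a small POSIX shell script that does the saved-versus-running comparison Nataraj describes, narrowed to the nat table where Les's REDIRECT rule goes missing at boot. The two iptables-save dumps inside it are constructed samples; only check_host touches a real host, and the file path and commands it uses are the ones named in the thread.

```shell
# Added example: diff the nat rules in /etc/sysconfig/iptables against the
# live nat table, so a boot that silently skipped the REDIRECT shows up.
# Both dumps below are constructed samples in iptables-save format.

# What /etc/sysconfig/iptables is expected to hold (constructed sample)
SAVED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# A live dump where the nat table came up empty at boot (constructed sample)
LIVE_RULES_MISSING='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Print the "-A ..." rule lines of one table from an iptables-save dump on
# stdin, sorted so two dumps compare equal regardless of rule order.
# $1 = table name (nat, filter, ...)
table_rules() {
    awk -v t="*$1" '$0 == t { f = 1; next } /^COMMIT/ { f = 0 } f && /^-A /' | sort
}

# Succeed (exit 0) only if table $1 has the same rules in both dumps.
# $2 = saved dump text, $3 = live dump text
rules_match() {
    saved=$(printf '%s\n' "$2" | table_rules "$1")
    live=$(printf '%s\n' "$3" | table_rules "$1")
    [ "$saved" = "$live" ]
}

# Succeed only if dump $3 redirects TCP port $1 to port $2 in nat PREROUTING.
has_redirect() {
    printf '%s\n' "$3" | table_rules nat |
        grep -q -- "^-A PREROUTING .*--dport $1 -j REDIRECT --to-ports $2\$"
}

# On a real C6 host (run as root): compare the saved file with the live nat table.
check_host() {
    rules_match nat "$(cat /etc/sysconfig/iptables)" "$(iptables-save -t nat)"
}
```

Running check_host right after boot and again after 'service iptables restart' separates "the file is wrong" from "the boot-time load skipped the nat table".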