[CentOS] Question about rebooting and iptables rules persisting

Roy Ong centos-list at royong.com
Tue Mar 27 07:51:51 UTC 2007


Well, if you followed the thread you will realize that the original
poster said that he did indeed do an iptables save, but that didn't help
in his case. Furthermore, I did clarify to say that

"it's not the safest way, but heck, I'm hoping it will work for you"

I definitely AGREE that running the firewall rules till AFTER the system
+ services are up and running could be a potential hazard with a small
period of vulnerability (few seconds), but having no other choice, a
quick script to turn on the firewall rules at the very last is better
than running nothing at all ... well, there are 2 sides to a coin and I
definitely understand your concern, hence my little disclaimer within my
original reply.

On Tue, 2007-03-27 at 13:24 +0800, Feizhou wrote:
> Roy Ong wrote:
> > On Tue, 2007-03-27 at 08:22 +0800, Feizhou wrote:
> >> Preston Crawford wrote:
> >>>>> Does anyone know what is happening? I've tried iptables -save or
> >>>>> whatever.
> >>>>> Nothing seems to work in getting these ports to be open on reboot.
> >>>>>
> >>>> service iptables save
> >>> I did that and it doesn't help. Do you think it has to do with the order
> >>> in which things happen? i.e. smb starting up after iptables? It would seem
> >>> other people would have that problem, though, wouldn't they?
> >> Could you post the contents of /etc/sysconfig/iptables after a service 
> >> iptables save?
> > 
> > I guess if you are thinking that the order of starting up could be the
> > cause of it, then it might be easier if you do a simple hack as follows -
> > it's not the safest way, but heck, I'm hoping it will work for you :)
> 
> Order of starting up has nothing to do with it. I save my rules in exactly 
> the same way and my boxes come up with a set of rules just like what was 
> saved when I ran 'service iptables save'.
> 
> > 
> > 	# iptables -F
> > 	# iptables -Z
> > 	# service iptables save
> > 	# chkconfig iptables on
> > 
> > Put all your iptables rules into a script file
> > 	# vi /root/myfirewall.sh
> > 		#!/bin/bash
> > 		IPTABLES=/sbin/iptables
> > 		$IPTABLES -F
> > 		$IPTABLES -Z
> > 		$IPTABLES -A INPUT -s 192.168.1.1 -j ACCEPT
> > 			<or whatever needs to be done>
> > 			<save and exit>
> > 	# chmod 700 /root/myfirewall.sh
> > 
> > Add the script file into rc.local
> > 	# echo "/root/myfirewall.sh" >> /etc/rc.d/rc.local
> > 
> > Every time upon reboot, the rc.local file gets called right at the last
> > and in that sequence your /root/myfirewall.sh gets called just before
> > the system is ready to accept logins. All other services should have
> > been up and running long before the /root/myfirewall.sh gets called.
> 
> Ooh, wonderful. Feel free to move the turning on of firewall rules from 
> BEFORE the network is setup to WAY AFTER the network is setup. I, for 
> one, will do no such thing.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
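An added check for the situation the original poster describes, not code from anyone in this thread: it parses a ruleset in the format that `service iptables save` writes to /etc/sysconfig/iptables and reports which TCP ports reach an ACCEPT in the INPUT path and what the catch-all rule at the end of the chain is. Running it over the real saved file tells you whether the smb ports are actually in the ruleset before you start suspecting start-up order. The ruleset below is a constructed sample; the chain name RH-Firewall-1-INPUT is assumed to be the one the CentOS default config uses.

```shell
#!/bin/bash
# Added example, not from the thread: inspect a ruleset in iptables-save
# format (what `service iptables save` writes to /etc/sysconfig/iptables)
# for the TCP ports it actually accepts and for its catch-all rule.
# SAMPLE_RULES is constructed for the example; RH-Firewall-1-INPUT is
# assumed to be the CentOS default chain name.

SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# accepted_tcp_ports RULES
# Prints the TCP destination ports that hit an ACCEPT target in INPUT or
# the RH-Firewall-1-INPUT chain, sorted and space separated ("22 445").
accepted_tcp_ports() {
    printf '%s\n' "$1" \
      | sed -nE 's/^-A (INPUT|RH-Firewall-1-INPUT) .*-p tcp .*--dport ([0-9]+) .*-j ACCEPT$/\2/p' \
      | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# port_accepted RULES PORT
# Prints "yes" if PORT is among the accepted TCP ports, "no" otherwise.
port_accepted() {
    local p
    for p in $(accepted_tcp_ports "$1"); do
        [ "$p" = "$2" ] && { echo yes; return 0; }
    done
    echo no
}

# fallback_rule RULES
# Prints the last REJECT/DROP rule in the chain, or "none" when traffic
# falls through to the chain policy (which is ACCEPT in the sample).
fallback_rule() {
    local r
    r=$(printf '%s\n' "$1" | grep -E '^-A RH-Firewall-1-INPUT -j (REJECT|DROP)' | tail -n 1)
    [ -n "$r" ] && echo "$r" || echo none
}

# Usage: the question in the thread was whether the smb ports survive a
# reboot; in the constructed sample 445 is present and 139 is not.
# To inspect the real file instead: fallback_rule "$(cat /etc/sysconfig/iptables)"
echo "accepted: $(accepted_tcp_ports "$SAMPLE_RULES")"
echo "445: $(port_accepted "$SAMPLE_RULES" 445)   139: $(port_accepted "$SAMPLE_RULES" 139)"
echo "fallback: $(fallback_rule "$SAMPLE_RULES")"
```

If a port you expect is missing from the output, the problem is the saved file, not start-up order; re-add the rule and run `service iptables save` again. If the port is there and still unreachable after reboot, compare `iptables -L -n` at run time against the file to see which of the two differs.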