[CentOS] Question about rebooting and iptables rules persisting

Tue Mar 27 07:51:51 UTC 2007
Roy Ong <centos-list at royong.com>

Well, if you followed the thread you will realize that the original
poster said that he did indeed do an iptables save but that didn't help
in his case. Furthermore, I did clarify to say that

"it's not the safest way, but heck, I'm hoping it will work for you"

I definitely AGREE that running the firewall rules till AFTER the system
+ services are up and running could be a potential hazard with a small
period of vulnerability (a few seconds), but having no other choice, a
quick script to turn on the firewall rules at the very last is better
than running nothing at all ... well, there are 2 sides to a coin and I
definitely understand your concern, hence my little disclaimer within my
original reply.

On Tue, 2007-03-27 at 13:24 +0800, Feizhou wrote:
> Roy Ong wrote:
> > On Tue, 2007-03-27 at 08:22 +0800, Feizhou wrote:
> >> Preston Crawford wrote:
> >>>>> Does anyone know what is happening? I've tried iptables -save or
> >>>>> whatever.
> >>>>> Nothing seems to work in getting these ports to be open on reboot.
> >>>>>
> >>>> service iptables save
> >>> I did that and it doesn't help. Do you think it has to do with the order
> >>> in which things happen? i.e. smb starting up after iptables? It would seem
> >>> other people would have that problem, though, wouldn't they?
> >> Could you post the contents of /etc/sysconfig/iptables after a service 
> >> iptables save?
> > 
> > I guess if you are thinking that the order of starting up could be the
> > cause of it, then it might be easier if you do a simple hack as follows -
> > it's not the safest way, but heck, I'm hoping it will work for you :)
> 
> Order of starting up has nothing to do with it. I save my rules in exactly 
> the same way and my boxes come up with a set of rules just like what was 
> saved when i ran 'service iptables save'.
> 
> > 
> > 	# iptables -F
> > 	# iptables -Z
> > 	# service iptables save
> > 	# chkconfig iptables on
> > 
> > Put all your iptables rules into a script file
> > 	# vi /root/myfirewall.sh
> > 		#!/bin/bash
> > 		IPTABLES=/sbin/iptables
> > 		$IPTABLES -F
> > 		$IPTABLES -Z
> > 		$IPTABLES -A INPUT -s 192.168.1.1 -j ACCEPT
> > 		# <or whatever needs to be done>
> > 			<save and exit>
> > 	# chmod 700 /root/myfirewall.sh
> > 
> > Add the script file into rc.local
> > 	# echo "/root/myfirewall.sh" >> /etc/rc.d/rc.local
> > 
> > Every time upon reboot, the rc.local file gets called right at the last
> > and in that sequence your /root/myfirewall.sh gets called just before
> > the system is ready to accept logins. All other services should have
> > been up and running long before the /root/myfirewall.sh gets called.
> 
> Ooh, wonderful. Feel free to move the turning on of firewall rules from 
> BEFORE the network is setup to WAY AFTER the network is setup. I, for 
> one, will do no such thing.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
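The thread raises two checks a practitioner would want before reaching for the rc.local hack: whether the saved rule set (the iptables-save format that `service iptables save` writes to /etc/sysconfig/iptables) really contains an ACCEPT rule for the ports in question, and in which order the SysV init scripts start, since that order is what decides whether the firewall is up before the network or "WAY AFTER" it. The script below is an added example written for this page; it is not code posted by anyone in the thread. The rule set is a constructed sample, the chain name RH-Firewall-1-INPUT and the open ports are assumptions, and the start priorities in the sample rc directory (S08iptables, S10network, S91smb, S99local) are what I assume stock CentOS 5 init scripts use; check your own /etc/rc3.d rather than trusting the sample.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Two offline checks for the two questions raised above:
#   1. does the saved rule set (iptables-save format, as written to
#      /etc/sysconfig/iptables by 'service iptables save') contain an
#      ACCEPT rule for the port you care about?
#   2. in which order do the SysV init scripts start, i.e. does iptables
#      come up before network, and how late is rc.local (S99local)?

# Constructed sample in iptables-save format.  The chain name
# RH-Firewall-1-INPUT and the open ports are assumptions for the demo.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read iptables-save output on stdin; print proto/port for every
# ACCEPT rule that matches a single destination port.
accepted_ports() {
    awk '/^-A / && / -j ACCEPT/ && / --dport / {
        proto = "any"; port = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print proto "/" port
    }'
}

# Succeed when the saved rules on stdin accept PORT, given as proto/port.
# Anything added by hand but not present here is gone after a reboot.
port_is_saved() {
    accepted_ports | grep -qx "$1"
}

# Build a throw-away directory shaped like /etc/rc3.d.  Only the names
# matter; the priorities 08/10/12/91/99 are assumed CentOS 5 defaults.
make_sample_rc_dir() {
    d=$(mktemp -d)
    for s in S08iptables S10network S12syslog S91smb S99local; do
        : > "$d/$s"
    done
    echo "$d"
}

# Print the two-digit start priority of NAME in rcN.d directory DIR
# (the NN in SNNname); fail if no S-link for NAME exists.
start_priority() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || return 1
        f=${f##*/}
        f=${f#S}
        echo "${f%"$2"}"
        return 0
    done
}

demo() {
    echo "Ports accepted by the saved rules:"
    printf '%s\n' "$SAMPLE_RULES" | accepted_ports
    for p in tcp/445 udp/137; do
        if printf '%s\n' "$SAMPLE_RULES" | port_is_saved "$p"; then
            echo "$p: present in saved rules"
        else
            echo "$p: NOT in saved rules - it will be closed after reboot"
        fi
    done
    rcdir=$(make_sample_rc_dir)
    for svc in iptables network smb local; do
        echo "$svc starts at S$(start_priority "$rcdir" "$svc")"
    done
    rm -rf "$rcdir"
}

demo
```

On a real box, feed `cat /etc/sysconfig/iptables | accepted_ports` instead of the sample and point `start_priority` at /etc/rc3.d (or whichever runlevel you boot into). If the port you need is missing from the saved file, the problem is what got saved, not the start order; if iptables has a lower S-number than network, the rules are loaded before any interface comes up, which is exactly the property the rc.local approach gives away.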