[CentOS] iptables starting while disabled

Peter Farrell peter.d.farrell at gmail.com
Tue Jun 10 06:43:56 UTC 2008


I'm really not sure - it's a control script for setting the security policy
of SE Linux I believe. It may control basic firewall settings as well.

You originally said that you wanted IPtables off. Even if your SE Linux
policy is set to 'enforcing' you should still be able to shut down your
firewall with:
# service iptables stop
and check to make sure with:
# iptables -L -n

I think that by default, SE Linux is turned on and set up with a usable
security policy from CentOS 4.6 onwards. Perhaps even earlier. I'm not at
all versed in SE Linux, I usually disable it for everything other than my
DMZ machines because it's been such an absolute pain in the ass to manage.
They've got much better management tools now and if you do a bit of
RTFM'ing you should be able to find a way to tail your logs, see what's
being affected, and add that to the policy to 'enable' it.
*there are more elegant ways of doing this - but this is the 'SE Linux
101' method.

Aside from that, your only other option is to disable it. I would try
to learn a bit more about it and use it as it's intended.
It's here to stay and will be included in most distros from here on
out - so we should get used to it!

You can disable the 'enforcing' at boot or change the flag in the
config file somewhere under /etc/selinux as I recall.

-Peter


2008/6/10 Joseph L. Casale <JCasale at activenetwerx.com>:
>>I'm not sure as it relates specifically to XEN - but I would have a
>>look through the /etc/rc.d
>>directory. If it's not being turned on there, 'egrep -i iptables'
>>/etc/init.d/* and see if it's in any startup script there.
>>Slim chance there may be something in rc.local as well.
>>
>>-Peter
>
> Peter,
> Arghh, system-config-securitylevel had "security" enabled. So what does that do
> to start iptables? That was a lot of wasted time :)
>
> jlc
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>
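The checks Peter walks through in this thread, collected into one POSIX shell script as an added example (this is not code from the original posts). It assumes the CentOS 4/5 SysV init layout: chkconfig, /etc/rc.d/init.d, /etc/rc.d/rc.local, /etc/selinux/config and getenforce. The `chkconfig --list` line and the /etc/selinux/config text shown in the comments are constructed for illustration, not captured from a real host. The first thing to look at when iptables keeps coming back is whether the service is simply turned on for the boot runlevels; the parsing functions are kept separate from the live `report` so they can be tried on pasted output.

```shell
#!/bin/sh
# Added example for the thread above, not code from the original posts.
# Collects the checks discussed: is the iptables service enabled at boot,
# does any init script or rc.local mention iptables, and what mode is
# SELinux configured for.  Paths/commands assume CentOS 4/5 SysV init
# (chkconfig, /etc/rc.d, /etc/selinux/config); the sample text in the
# comments is constructed for illustration, not captured from a real host.

# Read `chkconfig --list iptables` output on stdin and print the runlevels
# in which the service is "on", space separated (empty line if none).
# e.g. "iptables  0:off 1:off 2:on 3:on 4:on 5:on 6:off"  ->  "2 3 4 5"
iptables_on_runlevels() {
    awk '$1 == "iptables" {
        on = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") on = on (on == "" ? "" : " ") kv[1]
        }
        print on
    }'
}

# Read an /etc/selinux/config on stdin and print the SELINUX= value
# (enforcing, permissive or disabled).  Comment lines and SELINUXTYPE=
# are ignored; if the key appears more than once the last one wins,
# which is what the init scripts effectively do when they source the file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# List files under /etc/rc.d that mention iptables: the egrep Peter
# suggests, restricted to the places SysV init actually runs at boot.
iptables_mentions() {
    for f in /etc/rc.d/rc.local /etc/rc.d/init.d/* /etc/rc.d/rc[0-6].d/S*; do
        [ -f "$f" ] && grep -q -i 'iptables' "$f" 2>/dev/null && echo "$f"
    done
    return 0
}

# Run the live checks on a real system.  Nothing here changes anything;
# turning the service off is still `chkconfig iptables off` plus
# `service iptables stop`, as in the thread.
report() {
    if command -v chkconfig >/dev/null 2>&1; then
        levels=$(chkconfig --list iptables 2>/dev/null | iptables_on_runlevels)
        echo "iptables enabled at boot in runlevels: ${levels:-none}"
    fi
    echo "files under /etc/rc.d mentioning iptables:"
    iptables_mentions
    if [ -r /etc/selinux/config ]; then
        echo "SELinux mode in /etc/selinux/config: $(selinux_config_mode </etc/selinux/config)"
    fi
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode right now: $(getenforce)"
    fi
}

# Run the live report only when saved as check_iptables.sh and executed
# directly, so the file can also be sourced to reuse the functions.
case "$0" in
    *check_iptables.sh) report ;;
esac
```

Save it as check_iptables.sh and run it as root on the box in question. If `iptables enabled at boot in runlevels:` lists 2 through 5, the service is being started by init itself and no amount of editing rc.local will stop it; `chkconfig iptables off` is the fix. The SELinux mode is reported separately because, as the thread notes, it is a different question from whether the firewall runs, even though the same configuration tool touches both.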
