[CentOS] Centos6 iptables startup vs. restart?

Fri Mar 30 19:15:09 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 03/30/2012 10:53 AM, Les Mikesell wrote:
> What is different about the initial startup of iptables than 'service
> iptables restart'  (and different from C5)?   I want to use iptables
> port redirection to send port 80 to 8080 so a java web service doesn't
> have to start as root.  On C5 it worked to give the iptables
> commands, then 'iptables save', and from then on it would
> automatically work when iptables started after a reboot.   With C6, I
> have the expected entries in /etc/sysconfig/iptables and they are
> loaded after 'service iptables restart', but the initial startup is
> doing something else.

There is a bug that has been around for years in iptables.  I'm not sure
if it's a timing problem or what, but I've seen it in fedora, centos,
and ubuntu where certain rules appear not to work when configured
initially.  I've even dumped out the running iptables list after it was
restarted and diffed it with the saved one and the rules are all there. 
It may be specific to NAT or possibly related to an interaction between
NAT and connection tracking.  Somewhere I remember seeing this problem
documented as a known bug in iptables.  There are a few bugs listed
in: http://bugzilla.netfilter.org/buglist.cgi?quicksearch=nat , though
I'm not sure if any of them quite describes this problem.
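
The saved-versus-running comparison mentioned above, as an added example that is not part of the original post: it normalizes two iptables-save style dumps (dropping timestamp comments and zeroing counters) before diffing them. The function names and the sample rulesets are constructed for illustration; a clean diff only shows the rules are loaded, not that they take effect.

```shell
#!/bin/sh
# Added example: compare a saved ruleset with a dump of the running one.

# Strip what legitimately differs between two dumps of the same ruleset:
# comment lines (timestamps), packet/byte counters, trailing whitespace.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/\[[0-9]*:[0-9]*\]/[0:0]/g' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# compare_rules SAVED RUNNING: print a unified diff, return 0 if equivalent.
compare_rules() {
    cr_a=$(mktemp) && cr_b=$(mktemp) || return 2
    normalize_rules "$1" > "$cr_a"
    normalize_rules "$2" > "$cr_b"
    cr_rc=0
    diff -u "$cr_a" "$cr_b" || cr_rc=$?
    rm -f "$cr_a" "$cr_b"
    return "$cr_rc"
}

# Constructed sample data (not from the post): a saved file and a running
# dump that differ only in timestamps and counters.
write_samples() {
    cat > "$1/saved" <<'EOF'
# Generated by iptables-save on (constructed timestamp A)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
# Completed on (constructed timestamp A)
EOF
    sed -e 's/timestamp A/timestamp B/' \
        -e 's/^:PREROUTING ACCEPT \[0:0\]/:PREROUTING ACCEPT [12:720]/' \
        "$1/saved" > "$1/running"
    # A dump where the redirect rule is absent, for contrast.
    grep -v -- '--dport 80' "$1/running" > "$1/running_missing"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if compare_rules "$demo_dir/saved" "$demo_dir/running"; then
    echo "running ruleset matches saved file"
fi
# On a real host (as root): iptables-save > /tmp/running
#   compare_rules /etc/sysconfig/iptables /tmp/running
```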