[CentOS] Centos 7 - iptables service failed to start

Mon Aug 11 11:39:44 UTC 2014
Adam King <kinga at sghs.org.uk>

Try systemctl stop firewalld, I had to disable that too

Adam King 
IT Systems Administrator 
Skipton Girls High School 
01756 707600 
www.sghs.org.uk 

----- Original Message -----
From: "Neil Aggarwal" <neil at JAMMConsulting.com>
To: centos at centos.org
Sent: Sunday, August 10, 2014 4:21:33 AM
Subject: [CentOS] Centos 7 - iptables service failed to start

Hello all:

I did a fresh install of CentOS 7 on a new machine.

I wrote /usr/local/bin/firewall.stop to remove all the firewall rules.
It contains this code:
# Flush the rules
/usr/sbin/iptables -F

# Set the default policies to accept
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

I wrote /usr/local/bin/firewall.start to set the firewall rules.
It contains this code:
# IP definitions
ETH0_IP=a.b.c.d

# Load the FTP conntrak module
/usr/sbin/modprobe nf_conntrack_ftp 

# Set the default policies to drop all packets
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP

# Flush any existing rules
/usr/sbin/iptables -F

# Allow loopback traffic
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow icmp protocol packets
/usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

[ Additional allow rules here ]

If I run the firewall.start script manually, it sets the iptables rules
correctly.
If I run the firewall.stop script manually, it removes the iptables rules
correctly.

The problem comes in when I am trying to execute this from systemd.

I wrote /etc/systemd/system/firewall.service with this content:

[Unit]
Description=Iptables firewall
Before=network.target
Wants=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/firewall.start
ExecStop=/usr/local/bin/firewall.stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Now, when I run systemctl start firewall.service, I get this output:
Job for firewall.service failed. See 'systemctl status firewall.service' and
'journalctl -xn' for details.

If I do systemctl status firewall.status, it gives me:
firewall.status.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

journalctl -xn gives me this output:
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables
firewall...
-- Subject: Unit firewall.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit firewall.service has begun starting up.
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC
spawning /usr/local/bin/firewall.start: Exec format error
-- Subject: Process /usr/local/bin/firewall.start could not be executed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The process /usr/local/bin/firewall.start could not be executed and
failed.
--
-- The error number returned while executing this process is 8.
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: firewall.service: main
process exited, code=exited, status=203/EXEC
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Failed to start
Iptables firewall.
-- Subject: Unit firewall.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit firewall.service has failed.
--
-- The result is failed.
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Unit firewall.service
entered failed state.

Any ideas what is happening here?

Thanks,
  Neil

--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.



_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos