On Tue, 13 Sep 2016, TE Dukes wrote:

>
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of John R Pierce
>> Sent: Sunday, September 11, 2016 10:44 PM
>> To: centos at centos.org
>> Subject: Re: [CentOS] Iptables not save rules
>>
>> On 9/11/2016 8:55 AM, TE Dukes wrote:
>>> I have been using ipset to blacklist badbots. Works like a champ!
>>>
>>> The only problem is if I do a system reboot, I lose the ipset and the rule.
>>>
>>> I changed /etc/sysconfig/iptables.conf to:
>>>
>>> IPTABLES_SAVE_ON_RESTART="yes"
>>> IPTABLES_SAVE_ON_STOP="yes"
>>>
>>> And followed the instructions in:
>>>
>>> https://www.centos.org/forums/viewtopic.php?t=3853
>>>
>>> The changes are still not saved.
>>
>> wild guess says, you need to ...
>>
>>     chkconfig ipset on
>>     service ipset start
>>
>> and when you change ipset stuff,
>>
>>     service ipset save
>>
>>
>> but I'm just guessing, I've never used ipsets.
>>
>>
>> --
>> john r pierce, recycling bits in santa cruz
> [Thomas E Dukes]
> THANKS!!
>
> I did not realize ipset was running as a service.
>
> Been trying to figure out what was wrong for a couple weeks.
>
> Only way to know is to do a reboot and see what happens. Ipset save xxxxxx
> apparently doesn't really do anything.
>
> Thanks, again!!
>

John R Pierce's wild guesses are exactly right. ipset is NOT running as a "traditional" service, however:

    service ipset start|stop|save

load and save ipsets for you automagically.

Notice that it's "service ipset save" not "ipset save xxxx" as you had typed.

Finally, and this is a bit of a corner case, but "service ipset save" won't work if you don't have the "ip_set" kernel module loaded, that is if your environment has the kernel modules compiled into the kernel.

See lines 123 and 124 of /etc/rc.d/init.d/ipset

Easiest thing for me is to just comment out those two lines, however I need to remember to comment them out again when the ipset rpm is updated.
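
The corner case in the last reply, as an added example that is not part of the original thread: a diagnostic that tells whether ip_set is loaded as a module or compiled into the kernel, so you know before a reboot which situation the host is in. The function name `ip_set_state` is hypothetical; it reads `/proc/modules` and the running kernel's `modules.builtin` list and does not inspect the init script itself.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies how the running kernel
# provides ip_set and prints one of: loaded, builtin, absent.
#   $1: loaded-module list   (default: /proc/modules)
#   $2: built-in module list (default: /lib/modules/<release>/modules.builtin)
ip_set_state() {
    loaded_list=${1:-/proc/modules}
    builtin_list=${2:-/lib/modules/$(uname -r)/modules.builtin}

    # /proc/modules: the module name is the first space-separated field,
    # so anchor on "ip_set " to avoid matching ip_set_hash_ip and friends.
    if [ -r "$loaded_list" ] && grep -q '^ip_set ' "$loaded_list"; then
        echo loaded
    # modules.builtin: one object path per line,
    # e.g. kernel/net/netfilter/ipset/ip_set.ko
    elif [ -r "$builtin_list" ] && grep -q '/ip_set\.ko$' "$builtin_list"; then
        echo builtin
    else
        echo absent
    fi
}

# Report the state of the running kernel, or of the files given as arguments.
ip_set_state "$@"
```

A result of `builtin` means a check that only consults the loaded-module list will not see ip_set, which is the situation the last reply describes.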