[CentOS] Iptables not save rules

Mike mike at microdel.org
Tue Sep 13 16:04:47 UTC 2016


On Tue, 13 Sep 2016, TE Dukes wrote:

>
>
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>> Behalf Of John R Pierce
>> Sent: Sunday, September 11, 2016 10:44 PM
>> To: centos at centos.org
>> Subject: Re: [CentOS] Iptables not save rules
>>
>> On 9/11/2016 8:55 AM, TE Dukes wrote:
>>> I have been using ipset to blacklist badbots. Works like a champ!
>>>
>>> The only problem is if I do a system reboot, I lose the ipset and the rule.
>>>
>>> I changed /etc/sysconfig/iptables.conf to:
>>>
>>> IPTABLES_SAVE_ON_RESTART="yes"
>>> IPTABLES_SAVE_ON_STOP="yes"
>>>
>>> And followed the instructions in:
>>>
>>> https://www.centos.org/forums/viewtopic.php?t=3853
>>>
>>> The changes are still not saved.
>>
>> wild guess says, you need to ...
>>
>>      chkconfig on ipset
>>      service ipset start
>>
>> and when you change ipset stuff,
>>
>>      service ipset save
>>
>>
>> but I'm just guessing, I've never used ipsets.
>>
>>
>> --
>> john r pierce, recycling bits in santa cruz
> [Thomas E Dukes]
> THANKS!!
>
> I did not realize ipset was running as a service.
>
> Been trying figure out what was wrong for a couple weeks.
>
> Only way to know is to do a reboot and see what happens. Ipset save xxxxxx
> apparently doesn't really do anything.
>
> Thanks, again!!
>

John R Pierce's wild guesses are exactly right.

ipset is NOT running as a "traditional" service, however:

    service ipset start|stop|save

load and save ipsets for you automagically.

Notice that it's "service ipset save" not "ipset save xxxx" as you had 
typed.

Finally, and this is a bit of a corner case, but "service ipset save" 
won't work if you don't have the "ip_set" kernel module loaded, that is, 
if your environment has the kernel modules compiled into the kernel. See 
lines 123 and 124 of /etc/rc.d/init.d/ipset

Easiest thing for me is to just comment out those two lines, however I 
need to remember to comment them out again when the ipset rpm is updated.
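An added example, not from the thread or the ipset package, that checks the three things this thread turns on before you reboot: whether ip_set is a loaded module or compiled in (the corner case above), whether the set is in the init script's saved file, and whether a saved iptables rule references it. It assumes /etc/sysconfig/ipset as the init script's save file and /lib/modules/$(uname -r)/modules.builtin as the list of compiled-in modules; both are assumptions, not stated in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Checks why a blacklist ipset and its
# rule would vanish on reboot. Assumptions: the ipset init script saves to
# /etc/sysconfig/ipset; compiled-in modules are listed in modules.builtin.
SAVED_SETS="${IPSET_SAVED_FILE:-/etc/sysconfig/ipset}"      # assumed path
SAVED_RULES="${IPTABLES_SAVED_FILE:-/etc/sysconfig/iptables}"
BUILTIN_LIST="/lib/modules/$(uname -r)/modules.builtin"     # assumed path

# ip_set_state LSMOD_TEXT BUILTIN_TEXT -> prints module | builtin | none
# "builtin" is the corner case from the thread: ipset itself works, but an
# init script that only looks for a loaded module will refuse to save.
ip_set_state() {
    if printf '%s\n' "$1" | grep -qE '^ip_set[[:space:]]'; then
        echo module
    elif printf '%s\n' "$2" | grep -qE '(^|/)ip_set\.ko$'; then
        echo builtin
    else
        echo none
    fi
}

# set_is_persisted SAVED_TEXT SETNAME : 0 if `ipset save` output recreates SETNAME
set_is_persisted() {
    printf '%s\n' "$1" | grep -qE "^create $2 "
}

# rule_references_set RULES_TEXT SETNAME : 0 if an iptables-save dump uses SETNAME
rule_references_set() {
    printf '%s\n' "$1" | grep -qE -- "--match-set $2( |$)"
}

# check_persistence SETNAME : live check on the host (root needed to read the files)
check_persistence() {
    setname="$1"
    case "$(ip_set_state "$(lsmod 2>/dev/null)" "$(cat "$BUILTIN_LIST" 2>/dev/null)")" in
        none)    echo "ip_set not available: load the module before saving"; return 1 ;;
        builtin) echo "ip_set is compiled in: expect the init script's module check to fail" ;;
    esac
    if ! set_is_persisted "$(cat "$SAVED_SETS" 2>/dev/null)" "$setname"; then
        echo "$setname missing from $SAVED_SETS: run 'service ipset save'"; return 1
    fi
    if ! rule_references_set "$(cat "$SAVED_RULES" 2>/dev/null)" "$setname"; then
        echo "no saved rule uses $setname: run 'service iptables save'"; return 1
    fi
    echo "$setname and its rule are saved; 'chkconfig ipset on' loads them at boot"
}
```

Run `check_persistence badbots` (with your set name) as root; the three helper functions take text arguments so they can also be fed saved files from another host.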