iptables rules get deleted...

#1
06-24-2003
Paul M.

iptables rules get deleted...

Hi,
I'm setting up a RedHat 8.0 box on the network with a static
address. It is a relatively uncustomized box other than running some
security updates and turning off unwanted services. I need to run
portmap, which is why I need to filter network access. I've created a
set of iptables rules, loaded them and saved them into
/etc/sysconfig/iptables using iptables-save. It's a simple setup -- no
NAT/masq, etc., just a simple port filter. I've tested it and it does
what I want. I go home and come back in the morning and run iptables
-L. All my rules are gone. I can reload the rules from
/etc/sysconfig/iptables, but it's hard to convince my boss that a port
filter that deletes its own rules is a good thing. Is RedHat trying to
"help" me a la Windows? Is there some daemon that doesn't like my rule
set? I did not have this problem in RedHat 7.2. Thanks for any ideas.

Paul M.
#2
06-24-2003
Cedric Blancher

Re: iptables rules get deleted...

In his prose, Paul M. wrote to us:
> I'm setting up a RedHat 8.0 box on the network with a static
> address. It is a relatively uncustomized box other than running some
> security updates and turning off unwanted services. I need to run
> portmap, which is why I need to filter network access. I've created a
> set of iptables rules, loaded them and saved them into
> /etc/sysconfig/iptables using iptables-save. It's a simple setup -- no
> NAT/masq, etc., just a simple port filter. I've tested it and it does
> what I want. I go home and come back in the morning and run iptables -L.
> All my rules are gone.


Has the box been rebooted during the night? If so, check your startup
scripts; the loading of the iptables rules must be missing.

--
RG - Well, no, in French there is no ellipsis after an "etc.", that is a
redundancy saying the same repetition twice...
CC - Personally I like the redundancy that says the same repetition twice.
-+- RG & CC in GNU: We erase nothing and start over -+-

#3
06-24-2003
George Hewitt

Re: iptables rules get deleted...

I had a similar problem with RH8. It was because iptables wasn't actually
loading as a service, so I simply wgetted the latest iptables RPM from
rpmfind.net and installed that.

Then, load your tables from before and:

iptables-save
service iptables save
service iptables restart

Hopefully that should now load it all up on boot.
--

"Paul M." <paul.marquardt@mortgagefamily.com> wrote in message
news:f2137556.0306240412.131d53b3@posting.google.com...
> Hi,
> I'm setting up a RedHat 8.0 box on the network with a static
> address. It is a relatively uncustomized box other than running some
> security updates and turning off unwanted services. I need to run
> portmap, which is why I need to filter network access. I've created a
> set of iptables rules, loaded them and saved them into
> /etc/sysconfig/iptables using iptables-save. It's a simple setup -- no
> NAT/masq, etc., just a simple port filter. I've tested it and it does
> what I want. I go home and come back in the morning and run iptables
> -L. All my rules are gone. I can reload the rules from
> /etc/sysconfig/iptables, but it's hard to convince my boss that a port
> filter that deletes its own rules is a good thing. Is RedHat trying to
> "help" me ala Windows? Is there some daemon that doesn't like my rule
> set? I did not have this problem in RedHat 7.2. Thanks for any ideas.
>
> Paul M.
#4
06-25-2003
Rick Cooper

Re: iptables rules get deleted...


"Paul M." <paul.marquardt@mortgagefamily.com> wrote in message
news:f2137556.0306240412.131d53b3@posting.google.com...
> Hi,
> I'm setting up a RedHat 8.0 box on the network with a static
> address. It is a relatively uncustomized box other than running some
> security updates and turning off unwanted services. I need to run
> portmap, which is why I need to filter network access. I've created a
> set of iptables rules, loaded them and saved them into
> /etc/sysconfig/iptables using iptables-save. It's a simple setup -- no
> NAT/masq, etc., just a simple port filter. I've tested it and it does
> what I want. I go home and come back in the morning and run iptables
> -L. All my rules are gone. I can reload the rules from
> /etc/sysconfig/iptables, but it's hard to convince my boss that a port
> filter that deletes its own rules is a good thing. Is RedHat trying to
> "help" me ala Windows? Is there some daemon that doesn't like my rule
> set? I did not have this problem in RedHat 7.2. Thanks for any ideas.
>
> Paul M.


Put this script in your /etc/init.d directory under the name iptables (as
root), then run

chmod u=rwx,g=rwx,o=x /etc/init.d/iptables
chkconfig --add iptables

and it will load every time the system is booted.

The only thing I have changed from the original is the addition of the -n
option to the status section.
You will also find the Linux firewall module of webmin makes
creating/editing/deleting/ordering rules using iptables-save and
iptables-restore VERY easy.

#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up (action, success and failure come from here)
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# Netfilter/iptables needs a 2.3 or later kernel
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
    # Don't do both
    exit 0
fi

# Run an iptables command against table $1 only if that table is loaded
iftable() {
    if fgrep -qsx $1 /proc/net/ip_tables_names; then
        iptables -t "$@"
    fi
}

start() {
    # don't do squat if we don't have the config file
    if [ -f $IPTABLES_CONFIG ]; then
        # If we don't clear these first, we might be adding to
        # pre-existing rules.
        action $"Flushing all current rules and user defined chains:" iptables -F
        action $"Clearing all current rules and user defined chains:" iptables -X
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains; do iptables -t $i -F; done && \
            success $"Flushing all current rules and user defined chains:" || \
            failure $"Flushing all current rules and user defined chains:"
        for i in $chains; do iptables -t $i -X; done && \
            success $"Clearing all current rules and user defined chains:" || \
            failure $"Clearing all current rules and user defined chains:"

        for i in $chains; do iptables -t $i -Z; done

        echo $"Applying iptables firewall rules: "
        grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | \
            /sbin/iptables-restore -c && \
            success $"Applying iptables firewall rules" || \
            failure $"Applying iptables firewall rules"
        echo
        touch /var/lock/subsys/iptables
    fi
}

stop() {
    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $chains; do iptables -t $i -F; done && \
        success $"Flushing all chains:" || \
        failure $"Flushing all chains:"
    for i in $chains; do iptables -t $i -X; done && \
        success $"Removing user defined chains:" || \
        failure $"Removing user defined chains:"
    echo -n $"Resetting built-in chains to the default ACCEPT policy:"
    iftable filter -P INPUT ACCEPT && \
        iftable filter -P OUTPUT ACCEPT && \
        iftable filter -P FORWARD ACCEPT && \
        iftable nat -P PREROUTING ACCEPT && \
        iftable nat -P POSTROUTING ACCEPT && \
        iftable nat -P OUTPUT ACCEPT && \
        iftable mangle -P PREROUTING ACCEPT && \
        iftable mangle -P OUTPUT ACCEPT && \
        success $"Resetting built-in chains to the default ACCEPT policy" || \
        failure $"Resetting built-in chains to the default ACCEPT policy"
    echo
    rm -f /var/lock/subsys/iptables
}

case "$1" in
    start)
        start
        ;;

    stop)
        stop
        ;;

    restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;

    condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;

    status)
        tables=`cat /proc/net/ip_tables_names 2>/dev/null`
        for table in $tables; do
            echo $"Table: $table"
            iptables -n -t $table --list
        done
        ;;

    panic)
        echo -n $"Changing target policies to DROP: "
        iftable filter -P INPUT DROP && \
            iftable filter -P FORWARD DROP && \
            iftable filter -P OUTPUT DROP && \
            iftable nat -P PREROUTING DROP && \
            iftable nat -P POSTROUTING DROP && \
            iftable nat -P OUTPUT DROP && \
            iftable mangle -P PREROUTING DROP && \
            iftable mangle -P OUTPUT DROP && \
            success $"Changing target policies to DROP" || \
            failure $"Changing target policies to DROP"
        echo
        iftable filter -F INPUT && \
            iftable filter -F FORWARD && \
            iftable filter -F OUTPUT && \
            iftable nat -F PREROUTING && \
            iftable nat -F POSTROUTING && \
            iftable nat -F OUTPUT && \
            iftable mangle -F PREROUTING && \
            iftable mangle -F OUTPUT && \
            success $"Flushing all chains:" || \
            failure $"Flushing all chains:"
        iftable filter -X INPUT && \
            iftable filter -X FORWARD && \
            iftable filter -X OUTPUT && \
            iftable nat -X PREROUTING && \
            iftable nat -X POSTROUTING && \
            iftable nat -X OUTPUT && \
            iftable mangle -X PREROUTING && \
            iftable mangle -X OUTPUT && \
            success $"Removing user defined chains:" || \
            failure $"Removing user defined chains:"
        ;;

    save)
        echo -n $"Saving current rules to $IPTABLES_CONFIG: "
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
            success $"Saving current rules to $IPTABLES_CONFIG" || \
            failure $"Saving current rules to $IPTABLES_CONFIG"
        echo
        ;;

    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save} "
        exit 1
esac

exit 0
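The failure mode in this thread is a ruleset that was saved correctly but is silently absent after a reboot, and nobody notices until someone runs iptables -L. As an added example (not code from the thread, from Red Hat or from webmin), the POSIX sh check below compares the saved /etc/sysconfig/iptables with the output of /sbin/iptables-save -c after normalising both the way the init script's start() prepares the file (comments and blank lines dropped) and also stripping the [pkts:bytes] counters, so ordinary traffic since the save is not reported as a change. The function names and the three sample rulesets are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report drift between the rules saved in
# /etc/sysconfig/iptables and the ruleset the kernel is actually enforcing.
# Run from cron or at the end of boot; a non-zero exit from check_live_rules
# means the live rules do not match the file, i.e. the "rules are gone" state.

# Canonical form of iptables-save output: drop comments and blank lines (as the
# init script's start() does) and the [pkts:bytes] counters of iptables-save -c.
normalise_rules() {
    sed -e 's/^\[[0-9]*:[0-9]*\] *//' \
        -e 's/ *\[[0-9]*:[0-9]*\]$//' \
        -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*$/d'
}

# rules_differ SAVED LIVE: exit 0 when the normalised rulesets differ, 1 if equal.
rules_differ() {
    [ "$(printf '%s\n' "$1" | normalise_rules)" != \
      "$(printf '%s\n' "$2" | normalise_rules)" ]
}

# check_live_rules FILE: compare FILE with the running kernel's rules (needs root).
check_live_rules() {
    rules_differ "$(cat "$1")" "$(/sbin/iptables-save -c)"
}

# Constructed sample data (hypothetical box): the saved file, the same ruleset
# after a day of traffic, and what iptables-save shows once the rules are lost.
SAVED='# Generated by iptables-save v1.2.6a on Tue Jun 24 09:00:00 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 111 -j ACCEPT
COMMIT'
LIVE_OK=$(printf '%s\n' "$SAVED" | sed -e 's/\[0:0\]/[4821:390112]/' \
                                       -e 's/Tue Jun 24 09:00/Wed Jun 25 08:30/')
LIVE_WIPED='# Generated by iptables-save v1.2.6a on Wed Jun 25 08:30:00 2003
*filter
:INPUT ACCEPT [318:24512]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [211:18020]
COMMIT'

# Demo: counters alone are not drift; a reboot that lost the rules is.
if rules_differ "$SAVED" "$LIVE_OK"; then echo "unexpected: counters reported as drift"; fi
if rules_differ "$SAVED" "$LIVE_WIPED"; then echo "ALERT: live rules differ from /etc/sysconfig/iptables"; fi
```

On a real box, `check_live_rules /etc/sysconfig/iptables` is the call to schedule; it only compares text, so it needs no change to the init script or the saved file.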

