I have a single ipset rule added to my iptables on a CentOS 6.x box, and this rule is lost when the machine reboots.

I've found this answer showing how to make an Ubuntu system reload the iptables rules after a reboot, but that directory is not present on CentOS.

How do I make this CentOS box load the firewall rules after a reboot?

NOTE: Yes, I'm saving the rules using iptables save and the file is being saved.

This is what is inside /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Mon Apr  8 09:52:59 2013
*filter
:INPUT ACCEPT [2713:308071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1649:1766437]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
COMMIT
# Completed on Mon Apr  8 09:52:59 2013

The saved file shows -A INPUT, but when I created the rule I used -I INPUT.

The rule used to create this was:

iptables -I INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state NEW,ESTABLISHED,RELATED,INVALID -m set --set blocking src -j DROP
Duck
  • @Christopher, sounds similar to /etc/sysconfig/network-scripts/rule-* files. Does this ipset file contain definitions of ipset data structures or actual iptables rules? Example? – rjt Aug 12 '14 at 13:39

4 Answers

I've had the same problem.

You have created a set called "blocking" with ipset; however, I don't see where this set gets saved, so you'd have to recreate it after every reboot in a script, I guess?

X Tian
M Johnson

You lost the rules because:

After adding rules you have to save them before restarting the service or the server, because when you add a rule it only exists in memory; after saving, the rules are written to a file and restored from that file at start-up.

So first you need to save the added rules using:

$ /etc/init.d/iptables save

This will save all rules in /etc/sysconfig/iptables; then just enable the iptables service at start-up using:

$ chkconfig --level 53 iptables on

Method 2

To save rules:

$ /sbin/iptables-save > /etc/iptables.rules

To restore rules [add the entry below to /etc/rc.local]:

$ /sbin/iptables-restore < /etc/iptables.rules
slm
Rahul Patil
  • I did that and iptables loads when the system starts, but it loads empty. – Duck Apr 08 '13 at 08:52
  • Have you checked the `/etc/sysconfig/iptables` file? – Rahul Patil Apr 08 '13 at 08:53
  • After adding the rule just do the `save` I mentioned above; then it will restore at start-up using the `/etc/sysconfig/iptables` file. – Rahul Patil Apr 08 '13 at 08:54
  • Yes, the file is saved correctly. This is something weird I discovered now: when I do *service iptables save* I see a message telling me that the rules were saved to /etc/sysconfig/iptables, but when I do your command */etc/init.d/iptables save* the message tells me that the rules were saved to /etc/sysconfig/ipt. In other words, saved to a different file... why is that? – Duck Apr 08 '13 at 08:55
  • Both are the same: `service iptables save` refers to the same init file, i.e. `/etc/init.d/iptables`. – Rahul Patil Apr 08 '13 at 08:56
  • So, we are back to square one. The file is saved correctly, but when the system starts iptables is loaded empty. – Duck Apr 08 '13 at 08:57
  • After adding rules you have to save them before restarting the service or the server, because when you add a rule it is only in memory; after saving, the rules are written to a file and restored from that file at start-up. – Rahul Patil Apr 08 '13 at 09:00
  • Yes, I know that. The rules are there, saved to /etc/sysconfig/iptables, but they are not being loaded. – Duck Apr 08 '13 at 09:03
  • Check whether the rules are added or not using `iptables -L -n -v`. – Rahul Patil Apr 08 '13 at 09:04
  • If the rules are listed and you are not able to save, then you can save them manually using `iptables-save >> /etc/sysconfig/iptables`. – Rahul Patil Apr 08 '13 at 09:06
  • I have added more information to the question. – Duck Apr 08 '13 at 09:12
  • @DigitalRobot I have added another method for the same; also check that the iptables service is enabled at startup using `chkconfig --list | grep iptables`, and also check for errors in the logs. – Rahul Patil Apr 08 '13 at 09:22
  • I have tried your methods. No change. iptables starts but does not load the rules. Apparently /etc/rc.local is not running either. What logs should I check for errors? – Duck Apr 08 '13 at 09:33
  • Give me the output of `chkconfig --list | grep iptables`. – Rahul Patil Apr 08 '13 at 09:37
  • If the issue is not solved, then disable SELinux and check again; refer to this link for disabling SELinux: http://www.ehowstuff.com/how-to-check-and-disable-selinux-on-centos-6-3/ – Rahul Patil Apr 08 '13 at 09:38
  • iptables 0:no 1:no 2:yes 3:yes 4:yes 5:yes 6:no and SELinux status: disabled – Duck Apr 08 '13 at 09:44
  • Seems fine at the runlevel level. Have you disabled SELinux and checked? You must reboot the system after disabling SELinux. – Rahul Patil Apr 08 '13 at 09:45
  • SELinux status: disabled. I have not disabled it. It was already disabled. – Duck Apr 08 '13 at 09:45
  • Sorry for the late reply. Is your issue solved? If not, just let me know whether your rule is restored or not using `/sbin/iptables-restore < /etc/iptables.rules`. – Rahul Patil Apr 10 '13 at 04:01
  • Nope. The rules are not reloaded after boot. I solved that temporarily by creating a crontab that runs a bash script that tests if there are any rules loaded and loads them if not. It is a lame solution, but it is working until I discover a real solution. Thanks. – Duck Apr 10 '13 at 06:10
  • @DigitalRobot Recently I uninstalled CentOS 6 and installed CentOS 5.9 for better stability and to avoid new issues [I wasted 1 hour on MySQL password recovery because of CentOS 6; I think the 6 series is not ready for production]. – Rahul Patil Apr 10 '13 at 07:28
  • This is the only problem with 6 I have had so far. I will keep an eye on it. – Duck Apr 10 '13 at 07:29
  • The file is clearly already saved, as proven in the question itself ("This is what is inside /etc/sysconfig/iptables"); the problem is with ipset. When iptables restores from a file but that file contains unknown ipset sets, no iptables rules are restored at all. – rjt Aug 12 '14 at 14:00
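The cause rjt points out in the comment above, and the set that M Johnson's answer notes is never saved, can both be checked before the restore runs. The following is an added example, not code from the question or from any of the answers: a POSIX shell script that lists the set names a saved iptables rule file references but a saved `ipset save` dump does not define, plus a loader function that restores the sets before the rules, which is the order that works at boot. The sample rule file is constructed from the rule in the question plus one extra rule; the ipset dump contents, the set name `whitelist`, the address 198.51.100.7 and the path /etc/sysconfig/ipset are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). iptables-restore commits each
# table as one transaction, so one rule whose ipset does not exist yet aborts
# the restore of the whole file and leaves the box with no rules at all.
# This script (1) finds set names a saved rule file references that a saved
# ipset dump does not define, and (2) restores sets before rules.
# /etc/sysconfig/ipset is an assumed path; /etc/sysconfig/iptables is the
# file the question shows.

# Set names referenced by rules: both '--match-set NAME' (iptables-save
# output) and the older '--set NAME' spelling the question used.
referenced_sets() {
    grep -oE -- '--(match-)?set +[^ ]+' "$1" | awk '{print $2}' | sort -u
}

# Set names defined in an 'ipset save' dump ("create NAME hash:ip ...").
defined_sets() {
    awk '$1 == "create" {print $2}' "$1" | sort -u
}

# Print referenced sets with no 'create' line, one per line.
# Usage: missing_sets RULES_FILE IPSET_DUMP
missing_sets() {
    _ref=$(mktemp); _def=$(mktemp)
    referenced_sets "$1" > "$_ref"
    defined_sets "$2" > "$_def"
    comm -23 "$_ref" "$_def"   # lines only in the referenced list
    rm -f "$_ref" "$_def"
}

# Boot-time loader for /etc/rc.local or a cron @reboot job: sets first,
# then the rules that reference them, and refuse to start if a set is
# missing rather than silently ending up with an empty ruleset.
# Requires 'ipset save > /etc/sysconfig/ipset' and 'service iptables save'
# to have been run beforehand. Defined here but not executed by this script.
restore_firewall() {
    rules=${1:-/etc/sysconfig/iptables}
    sets=${2:-/etc/sysconfig/ipset}
    if [ -n "$(missing_sets "$rules" "$sets")" ]; then
        echo "refusing to restore: rules reference sets missing from $sets" >&2
        return 1
    fi
    ipset -exist restore < "$sets" && iptables-restore < "$rules"
}

# Constructed sample input: the rule from the question plus one extra rule,
# checked against an empty ipset dump and against a dump defining both sets.
RULES_FILE=$(mktemp)
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
-A INPUT -m set --set whitelist src -j ACCEPT
COMMIT
EOF

EMPTY_SETS=$(mktemp)
: > "$EMPTY_SETS"

GOOD_SETS=$(mktemp)
cat > "$GOOD_SETS" <<'EOF'
create blocking hash:ip family inet hashsize 1024 maxelem 65536
add blocking 198.51.100.7
create whitelist hash:net family inet hashsize 1024 maxelem 65536
EOF

echo "missing with an empty ipset dump: $(missing_sets "$RULES_FILE" "$EMPTY_SETS" | tr '\n' ' ')"
echo "missing with a complete ipset dump: '$(missing_sets "$RULES_FILE" "$GOOD_SETS")'"
```

With the rc.local method from the answer above, this means putting the ipset restore on the line before iptables-restore and re-running `ipset save` whenever the set changes; the stock iptables init script has already failed by the time rc.local runs, so rc.local has to load both the sets and the rules itself.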
Just noticed the same issue on CentOS 6.4.

I've just put `@reboot /etc/init.d/iptables restart` in the crontab and it works.

slm
k4h
I sent an email to Host Gator and I finally got a response from a Linux Administrator at Host Gator:

Hello there!

HostGator has built a custom firewall that's in place by default on all VPS and dedicated server plans.

Luckily, there is a file in the firewall configuration that is meant to persist iptables configurations.

The file is this: /etc/firewall/INCLUDE

Just add your iptables lines to that file, and restart the firewall with service firewall restart. The iptables rules will persist.

Actually, I've gone ahead and added those lines to the file, so your iptables rules should load and persist now.

Please don't hesitate to follow up if you have any more questions or concerns.

ConfusedDeer