iptables disabled in chkconfig but starting on its own

jkoral
Posts: 2
Joined: 2017/08/28 20:00:05

iptables disabled in chkconfig but starting on its own

Post by jkoral » 2017/08/28 20:19:07

I run a Cloudera cluster and have iptables disabled on the out-of-band servers, but for some reason the iptables daemon starts without rules.

Here is a little more info. I am running CentOS 6.9 in Runlevel 3:
- I have turned iptables off in chkconfig: chkconfig iptables off
- I have turned iptables off in the live session: service iptables stop
- When I check the status of iptables (service iptables status), I get "iptables: Firewall is not running."

That is all great, but then later (Not sure if it is a day later or a week later, but it is definitely not an hour later) when I check the status of iptables, I get:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

This indicates to me that the firewall is started, but without the rules. Is that correct? When I run service iptables stop, I get:

iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

Then the status goes back to "Firewall is not running." This may or may not be causing problems with the cluster, but either way, I want to know why the daemon seems to be starting on its own.

Thanks for any help you can provide.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: iptables disabled in chkconfig but starting on its own

Post by Whoever » 2017/08/29 01:57:31

jkoral wrote:

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

iptables doesn't really start a service (by which I mean a running user-space program).

What iptables does is set up the netfilter rules in the running kernel.

What you show above is the default state of the tables when no rules are defined. In other words, the default state when the iptables "service" is stopped.
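Building on Whoever's point, here is an added example that is not part of the thread: a small POSIX shell function that reads a filter-table dump in `iptables -S` format and reports whether it is the default, unfiltered state shown above (all policies ACCEPT, no rules) or a ruleset that actually filters. The two sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Classify a filter-table dump in
# `iptables -S` format as "default" (no rules, every policy ACCEPT, i.e.
# exactly the state the thread shows, which filters nothing) or "active"
# (at least one rule or a non-ACCEPT policy). Reads the dump from stdin.
classify_filter_table() {
    rules=0
    nonaccept=0
    while IFS= read -r line; do
        case "$line" in
            -P\ *\ ACCEPT) ;;                       # default ACCEPT policy
            -P\ *) nonaccept=$((nonaccept + 1)) ;;  # DROP/REJECT policy
            -A\ *|-I\ *) rules=$((rules + 1)) ;;    # a real rule
            -N\ *) ;;                               # user chain, not a rule
            "") ;;                                  # ignore blank lines
            *) echo "unrecognised line: $line" >&2; return 2 ;;
        esac
    done
    if [ "$rules" -eq 0 ] && [ "$nonaccept" -eq 0 ]; then
        echo default
    else
        echo active
    fi
}

# Constructed sample matching the thread's output: three chains with
# policy ACCEPT and no rules at all.
EMPTY_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample of a minimal ruleset that really does filter.
RULED_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

printf '%s\n' "$EMPTY_DUMP" | classify_filter_table   # prints: default
printf '%s\n' "$RULED_DUMP" | classify_filter_table   # prints: active
```

On a live host the same function can be fed with `iptables -S | classify_filter_table`, which tells you whether the kernel is actually filtering regardless of what the init script's status line says.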
