iptables.service on boot: Applying firewall rules: iptables-restore: line 33 failed

[clintonskakun]

Having a strange problem with iptables-restore throwing an error during boot. I get this when checking systemctl status iptables I get a "failed" status.

The odd thing is when I manually systemctl restart iptables(systemctl restart iptables) it works fine. I also tried stopping and starting it to see if that reproduces the error but nope. When I do iptables-restore < /etc/sysconfig/iptables (also tried /etc/sysconfig/iptables.save) it works without giving the error and iptables -S shows as my latest changes.

This is a liability for my setup since I'll have to remember to restart iptables every time I reboot.

Output from journalctl -u iptables:

Code: Select all

jul 18 19:58:52 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
jul 18 19:58:55 localhost.localdomain iptables.init[667]: iptables: Applying firewall rules: iptables-restore: line 33 failed
jul 18 19:58:55 localhost.localdomain iptables.init[667]: [FAILED]
jul 18 19:58:55 localhost.localdomain systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
jul 18 19:58:55 localhost.localdomain systemd[1]: Failed to start IPv4 firewall with iptables.
jul 18 19:58:55 localhost.localdomain systemd[1]: Unit iptables.service entered failed state.
jul 18 19:58:55 localhost.localdomain systemd[1]: iptables.service failed.

cat /etc/sysconfig/iptables

Code: Select all

# Generated by iptables-save v1.4.21 on Tue Jul 18 19:57:30 2017
*mangle
:PREROUTING ACCEPT [131724:380118521]
:INPUT ACCEPT [131678:380115497]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131645:380550785]
:POSTROUTING ACCEPT [131645:380550785]
COMMIT
# Completed on Tue Jul 18 19:57:30 2017
# Generated by iptables-save v1.4.21 on Tue Jul 18 19:57:30 2017
*nat
:PREROUTING ACCEPT [340:19640]
:INPUT ACCEPT [226:13544]
:OUTPUT ACCEPT [662:46300]
:POSTROUTING ACCEPT [662:46300]
COMMIT
# Completed on Tue Jul 18 19:57:30 2017
# Generated by iptables-save v1.4.21 on Tue Jul 18 19:57:30 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [80:8481]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 216.171.233.54/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 216.171.233.54/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 216.171.233.54/32 -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -s 216.171.233.54/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 216.171.233.54/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Tue Jul 18 19:57:30 2017

Hope someone out there can help me with this. I'm stumped!

[TrevorH]

Moved post from CentOS 6 to 7 as "systemd" shows it must be 7.

[guohao.wang]

did you try re-save the iptables rules again ?