After years of not doing anything related to security, despite having a degree in it, I decided it's time to get back into things. One of the things I want to learn that I haven't in the past is iptables. I know firewalld is used with CentOS 7, but before learning that I want to get iptables down.
For some reason, whenever I reboot, rules somehow get appended to the chain. Even /etc/sysconfig/iptables is modified, but the rules I've entered still remain as well. Why is this happening?
Let me give an example:
First, I've made sure to disable firewalld. I've checked, and that looks good:
Code:
[root@localhost test]# systemctl status firewalld
firewalld.service
Loaded: masked (/dev/null)
Active: inactive (dead)
Code:
[root@localhost test]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Thu 2017-01-26 22:15:54 EST; 8min ago
Process: 913 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 913 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
Jan 26 22:15:55 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Jan 26 22:15:54 localhost.localdomain iptables.init[913]: iptables: Applying firewall rules: [ OK ]
Jan 26 22:15:54 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Code:
# iptables test config
# updated 1-26-2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -s 123.123.123.69 --dport 22 -j REJECT #test to see if persist
-A INPUT -p tcp -s 192.168.3.2 --dport 22 -j ACCEPT #ssh from host ip
-A INPUT -p tcp --dport 22 -j REJECT #block ssh from everyone else
COMMIT
A current check to make sure everything looks normal:
Code:
[root@localhost test]# iptables -L -v
Chain INPUT (policy ACCEPT 15 packets, 1121 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT tcp -- any any 123.123.123.69 anywhere tcp dpt:ssh reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- any any 192.168.3.2 anywhere tcp dpt:ssh
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 143 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any lo anywhere anywhere
If I do a "service iptables save", it doesn't change what's currently loaded in memory, but it adds a ton of rules and whatnot, in addition to the ones I've already created. Notice how the 123.123 fake address I put in there is towards the top of the output.
Code:
[root@localhost test]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*filter
:INPUT ACCEPT [6:393]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:143]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*raw
:PREROUTING ACCEPT [727:49519]
:OUTPUT ACCEPT [126:12156]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*security
:INPUT ACCEPT [727:49519]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126:12156]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*mangle
:PREROUTING ACCEPT [676:43582]
:INPUT ACCEPT [676:43582]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:6868]
:POSTROUTING ACCEPT [86:8651]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*nat
:PREROUTING ACCEPT [68:8013]
:INPUT ACCEPT [68:8013]
:OUTPUT ACCEPT [67:5166]
:POSTROUTING ACCEPT [67:5166]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
If I do not do a "service iptables save", and just leave the contents of what's loaded into memory as well as /etc/sysconfig/iptables alone and correct, it gets modified to the following. Notice this time, the 123.123 rule is towards the bottom of the output.
Code:
[root@localhost test]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*nat
:PREROUTING ACCEPT [29:3228]
:INPUT ACCEPT [29:3228]
:OUTPUT ACCEPT [45:3830]
:POSTROUTING ACCEPT [45:3830]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*mangle
:PREROUTING ACCEPT [300:21003]
:INPUT ACCEPT [300:21003]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:5593]
:POSTROUTING ACCEPT [67:7968]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*security
:INPUT ACCEPT [351:26940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:10881]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*raw
:PREROUTING ACCEPT [351:26940]
:OUTPUT ACCEPT [105:10881]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*filter
:INPUT ACCEPT [25:1932]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:1119]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
Code:
[root@localhost test]# iptables -L -v
Chain INPUT (policy ACCEPT 220 packets, 15473 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:domain
0 0 ACCEPT udp -- virbr0 any anywhere anywhere udp dpt:bootps
0 0 ACCEPT tcp -- virbr0 any anywhere anywhere tcp dpt:bootps
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 REJECT tcp -- any any 123.123.123.69 anywhere tcp dpt:ssh reject-with icmp-port-unreachable
0 0 ACCEPT tcp -- any any 192.168.3.2 anywhere tcp dpt:ssh
0 0 REJECT tcp -- any any anywhere anywhere tcp dpt:ssh reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 38 packets, 3883 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any virbr0 anywhere anywhere udp dpt:bootpc
0 0 ACCEPT all -- any lo anywhere anywhere
So my real question is, why are rules being appended to the ones I've added after reboot, and where are they coming from? And why is /etc/sysconfig/iptables being modified? Somewhere, I don't think I'm understanding something correctly.
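An added example, not from the post or the thread, that approaches the "where are they coming from" question from the auditing side: a small Python script that parses an iptables-save dump, flags rules repeated within one table (like the CHECKSUM and MASQUERADE lines above, which gain a copy each boot), and lists filter rules that are not in an intended baseline. The SAMPLE_DUMP and INTENDED_FILTER values are constructed for this example; the virbr0 and 192.168.122.0/24 rules in the post are the kind the libvirt default NAT network installs, which a baseline diff like this makes easy to attribute.

```python
from collections import Counter

def parse_tables(dump):
    """{table: [rules]} from iptables-save text; comments, ':CHAIN' and COMMIT lines are skipped."""
    tables, current = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-") and current is not None:
            tables[current].append(line)
    return tables

def duplicated_rules(rules):
    """Rules repeated within one table -> {rule: count}."""
    return {r: n for r, n in Counter(rules).items() if n > 1}

def unexpected_rules(rules, baseline):
    """Rules in the dump that are not in the intended set, in order, without repeats."""
    return [r for r in dict.fromkeys(rules) if r not in baseline]

# Intended filter rules, spelled the way iptables-save normalises them (constructed baseline)
INTENDED_FILTER = {
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable",
    "-A OUTPUT -o lo -j ACCEPT",
}
# Constructed sample dump modelled on the post's saved file (not a real capture)
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
*mangle
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
"""

def audit(dump=SAMPLE_DUMP, baseline=INTENDED_FILTER):
    """Per-table repeated rules, plus filter rules that fall outside the baseline."""
    tables = parse_tables(dump)
    dups = {t: d for t, r in tables.items() if (d := duplicated_rules(r))}
    return {"duplicates": dups, "unexpected_filter": unexpected_rules(tables.get("filter", []), baseline)}
```

Run it against the real file with `audit(open("/etc/sysconfig/iptables").read())` and a baseline of your own rules; anything it reports was written by something other than you.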