iptables - rules being added after reboot

Support for security such as Firewalls and securing linux
XpL0d3r
Posts: 2
Joined: 2017/01/27 03:18:40

iptables - rules being added after reboot

Post by XpL0d3r » 2017/01/27 04:18:01

Hi everyone,

After years of not doing anything related to security, despite having a degree in it, I decided it's time to get back into things. One of the things I want to learn that I haven't in the past is iptables. I know firewalld is used with CentOS 7, but before learning that I want to get iptables down.

For some reason, whenever I reboot, rules somehow get appended to the chain. Even /etc/sysconfig/iptables is modified, but the rules I've entered still remain as well. Why is this happening?

Let me give an example:

First, I've made sure to disable firewalld. I've checked, and that looks good:

[root@localhost test]# systemctl status firewalld
 firewalld.service
   Loaded: masked (/dev/null)
   Active: inactive (dead)
Making sure the iptables service is running:

[root@localhost test]# systemctl status iptables
 iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2017-01-26 22:15:54 EST; 8min ago
  Process: 913 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 913 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

Jan 26 22:15:55 localhost.localdomain systemd[1]: Starting IPv4 firewall with iptables...
Jan 26 22:15:54 localhost.localdomain iptables.init[913]: iptables: Applying firewall rules: [  OK  ]
Jan 26 22:15:54 localhost.localdomain systemd[1]: Started IPv4 firewall with iptables.
Next, I cleared out the current iptables config using -F and -X, and then restored the following from a file. Don't mind the redundant rejection of the bogus 123.123 address; I threw that in because it stands out when trying to see if the rules were persisting or not.

# iptables test config
# updated 1-26-2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p tcp -s 123.123.123.69 --dport 22 -j REJECT #test to see if persist
-A INPUT -p tcp -s 192.168.3.2 --dport 22 -j ACCEPT  #ssh from host ip
-A INPUT -p tcp --dport 22 -j REJECT #block ssh from everyone else
COMMIT
Then, I made sure to copy that contents to /etc/sysconfig/iptables. I did this to ensure what's loaded into memory and the config file currently match.

A current check to make sure everything looks normal:

[root@localhost test]# iptables -L -v
Chain INPUT (policy ACCEPT 15 packets, 1121 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     123.123.123.69       anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  any    any     192.168.3.2          anywhere             tcp dpt:ssh
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 143 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere   
At this point, there are two things I've tried, and both end up with modified chains and rules, differently.

If I do a "service iptables save", it doesn't change what's currently loaded in memory, but it adds a ton of rules and whatnot, in addition to the ones I've already created. Notice how the 123.123 fake address I put in there is towards the top of the output.

[root@localhost test]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*filter
:INPUT ACCEPT [6:393]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:143]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*raw
:PREROUTING ACCEPT [727:49519]
:OUTPUT ACCEPT [126:12156]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*security
:INPUT ACCEPT [727:49519]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [126:12156]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*mangle
:PREROUTING ACCEPT [676:43582]
:INPUT ACCEPT [676:43582]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:6868]
:POSTROUTING ACCEPT [86:8651]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 26 22:52:55 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 22:52:55 2017
*nat
:PREROUTING ACCEPT [68:8013]
:INPUT ACCEPT [68:8013]
:OUTPUT ACCEPT [67:5166]
:POSTROUTING ACCEPT [67:5166]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 26 22:52:55 2017

If I do not do a "service iptables save", and just leave the contents of what's loaded into memory as well as /etc/sysconfig/iptables alone and correct, it gets modified to the following. Notice this time, the 123.123 rule is towards the bottom of the output.

[root@localhost test]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*nat
:PREROUTING ACCEPT [29:3228]
:INPUT ACCEPT [29:3228]
:OUTPUT ACCEPT [45:3830]
:POSTROUTING ACCEPT [45:3830]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*mangle
:PREROUTING ACCEPT [300:21003]
:INPUT ACCEPT [300:21003]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:5593]
:POSTROUTING ACCEPT [67:7968]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*security
:INPUT ACCEPT [351:26940]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:10881]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*raw
:PREROUTING ACCEPT [351:26940]
:OUTPUT ACCEPT [105:10881]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
# Generated by iptables-save v1.4.21 on Thu Jan 26 23:03:57 2017
*filter
:INPUT ACCEPT [25:1932]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:1119]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Thu Jan 26 23:03:57 2017
Comparing iptables -L -v output of each though, they're the same.

[root@localhost test]# iptables -L -v
Chain INPUT (policy ACCEPT 220 packets, 15473 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:bootps
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     123.123.123.69       anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  any    any     192.168.3.2          anywhere             tcp dpt:ssh
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    virbr0  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 any     192.168.122.0/24     anywhere            
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere            
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 38 packets, 3883 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    virbr0  anywhere             anywhere             udp dpt:bootpc
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere    

So my real question is, why are rules being appended to the ones I've added after reboot, and where are they coming from? And why is /etc/sysconfig/iptables being modified? Somewhere, I don't think I'm understanding something correctly.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables - rules being added after reboot

Post by TrevorH » 2017/01/27 07:23:52

You need to disable the libvirt default network if you're not using it... /usr/bin/virsh net-autostart default --disable then reboot to have it take effect.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

XpL0d3r
Posts: 2
Joined: 2017/01/27 03:18:40

Re: iptables - rules being added after reboot

Post by XpL0d3r » 2017/01/27 17:06:44

TrevorH wrote: You need to disable the libvirt default network if you're not using it... /usr/bin/virsh net-autostart default --disable then reboot to have it take effect.
Wow, that seems to do the trick, thank you! iptables rules save properly after reboot now. One thing I did notice though, is that /etc/sysconfig/iptables is still being modified after reboot, despite only the proper rules loading at boot.

I noticed that if I do "service iptables save", that's what seems to modify /etc/sysconfig/iptables with all of the extra virbr0 rules. Even if I do not run that command, they still show up in that file after reboot.

So two more small questions: is there a difference between iptables-save and "service iptables save"? And why is /etc/sysconfig/iptables being modified with all those extra rules? It was my understanding that "service iptables save" just dumps the currently loaded rules into /etc/sysconfig/iptables.

iptables -L -v looks perfect after reboot

[root@localhost test]# iptables -L -v
Chain INPUT (policy ACCEPT 17 packets, 935 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     123.123.123.69       anywhere             tcp dpt:ssh reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  any    any     192.168.3.2          anywhere             tcp dpt:ssh
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 344 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere  
But looking at /etc/sysconfig/iptables after reboot, it's all out of whack again:

[root@localhost test]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*nat
:PREROUTING ACCEPT [11:919]
:INPUT ACCEPT [9:821]
:OUTPUT ACCEPT [32:2702]
:POSTROUTING ACCEPT [32:2702]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Jan 27 11:57:22 2017
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*mangle
:PREROUTING ACCEPT [113:10132]
:INPUT ACCEPT [111:10034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:6052]
:POSTROUTING ACCEPT [73:9303]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i eth0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Fri Jan 27 11:57:22 2017
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*security
:INPUT ACCEPT [111:10034]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:6052]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Jan 27 11:57:22 2017
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*raw
:PREROUTING ACCEPT [113:10132]
:OUTPUT ACCEPT [56:6052]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Jan 27 11:57:22 2017
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*filter
:INPUT ACCEPT [67:4591]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13:1200]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Fri Jan 27 11:57:22 2017
Thanks for your help!
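Two things in the thread above fit together: the first post's observation that the saved file picks up rules the poster never wrote, and the second post's question about how iptables-save and "service iptables save" differ. On CentOS 7 the service's save action is a thin wrapper: /usr/libexec/iptables/iptables.init runs iptables-save and writes its output to /etc/sysconfig/iptables, and iptables.service restores that whole file at boot. iptables-save dumps every table that is loaded (nat, mangle, raw, security, filter) with every chain in it, while "iptables -L" without -t shows only the filter table, which is why the live view looked clean while the file did not. Whatever is live at save time, libvirt's virbr0 and 192.168.122.0/24 NAT rules and firewalld's *_direct and PRE_public chains included, therefore becomes part of the boot-time ruleset, and rules re-added on top of a restored copy come back duplicated on the next save (the three dumps on this page hold three, four and then five copies of libvirt's nat rules). If the file changes across a reboot without anyone running save, the setting to check is IPTABLES_SAVE_ON_STOP (and IPTABLES_SAVE_ON_RESTART) in /etc/sysconfig/iptables-config; the thread does not show that file, so whether it is the cause here is an assumption.

The audit script below is an added example and not code from the thread or from the iptables package. It parses an iptables-save dump, reports every rule and user-defined chain that is not in the ruleset you intended, tags each with its likely origin, and counts duplicates. The sample dump is a constructed, shortened excerpt of the file shown in the second post, and the origin fingerprints (virbr0 / 192.168.122.0/24 for libvirt, *_direct / *_ZONES / PRE_public for firewalld) are assumptions based on what appears on this page, not a complete catalogue of either tool's rules.

```python
"""Audit an iptables-save dump: which rules did I write, which came from
somewhere else, and which are duplicated?  Run against a real system with
    iptables-save | python audit.py   (or: python audit.py /etc/sysconfig/iptables)
"""
import re
import sys
from collections import Counter

# Constructed excerpt of the /etc/sysconfig/iptables dump posted above, trimmed.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Fri Jan 27 11:57:22 2017
*nat
:POSTROUTING ACCEPT [32:2702]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*mangle
:POSTROUTING ACCEPT [73:9303]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
-A PREROUTING -j PREROUTING_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
*filter
:INPUT ACCEPT [67:4591]
:OUTPUT ACCEPT [13:1200]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# The rules the poster intended, written the canonical way iptables-save emits them.
INTENDED = {"filter": {
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -s 123.123.123.69/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable",
    "-A INPUT -s 192.168.3.2/32 -p tcp -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable",
    "-A OUTPUT -o lo -j ACCEPT",
}}

# Assumed fingerprints, taken from what this thread shows; extend for your host.
ORIGINS = [
    ("libvirt", re.compile(r"virbr0|192\.168\.122\.0/24")),
    ("firewalld", re.compile(r"_direct\b|_ZONES|PRE_public")),
]


def parse_iptables_save(text):
    """Return {table: {"chains": [(name, policy)], "rules": [...]}}.
    '*t' opens table t, ':NAME POLICY [p:b]' declares a chain ('-' = user chain),
    '-A ...' is a rule, 'COMMIT' closes the table, '#' lines are comments."""
    tables, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = line[1:]
            tables[cur] = {"chains": [], "rules": []}
        elif line == "COMMIT":
            cur = None
        elif cur is None:
            raise ValueError("line outside a table: %r" % line)
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[cur]["chains"].append((name, policy))
        elif line.startswith("-A "):
            tables[cur]["rules"].append(line)
        else:
            raise ValueError("unrecognised line: %r" % line)
    return tables


def classify(text):
    for origin, pattern in ORIGINS:
        if pattern.search(text):
            return origin
    return "unknown"


def foreign_rules(tables, intended):
    """(table, origin, rule) for every rule not in the intended set."""
    return [(t, classify(r), r) for t, body in tables.items()
            for r in body["rules"] if r not in intended.get(t, set())]


def foreign_chains(tables):
    """(table, origin, chain) for every user-defined chain in the dump."""
    return [(t, classify(name), name) for t, body in tables.items()
            for name, policy in body["chains"] if policy == "-"]


def duplicate_rules(tables):
    """(table, rule, count) for rules that occur more than once in one table."""
    return [(t, r, n) for t, body in tables.items()
            for r, n in Counter(body["rules"]).items() if n > 1]


def missing_rules(tables, intended):
    return [(t, r) for t, rules in intended.items()
            for r in rules if r not in tables.get(t, {"rules": []})["rules"]]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    t = parse_iptables_save(text)
    for table, origin, rule in foreign_rules(t, INTENDED):
        print("FOREIGN  %-8s %-9s %s" % (table, origin, rule))
    for table, origin, chain in foreign_chains(t):
        print("CHAIN    %-8s %-9s %s" % (table, origin, chain))
    for table, rule, n in duplicate_rules(t):
        print("DUP x%-3d %-8s %s" % (n, table, rule))
    for table, rule in missing_rules(t, INTENDED):
        print("MISSING  %-8s %s" % (table, rule))
```

Run it against the live kernel state (iptables-save) and against the saved file and compare the two reports: anything tagged FOREIGN or CHAIN that is absent from the live state but present in the file is being resurrected from the file at each boot, and a DUP count that grows by one per reboot is the signature of a restored copy being appended to again. The INTENDED set is what you own; everything else is something you should be able to name a source for before it gets saved again.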

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables - rules being added after reboot

Post by jlehtone » 2017/01/29 10:15:56

iptables -S
iptables -S -t nat
iptables -S -t mangle
