iptables is not loading saved rules correctly after reboot

Support for security such as Firewalls and securing linux
Post Reply
ysj
Posts: 1
Joined: 2017/09/07 18:36:41

iptables is not loading saved rules correctly after reboot

Post by ysj » 2017/09/07 19:06:08

Hi Guys,

I'm aware that centos7 is using firewalld and have disabled the service and installed iptables services.

I kept port 22,80,8080 open and plan to redirect request to other ports to port 4444. The issue is that iptables doesn't load the same rules after rebooting. I'm unable to access port 80 and 8080 web services. However, ssh is fine.

Here is what I did:
  • iptables -F
    iptables -t nat -A PREROUTING -i ens33 -p tcp -m tcp -m multiport --dports 1:21,23:79,81:8079,8081:65535 -j REDIRECT --to-ports 4444
    service iptables save
    ** Try to access port 22,80,8080 from another pc, it works.
    reboot
Rules in etc/sysconfig/iptable after saving

Code: Select all

# Generated by iptables-save v1.4.21 on Fri Sep  8 03:00:13 2017
*mangle
:PREROUTING ACCEPT [83:12197]
:INPUT ACCEPT [82:12165]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33:14048]
:POSTROUTING ACCEPT [34:14080]
COMMIT
# Completed on Fri Sep  8 03:00:13 2017
# Generated by iptables-save v1.4.21 on Fri Sep  8 03:00:13 2017
*filter
:INPUT ACCEPT [81:12093]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [33:14048]
COMMIT
# Completed on Fri Sep  8 03:00:13 2017
# Generated by iptables-save v1.4.21 on Fri Sep  8 03:00:13 2017
*nat
:PREROUTING ACCEPT [12:1311]
:INPUT ACCEPT [12:1311]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
-A PREROUTING -i ens33 -p tcp -m tcp -m multiport --dports 1:21,23:79,81:8079,8081:65535 -j REDIRECT --to-ports 4444
-A PREROUTING -i ens33 -p tcp -m tcp -m multiport --dports 1:21,23:79,81:8079,8081:65535 -j REDIRECT --to-ports 4444
COMMIT
# Completed on Fri Sep  8 03:00:13 2017
After reboot, I tried to access port 80 and 8080, I couldn't access. SSH is fine.

Rules loaded after rebooting:

Code: Select all

[root@localhost ~]# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -i ens33 -p tcp -m tcp -m multiport --dports 1:21,23:79,81:8079,8081:65535 -j REDIRECT --to-ports 4444
-A PREROUTING -i ens33 -p tcp -m tcp -m multiport --dports 1:21,23:79,81:8079,8081:65535 -j REDIRECT --to-ports 4444
-A PREROUTING -i ens33 -p tcp -m tcp --dport 1:21 -j REDIRECT --to-ports 4444
-A PREROUTING -i ens33 -p tcp -m tcp --dport 23:65535 -j REDIRECT --to-ports 4444
[root@localhost ~]# iptables -S -t filter
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[root@localhost ~]# iptables -S -t mangle
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
Top
Post Reply

Return to “CentOS 7 - Security Support”