iptables rules not reloading on CentOS 7
Posted: 2018/07/07 08:44:49
by JohnK2020
Setting up not the first server with CentOS, I do as always:
Code:
systemctl stop firewalld
systemctl disable firewalld
yum -y install iptables-services
systemctl enable iptables
systemctl start iptables
Rules of iptables are saved like this:
Code:
/sbin/iptables-save > /etc/sysconfig/iptables
systemctl restart iptables
But after every reboot I had to restart it manually, otherwise it works with rules I don't understand where it gets from.
chkconfig --list:
Code:
htb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
systemctl status iptables -l
Code:
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Fr 2018-07-06 23:34:00 MSK; 12h ago
Main PID: 2334 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/iptables.service
jul 06 23:34:00 srv2 systemd[1]: Starting IPv4 firewall with iptables...
jul 06 23:34:00 srv2 iptables.init[2334]: iptables: Applying firewall rules: [ OK ]
jul 06 23:34:00 srv2 systemd[1]: Started IPv4 firewall with iptables.
It seems I have tried everything!
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 09:34:50
by TrevorH
You didn't show us the rules that you think shouldn't be there.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 10:15:10
by JohnK2020
At startup there are rules not from /etc/sysconfig/iptables but like default ones.
No errors in messages concerning iptables. I'll show the rules a bit later when I can get them.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 11:23:15
by TrevorH
Yes. I understood that. We need to see the rules that are there to find out what they are from. I have a strong suspicion as to what they are and where they come from but without actually seeing them I won't know if I'm correct or not.
Most likely they're rules inserted by libvirt for NAT network guests. Show the rules to us and I'll tell you if I'm right.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 14:29:01
by JohnK2020
iptables -S
Code:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N block_fw
-N block_in
-N block_out
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp4s0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 20,21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49000:55000 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m multiport --dports 137,138,139,445 -j DROP
-A INPUT -i ppp0 -p udp -m multiport --dports 137,138,139,445 -j DROP
-A INPUT -j block_in
-A FORWARD -s 192.168.3.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.4.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i enp4s0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o enp4s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp4s0 -o enp1s0 -j ACCEPT
-A FORWARD -j block_fw
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp4s0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -o enp1s0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -j block_out
-A block_fw -j LOG --log-prefix --FW--BLOCK --log-level 6
-A block_fw -j DROP
-A block_in -j LOG --log-prefix --IN--BLOCK --log-level 6
-A block_in -j DROP
-A block_out -j LOG --log-prefix --OUT--BLOCK --log-level 6
-A block_out -j DROP
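One way to find out which of the live rules above are not in /etc/sysconfig/iptables, and where a script creating the extra chains might live, as an added example that is not from any poster in this thread. The hook directories it greps are assumed, not named in the thread; the two sample listings are constructed.

```shell
# Added example (not from the thread): report rules that are live but absent from
# the persisted ruleset, then grep assumed CentOS 7 hook locations for the chains.
export LC_ALL=C
# Normalise an iptables-save dump or `iptables -S` listing into one comparable
# form: drop comments/table markers/COMMIT, rewrite ":CHAIN POLICY [n:n]" as
# "-P CHAIN POLICY" ("-N CHAIN" for user chains), strip quotes and trailing space.
normalize_rules() {
    sed -e '/^#/d' -e '/^\*/d' -e '/^COMMIT$/d' \
        -e 's/^:\([^ ]*\) - \[[0-9]*:[0-9]*\]$/-N \1/' \
        -e 's/^:\([^ ]*\) \([^ ]*\) \[[0-9]*:[0-9]*\]$/-P \1 \2/' \
        -e 's/"//g' -e 's/[[:space:]]*$//' "$1" | grep -v '^$' | sort -u
}
# Rules present in the live listing ($2) but not in the saved file ($1).
unexpected_rules() {
    saved_n=$(mktemp); live_n=$(mktemp)
    normalize_rules "$1" > "$saved_n"; normalize_rules "$2" > "$live_n"
    comm -13 "$saved_n" "$live_n"
    rm -f "$saved_n" "$live_n"
}
# User-defined chains among the unexpected rules: the search key for the loader.
unexpected_chains() {
    unexpected_rules "$1" "$2" | awk '$1 == "-N" { print $2 }'
}
# Files under assumed boot/network hook locations that mention those chains.
find_chain_sources() {
    for chain in $(unexpected_chains "$1" "$2"); do
        grep -rl -- "$chain" /etc/sysconfig/network-scripts /etc/systemd \
            /usr/lib/systemd /etc/cron.d /etc/rc.d /etc/ppp 2>/dev/null
    done | sort -u
}
# Constructed samples standing in for /etc/sysconfig/iptables and iptables-save.
SAVED_SAMPLE=$(mktemp); LIVE_SAMPLE=$(mktemp)
cat > "$SAVED_SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
cat > "$LIVE_SAMPLE" <<'EOF'
-P INPUT DROP
-P OUTPUT DROP
-N block_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j block_in
-A block_in -j LOG --log-prefix "--IN--BLOCK" --log-level 6
EOF
unexpected_rules "$SAVED_SAMPLE" "$LIVE_SAMPLE"
```

On the real host, dump the live set first (iptables-save > /tmp/live) and run unexpected_rules /etc/sysconfig/iptables /tmp/live, then find_chain_sources with the same two arguments.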
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 16:07:40
by TrevorH
So, my guess was completely wrong and looking at those, I have no idea what puts any of those in place. They are unlike any rules that I've ever seen before. What else is installed? Do you have a control panel of some sort installed - cpanel/plesk, that sort of thing?
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/07 21:48:44
by JohnK2020
This is a local server with a terminal, no panels, no GUI. Installed from scratch.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/09 08:50:47
by JohnK2020
Finally I had to add
systemctl restart iptables into /etc/sysconfig/network-scripts/ifup-ppp
Now when the server boots up, everything works perfectly.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/09 09:42:29
by TrevorH
That sounds like a hideous hack to cover up the underlying problem that you haven't found yet.
Re: iptables rules not reloading on CentOS 7
Posted: 2018/07/09 16:53:11
by pjsr2
With some searching on the web, I found the following script
https://github.com/dnbstd/Scripts/blob/ ... ptables.sh which defines iptables chains with the names block_fw, block_in and block_out.
Has something similar to that been installed on your system?
Perhaps you can find something with: