iptables rules not reloading on CentOS 7

Support for security such as Firewalls and securing linux
Post Reply
JohnK2020
Posts: 19
Joined: 2018/06/27 12:08:17

iptables rules not reloading on CentOS 7

Post by JohnK2020 » 2018/07/07 08:44:49

Settin up not the fist server with Centos, I do as always:

Code: Select all

systemctl stop firewalld 
systemctl disable firewalld 
  
yum -y install iptables-services 
systemctl enable iptables
systemctl start iptables
Rules of iptables are saved like this:

Code: Select all

/sbin/iptables-save  > /etc/sysconfig/iptables
systemctl restart iptables
But after restart every time I had to restart it manually otherwize it works with rules I dont understand where it gets.

chkconfig --list:

Code: Select all

htb             0:off  1:off  2:on   3:on  4:on  5:on   6:off
netconsole      0:off  1:off  2:off  3:off  4:off  5:off  6:off
network         0:off  1:off 2:on   3:on   4:on   5:on   6:off
systemctl status iptables -l

Code: Select all

 iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fr 2018-07-06 23:34:00 MSK; 12h ago
 Main PID: 2334 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service

jul 06 23:34:00 srv2 systemd[1]: Starting IPv4 firewall with iptables...
jul 06 23:34:00 srv2 iptables.init[2334]: iptables: Applying firewall rules: [  OK  ]
jul 06 23:34:00 srv2 systemd[1]: Started IPv4 firewall with iptables.
I seem I have tried everthing !

User avatar
TrevorH
Forum Moderator
Posts: 23854
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules not reloading on CentOS 7

Post by TrevorH » 2018/07/07 09:34:50

You didn't show us the rules that you think shouldn't be there.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

JohnK2020
Posts: 19
Joined: 2018/06/27 12:08:17

Re: iptables rules not reloading on CentOS 7

Post by JohnK2020 » 2018/07/07 10:15:10

At startup there are rules not from /etc/sysconfig/iptables but like default ones.
No errors in messages concernig iptables. I'll show rules a bit later when can get them

User avatar
TrevorH
Forum Moderator
Posts: 23854
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules not reloading on CentOS 7

Post by TrevorH » 2018/07/07 11:23:15

Yes. I understood that. We need to see the rules that are there to find out what they are from. I have a strong suspicion as to what they are and where they come from but without actually seeing them I won't know if I'm correct or not.

Most likely they re rules inserted by libvirt for NAT network guests. Show the rules to us and I'll tell you if I'm right.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

JohnK2020
Posts: 19
Joined: 2018/06/27 12:08:17

Re: iptables rules not reloading on CentOS 7

Post by JohnK2020 » 2018/07/07 14:29:01

iptables -S

Code: Select all


-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N block_fw
-N block_in
-N block_out
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp4s0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 20,21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49000:55000 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m multiport --dports 137,138,139,445 -j DROP
-A INPUT -i ppp0 -p udp -m multiport --dports 137,138,139,445 -j DROP
-A INPUT -j block_in
-A FORWARD -s 192.168.3.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.7.0/24 -d 192.168.0.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.3.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.4.0/24 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.7.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i enp4s0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o enp4s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp4s0 -o enp1s0 -j ACCEPT
-A FORWARD -j block_fw
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o enp4s0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -o enp1s0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -j block_out
-A block_fw -j LOG --log-prefix --FW--BLOCK --log-level 6
-A block_fw -j DROP
-A block_in -j LOG --log-prefix --IN--BLOCK --log-level 6
-A block_in -j DROP
-A block_out -j LOG --log-prefix --OUT--BLOCK --log-level 6
-A block_out -j DROP


User avatar
TrevorH
Forum Moderator
Posts: 23854
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules not reloading on CentOS 7

Post by TrevorH » 2018/07/07 16:07:40

So, my guess was completely wrong and looking at those, I have no idea what puts any of those in place. They are unlike any rules that I've ever seen before. What else is installed? Do you have a control panel of sort sort installed - cpanel/plesk that sort of thing?
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

JohnK2020
Posts: 19
Joined: 2018/06/27 12:08:17

Re: iptables rules not reloading on CentOS 7

Post by JohnK2020 » 2018/07/07 21:48:44

This is local server with terminal, no panels, no GUI. Installed from scratch.

JohnK2020
Posts: 19
Joined: 2018/06/27 12:08:17

Re: iptables rules not reloading on CentOS 7

Post by JohnK2020 » 2018/07/09 08:50:47

Finally I had to add systemctl restart iptables into /etc/sysconfig/network-scripts/ifup-ppp
Now when server boots up all works perfectly ;)

User avatar
TrevorH
Forum Moderator
Posts: 23854
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules not reloading on CentOS 7

Post by TrevorH » 2018/07/09 09:42:29

That sounds like a hideous hack to cover up the underlying problem that you haven't found yet.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

pjsr2
Posts: 343
Joined: 2014/03/27 20:11:07

Re: iptables rules not reloading on CentOS 7

Post by pjsr2 » 2018/07/09 16:53:11

With some searching on the web, I found the following script https://github.com/dnbstd/Scripts/blob/ ... ptables.sh which defines iptable chains with names block_fw, block_in and block_out.

Has something similar to that been installed on your system?

Perhaps you can find something with:

Code: Select all

grep --devices=skip -r block_fw /

Post Reply