iptables not showing persistent rule after server reboot

csnegi
Posts: 6
Joined: 2022/03/03 09:07:52

iptables not showing persistent rule after server reboot

Post by csnegi » 2022/03/03 09:34:31

Please suggest how to block ports in iptables in a persistent way. We have blocked the ports with the command ‘iptables -A INPUT -p tcp --destination-port <port number> -j DROP’, but the entries made with this command are not persistent, and after a reboot iptables shows only the old rules, not the newly added ones.
So we have put these commands in a file and scheduled a cron job
which runs after the system reboots to make the port-blocking entries in iptables.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables not showing persistent rule after server reboot

Post by TrevorH » 2022/03/03 13:35:57

The default firewall solution on CentOS 7 is firewalld. You should never add rules using the iptables command if you use firewalld. Rules added using iptables behind firewalld's back will get removed at any time when firewalld notices they are there. You should use the firewall-cmd command instead. And if you do that, then you need to run it twice, once with --permanent and once without, or you need to add it once with --permanent and then do a reload.

If you do not use firewalld and use native iptables instead, then after you add rules using the iptables command you need to run service iptables save to save the rules.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tunk
Posts: 1206
Joined: 2017/02/22 15:08:17

Re: iptables not showing persistent rule after server reboot

Post by tunk » 2022/03/03 13:47:51

If you use firewalld, you can disable it and use iptables instead:
https://www.digitalocean.com/community/ ... n-centos-7

Don't know if it's recommended; I use iptables and I edit
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables directly.
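
The file tunk edits by hand, and that TrevorH's 'service iptables save' writes, is plain iptables-restore text. The following script is an added example, not code from the thread: it renders a complete, static /etc/sysconfig/iptables from a list of TCP ports to block, so the drops survive a reboot once iptables.service (package iptables-services) is enabled. The port list, the ACCEPT default policies (the thread's rules only add DROPs, as the original poster's command does) and the --install handling are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a static ruleset file for
# iptables.service from a list of TCP ports to block.
# Assumptions: ports, default policies and the --install mode are mine.

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;            # empty, or not all digits
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_ruleset PORT... -> iptables-restore text on stdout.
# Validates every port before printing anything, so a bad argument never
# produces a half-written file.
render_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "render_ruleset: bad port '$p'" >&2; return 2; }
    done
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    for p in "$@"; do
        # same rule the original poster adds by hand with iptables -A
        printf '%s\n' "-A INPUT -p tcp --dport $p -j DROP"
    done
    echo 'COMMIT'
}

# Usage (as root, firewalld disabled, iptables-services installed):
#   sh block_ports.sh --install 23 2049
if [ "${1:-}" = "--install" ]; then
    shift
    rules=$(render_ruleset "$@") || exit 1
    printf '%s\n' "$rules" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables   # load now, no reboot needed
    systemctl enable iptables                    # and again at every boot
fi
```

Because iptables.service loads this file before Docker or kube-proxy start, the DROP rules are the base ruleset jlehtone's later reply asks for; do not run 'service iptables save' afterwards, as that would overwrite the file with the runtime rules those services added.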

csnegi
Posts: 6
Joined: 2022/03/03 09:07:52

Re: iptables not showing persistent rule after server reboot

Post by csnegi » 2022/03/08 10:44:11

Hello TrevorH and all,

The firewall service is already disabled.
To use “iptables service save” we have to install a separate package; we already did the suggested activity previously, but it caused the application to misbehave and the GUI would not open.
Also you have to consider that the application is running on Docker, and kube-proxy edits iptables every time the system is rebooted, adding new iptables rules. We have to consider the fact that we have Kubernetes on our system as well.

[ APPLICATION ]
[ KUBERNETES ] [ DOCKER ]
[ OPERATING SYSTEM: CENTOS ]
[ SERVER ]

Please support to resolve.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables not showing persistent rule after server reboot

Post by jlehtone » 2022/03/08 12:27:43

csnegi wrote:
2022/03/08 10:44:11
The firewall service is already disabled.
To use “iptables service save” we have to install a separate package; we already did the suggested activity previously, but it caused the application to misbehave and the GUI would not open.
Also you have to consider that the application is running on Docker, and kube-proxy edits iptables every time the system is rebooted, adding new iptables rules.
Yes, the package iptables-services provides iptables.service and ip6tables.service.
There is also the package nftables, which provides nftables.service.
(Current RHEL 7 documentation describes only firewalld.service and nftables.service -- they have deprecated iptables.)

Something has to load netfilter and/or nftables rules into the kernel at boot (and during runtime). The default is firewalld.service. If that is disabled, then it won't do that.

The iptables.service (and nftables.service) are oneshots -- they load rules at boot. FirewallD can change rules more dynamically.

On boot the iptables.service loads rules from /etc/sysconfig/iptables. The 'service iptables save' command reads the current rules from the kernel and writes them into /etc/sysconfig/iptables.

Let's say that we have iptables.service enabled and something in /etc/sysconfig/iptables.
  1. On boot those rules are loaded into the kernel.
  2. Services like Docker, libvirtd, fail2ban, and Kubernetes add rules to the kernel.
  3. You add some custom rules to the kernel with 'iptables -A INPUT ...'
If you now do 'service iptables save', then all rules from the kernel are stored into /etc/sysconfig/iptables.

On the next reboot:
  1. iptables.service loads everything from /etc/sysconfig/iptables into the kernel.
  2. Docker, libvirtd, fail2ban, Kubernetes, etc. add their rules again into the kernel. Depending on how they do it, they fail or add duplicate rules.
The result is most likely not what it should be.

Therefore, you have to create the ruleset as it should be before those extra services add anything, and store that into /etc/sysconfig/iptables.
The objective is that after the extra services add their rules, the resulting ruleset is appropriate.

An alternative is to create a complete, static ruleset for iptables.service and prevent Docker/Kubernetes from adding any rules.
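
The trap jlehtone describes is that 'service iptables save' snapshots everything in the kernel, Docker and kube-proxy chains included, and the next boot then replays those before the services re-create them. The script below is an added example, not code from the thread: it turns an iptables-save snapshot into the base ruleset that iptables.service should load, by dropping every chain and rule that mentions Docker or Kubernetes. The chain names used (DOCKER, DOCKER-USER, KUBE-*, the docker0 interface, the "kubernetes ..." rule comments) are the ones those tools really create, but the match list is my assumption: a CNI plugin such as Calico installs chains with its own prefix and would need adding, and any hand-written rule whose comment happens to contain "kube" or "docker" would also be stripped. The sample snapshot is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: derive the boot-time base ruleset from a
# live `iptables-save` snapshot by removing Docker's and kube-proxy's dynamic
# rules. Assumptions: the docker/kube match list and the sample snapshot.

# strip_dynamic_rules: stdin = iptables-save text, stdout = the same text minus
# iptables-save's '#' comments and every line that mentions Docker or Kubernetes
# in any case (chain declarations, jumps into those chains, docker0 rules,
# "kubernetes ..." comment rules). Table headers and COMMIT lines pass through.
strip_dynamic_rules() {
    awk '
        /^#/ { next }
        tolower($0) ~ /docker|kube/ { next }
        { print }
    '
}

# count_dynamic TEXT -> number of lines still referring to Docker/Kubernetes
count_dynamic() {
    printf '%s\n' "$1" | grep -ciE 'docker|kube' || true
}

# Constructed snapshot of a CentOS 7 host running Docker and kube-proxy, with
# one hand-added DROP rule (the kind the original poster wants to keep).
SAMPLE_SAVE='# Generated by iptables-save v1.4.21 on Tue Mar  8 12:00:00 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-POSTROUTING - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-NODEPORTS - [0:0]
-A INPUT -p tcp --dport 8080 -j DROP
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-USER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A DOCKER-USER -j RETURN
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
# Completed on Tue Mar  8 12:00:00 2022'

# Usage (as root): write the stripped ruleset for iptables.service to load
#   sh base_ruleset.sh --write
if [ "${1:-}" = "--write" ]; then
    iptables-save | strip_dynamic_rules > /etc/sysconfig/iptables
else
    printf '%s\n' "$SAMPLE_SAVE" | strip_dynamic_rules
fi
```

Run without arguments it prints the filtered sample: both tables, their built-in chain policies, the 8080 DROP rule and the COMMIT lines survive, while every DOCKER and KUBE line is gone, which is what you want in the file that is loaded before those services start.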

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables not showing persistent rule after server reboot

Post by TrevorH » 2022/03/08 14:55:02

If this is docker then it's a docker problem. Docker dynamically adds iptables rules and those are lost if the iptables service is restarted while containers are running. If you restart the iptables service, those docker added dynamic rules will be lost until you restart the container.

csnegi
Posts: 6
Joined: 2022/03/03 09:07:52

Re: iptables not showing persistent rule after server reboot

Post by csnegi » 2022/03/14 04:24:15

Hello,

Any permanent solution to save the iptables post reboot, please share.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables not showing persistent rule after server reboot

Post by jlehtone » 2022/03/14 09:22:09

Probably:
* Disable the troublemakers
* Reboot
* Check rules and save
* Enable the troublemakers
* Reboot
* Check rules. If OK, then you have it. If not, then restart this process and adjust the rules before saving.
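
The "check rules" steps in that procedure are worth scripting, because a ruleset that looks right after the first reboot can still be wrong after the second one. The following is an added example, not code from the thread: it compares the rules you require against an iptables-save snapshot and flags two failure modes jlehtone's earlier reply predicts, a required rule that is missing (the boot-time load did not deliver it) and a rule that appears twice (the saved file already held something Docker or kube-proxy re-adds at runtime). The required rules, the two snapshots and the --live mode are my assumptions; the snapshots are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: post-reboot verification of the loaded
# ruleset. Assumptions: REQUIRED rule list, sample snapshots, --live mode.

# check_rules REQUIRED SNAPSHOT -> 0 if every required rule is present and no
# rule is duplicated; 1 otherwise. Findings are printed one per line.
check_rules() {
    required=$1
    snapshot=$2
    rc=0
    # only rule lines take part; chain declarations and COMMIT are ignored
    rules=$(printf '%s\n' "$snapshot" | grep '^-A ' || true)

    # 1. every required rule must be present (exact, whole-line match)
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$rules" | grep -qxF -- "$rule"; then
            echo "MISSING: $rule"
            rc=1
        fi
    done <<EOF
$required
EOF

    # 2. no rule may occur twice: the saved file already contained a rule that a
    #    runtime service (Docker, kube-proxy, ...) appended again after boot
    dups=$(printf '%s\n' "$rules" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/DUPLICATE: /'
        rc=1
    fi
    return "$rc"
}

# The rules we need to survive a reboot (assumed ports).
REQUIRED='-A INPUT -p tcp --dport 8080 -j DROP
-A INPUT -p tcp --dport 2049 -j DROP'

# Constructed: what a correct boot looks like after Docker is running again.
GOOD_SNAPSHOT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp --dport 8080 -j DROP
-A INPUT -p tcp --dport 2049 -j DROP
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Constructed: the 2049 rule was never saved, and the saved file already held
# the DOCKER-USER jump that Docker appended again at startup.
BAD_SNAPSHOT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp --dport 8080 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -j RETURN
COMMIT'

# Usage: `sh check_rules.sh --live` checks the running kernel (as root);
# without arguments it runs against the constructed BAD_SNAPSHOT.
if [ "${1:-}" = "--live" ]; then
    check_rules "$REQUIRED" "$(iptables-save)"
else
    check_rules "$REQUIRED" "$BAD_SNAPSHOT"
fi
```

Against BAD_SNAPSHOT the script reports "MISSING: -A INPUT -p tcp --dport 2049 -j DROP" and "DUPLICATE: -A FORWARD -j DOCKER-USER" and exits non-zero; against GOOD_SNAPSHOT it is silent and exits 0, which is the "if OK, then you have it" point in the procedure.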

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables not showing persistent rule after server reboot

Post by TrevorH » 2022/03/14 11:23:13

The problem is that docker adds the rules dynamically and I am not sure you have any guarantee that the old rules for a previous instance of a container would be applicable to a new one.

csnegi
Posts: 6
Joined: 2022/03/03 09:07:52

Re: iptables not showing persistent rule after server reboot

Post by csnegi » 2022/03/15 08:48:58

Hello TrevorH,

We have scheduled a script with a cron job to block the ports after every restart. Is this the only way to block the ports in a persistent way?
Please confirm.

Thanks
Chiranjeev Negi
