iptables not showing persistent rule after server reboot
Please suggest how to block ports in iptables in a persistent way. We have blocked the ports with the help of the command ‘iptables -A INPUT -p tcp --destination-port <port number> -j DROP’, but with this command the entries made in iptables are not persistent, and after a reboot iptables shows only the old rules, not the newly added rules.
So we have entered these commands in a file and have scheduled a cronjob which will run after a reboot of the system to make the port-blocking entries in iptables.
Re: iptables not showing persistent rule after server reboot
The default firewall solution on CentOS 7 is firewalld. You should never add rules using the iptables command if you use firewalld. Rules added using iptables behind firewalld's back will get removed at any time when firewalld notices they are there. You should use the firewall-cmd command instead. And if you do that then you need to run it twice, once with --permanent and once without or you need to add it once with --permanent and then do a reload.
If you do not use firewalld and use native iptables instead, then after you add rules using the iptables command you need to run service iptables save to save the rules.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptables not showing persistent rule after server reboot
If you use firewalld, you can disable it and use iptables instead:
https://www.digitalocean.com/community/ ... n-centos-7
Don't know if it's recommended, I use iptables and I edit
/etc/sysconfig/iptables+ip6tables directly.
Re: iptables not showing persistent rule after server reboot
Hello TrevorH and all,
Firewall service is already disabled.
For using “iptables service save” we have to load a separate package, and we have already done the suggested activity previously, but it caused the application to misbehave and the GUI did not open.
Also you have to consider that the application is running on Docker, and also kube-proxy edits iptables with new iptables rules every time the system is rebooted. We have to consider the fact that on our system we do have Kubernetes as well.
-----------------------[ APPLICATION ]
[KUBERNETES] [ DOCKER ]
[OPERATING SYSTEM CENTOS ]
[ SERVER ]
Please support to resolve.
Re: iptables not showing persistent rule after server reboot
csnegi wrote: ↑2022/03/08 10:44:11
Firewall service is already disabled.
For using “iptables service save” we have to load a separate package, and we have already done the suggested activity previously, but it caused the application to misbehave and the GUI did not open.
Also you have to consider that the application is running on Docker, and also kube-proxy edits iptables with new iptables rules every time the system is rebooted.

Yes, the package iptables-services provides iptables.service and ip6tables.service.
There is also package nftables that provides nftables.service.
(Current RHEL 7 documentation describes only firewalld.service and nftables.service -- they have deprecated iptables.)
Something has to load netfilter and/or nftables rules into the kernel at boot (and during runtime). The default is firewalld.service. If that is disabled, then it won't do that.
The iptables.service (and nftables.service) are oneshots -- they load rules at boot. FirewallD can change rules more dynamically.
On boot the iptables.service loads rules from /etc/sysconfig/iptables. The 'service iptables save' reads the current rules from the kernel and writes them into /etc/sysconfig/iptables.
Let's say that we have iptables.service enabled and something in /etc/sysconfig/iptables.
- On boot those rules are loaded into kernel.
- Services like Docker, libvirtd, fail2ban, and kubernetes add rules to kernel.
- You add some custom rules to kernel with 'iptables -A INPUT ...'
On next reboot:
- iptables.service loads everything from /etc/sysconfig/iptables into kernel.
- Docker, libvirtd, fail2ban, kubernetes, etc. add their rules again into the kernel. Depending on how they do it, they fail or add duplicate rules.
Therefore, you have to create the ruleset as it should be before those extra services add anything, and store that into /etc/sysconfig/iptables.
The objective is that after extra services add their rules, the result ruleset is appropriate.
An alternative is to create a complete, static ruleset for iptables.service and prevent docker/kubernetes from adding any rules.
Re: iptables not showing persistent rule after server reboot
If this is docker then it's a docker problem. Docker dynamically adds iptables rules and those are lost if the iptables service is restarted while containers are running. If you restart the iptables service, those docker added dynamic rules will be lost until you restart the container.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptables not showing persistent rule after server reboot
Hello,
Any permanent solution to save the iptables post reboot, please share.
Re: iptables not showing persistent rule after server reboot
Probably:
* Disable the troublemakers
* Reboot
* Check rules and save
* Enable the troublemakers
* Reboot
* Check rules. If ok, then you have it. If not, then restart this process and adjust rules before save
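An added example, not code from any poster in this thread, of producing the static ruleset the earlier reply describes: it filters an iptables-save dump so that the "check rules and save" step does not persist the chains Docker and kube-proxy recreate at runtime. The DOCKER/KUBE- chain-name prefixes, the function names and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: keep only the static part of an
# iptables-save dump so that what gets persisted is the ruleset as it should
# look before Docker and kube-proxy add their own chains at runtime.
# The chain-name prefixes are an assumption; compare with your own dump.
DYNAMIC_CHAINS='DOCKER|KUBE-'

# strip_dynamic_rules <dump-file>: print the static ruleset on stdout.
# Drops chain declarations (":NAME ...") for dynamic chains, rules appended
# to such chains, and rules that jump (-j/-g) into them. Table headers
# ("*filter"), policies of built-in chains and COMMIT lines are kept.
strip_dynamic_rules() {
    awk -v pat="^($DYNAMIC_CHAINS)" '
        /^:/   { if (substr($1, 2) ~ pat) next }
        /^-A / {
            chain = $2; target = ""
            for (i = 3; i <= NF; i++)
                if ($i == "-j" || $i == "-g") target = $(i + 1)
            if (chain ~ pat || target ~ pat) next
        }
        { print }
    ' "$1"
}

# count_rules <dump-file> <chain>: number of -A rules in <chain>, for the
# "check rules" step before and after a reboot.
count_rules() {
    awk -v c="$2" '$1 == "-A" && $2 == c { n++ } END { print n + 0 }' "$1"
}

# persist_static_ruleset [<out-file>]: snapshot the live kernel rules, strip the
# dynamic chains and write the result where iptables.service loads it at boot.
# Assumes iptables-services is installed; the default path is the one the
# thread names. Run as root.
persist_static_ruleset() {
    out=${1:-/etc/sysconfig/iptables}
    tmp=$(mktemp) || return 1
    if ! iptables-save > "$tmp"; then rm -f "$tmp"; return 1; fi
    strip_dynamic_rules "$tmp" > "$out"
    rm -f "$tmp"
}
```

Rules that Docker adds outside its own chains (for example the MASQUERADE rule for its bridge subnet in the nat table) are not caught by a chain-name filter, so review the output before writing it to /etc/sysconfig/iptables.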
Re: iptables not showing persistent rule after server reboot
The problem is that docker adds the rules dynamically and I am not sure you have any guarantee that the old rules for a previous instance of a container would be applicable to a new one.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptables not showing persistent rule after server reboot
Hello TrevorH,
We have scheduled a script with a cronjob to block ports after every restart. Is this the only way to block the ports in a persistent way?
Please confirm.
Thanks
Chiranjeev Negi