iptables-restore issue

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: iptables-restore issue

Post by tunk » 2021/09/18 16:51:24

C7 was introduced in 2014 and your iptables-save is from 2013.
So it was saved in C6 (or earlier) - could this explain the problem?
Firewalld is the default firewall in C7 - is it possible to use an old
iptables-save with firewalld? And why do you need a firewall when
you have no internet access?

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: iptables-restore issue

Post by mania » 2021/09/22 06:13:26

Hi,
I tested rules with just one IP address and nothing changed.

mania
Posts: 49
Joined: 2020/12/19 05:55:37

Re: iptables-restore issue

Post by mania » 2021/09/22 06:21:35

Hi, do you mean iptables-restore does not work in firewalld ?

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables-restore issue

Post by TrevorH » 2021/09/22 08:36:05

Firewalld is entirely and completely separate from iptables. On CentOS 8, firewalld doesn't even use iptables, it uses nftables.

You can't just plonk iptables rules on top of firewalld. It "knows" how things ought to be and if you did run iptables-restore successfully without firewalld's knowledge, it would notice the rules were "wrong" and remove them. If you use firewalld then you must use its utilities to set up rules, not iptables.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables-restore issue

Post by jlehtone » 2021/09/22 12:33:59

I don't know whether firewalld "knows". The alternative is that it "assumes" that kernel has exactly the ruleset that firewalld has written. If two actors append rules unaware of each other, the resulting ruleset is most likely flawed.

The iptables-restore does by default flush first. That is, remove all current rules. Then it loads the rules from file. If you had rules added by firewalld, they were all wiped off. If firewalld "knows", then it will get notification that rules in kernel are changing and tries to flush and recreate its rules.

Either way, there is a mess.

The iptables.service does nothing but calls iptables-restore with file /etc/sysconfig/iptables on boot (and optionally does iptables-save to /etc/sysconfig/iptables on shutdown).

You should not run both iptables.service and firewalld.service -- they are mutually exclusive. Manually running iptables-restore is like starting iptables.service.

TrevorH wrote (2021/09/22 08:36:05):
    If you use firewalld then you must use its utilities to set up rules, not iptables.
This.

If you do use iptables.service, then add/modify rules to kernel manually (with iptables) and call sudo systemctl save iptables.service when the ruleset is ok. That should give you a valid /etc/sysconfig/iptables.
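A pre-flight check for the situation jlehtone describes above, written as an added example for this thread and not code posted by anyone in it: iptables-restore flushes every table named in the file before loading, so the script refuses to proceed when firewalld is reported active and warns when the dump itself defines firewalld-style chains. The chain names it looks for (IN_public, INPUT_direct and the like) are assumed from firewalld's iptables backend, both sample dumps are constructed, and the firewalld state is passed in as an argument rather than read from systemd so the check runs anywhere.

```sh
#!/bin/sh
# Added example: pre-flight check before running iptables-restore on a
# CentOS 7 host that may be managed by firewalld. Not from the thread.

# Constructed sample: an iptables-save dump taken while firewalld was running
# (chain names follow firewalld's iptables backend; assumption, not from the thread).
FW_DUMP='# Generated by iptables-save v1.4.21 on Wed Sep 22 12:00:00 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Wed Sep 22 12:00:00 2021'

# Constructed sample: a plain /etc/sysconfig/iptables written for iptables.service.
CLEAN_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

FW_DUMP_FILE=$(mktemp)
CLEAN_DUMP_FILE=$(mktemp)
printf '%s\n' "$FW_DUMP" > "$FW_DUMP_FILE"
printf '%s\n' "$CLEAN_DUMP" > "$CLEAN_DUMP_FILE"
trap 'rm -f "$FW_DUMP_FILE" "$CLEAN_DUMP_FILE"' EXIT

# tables_flushed FILE: print the tables named in the dump, one per line.
# iptables-restore (without --noflush) flushes exactly these tables before
# loading, so every rule currently in them, firewalld's included, disappears.
tables_flushed() {
    sed -n 's/^\*//p' "$1"
}

# has_firewalld_chains FILE: succeed if the dump defines chains that look like
# firewalld's own (IN_<zone>, FWDI_<zone>, INPUT_direct, INPUT_ZONES, ...).
# Heuristic on chain names only; a user chain that happens to match is a false positive.
has_firewalld_chains() {
    grep -Eq '^:(IN|OUT|FWDI|FWDO)_[A-Za-z0-9_]+ |^:(INPUT|OUTPUT|FORWARD)_(direct|ZONES|ZONES_SOURCE) ' "$1"
}

# restore_preflight FILE FIREWALLD_STATE
#   FIREWALLD_STATE is what `systemctl is-active firewalld` printed ("active" or
#   "inactive"); it is an argument so the check runs without systemd.
#   Returns 0 = safe to restore, 1 = dump looks firewalld-generated, 2 = firewalld active.
restore_preflight() {
    file=$1
    fw_state=$2
    if [ "$fw_state" = active ]; then
        echo "refuse: firewalld is active; iptables-restore would flush its rules. Use firewall-cmd, or stop and disable firewalld and use iptables.service instead." >&2
        return 2
    fi
    if has_firewalld_chains "$file"; then
        echo "warn: $file defines firewalld-style chains; it was probably saved while firewalld was running and is not a clean iptables.service ruleset." >&2
        return 1
    fi
    echo "ok: iptables-restore would flush and reload: $(tables_flushed "$file" | tr '\n' ' ')"
    return 0
}

# Stand-alone demo: on a real host the state comes from $(systemctl is-active firewalld).
for f in "$FW_DUMP_FILE" "$CLEAN_DUMP_FILE"; do
    for state in active inactive; do
        rc=0
        restore_preflight "$f" "$state" || rc=$?
        echo "preflight $(basename "$f") firewalld=$state -> rc=$rc"
    done
done
```

On a real system the two arguments would be /etc/sysconfig/iptables and the output of systemctl is-active firewalld; a non-zero return is the signal to stop and pick one of the two services before touching the kernel ruleset, which is the mutual exclusivity the post is about.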

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables-restore issue

Post by TrevorH » 2021/09/22 12:49:05

    call sudo systemctl save iptables.service when the ruleset is ok
Did you mean sudo service iptables save?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: iptables-restore issue

Post by jlehtone » 2021/09/22 13:24:48

I don't think that I have iptables.service in any of my CentOS 7 machines.
Systemctl does not wrap to /sbin/service? It does for some units ... or was it the other way around? :?

tunk
Posts: 1204
Joined: 2017/02/22 15:08:17

Re: iptables-restore issue

Post by tunk » 2021/09/22 14:29:13

If you haven't already done it, you could disable firewalld and use iptables:
https://www.digitalocean.com/community/ ... n-centos-7

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables-restore issue

Post by TrevorH » 2021/09/22 15:54:19

    Systemctl does not wrap to /sbin/service? It does for some units ... or was it the other way around? :?
Other way around. If you call service then it does some checks for non-standard "verbs" like save and then invokes a helper script like /usr/libexec/initscripts/legacy-actions/iptables/save which does the work. For things like start/restart/stop it just invokes systemctl. Unfortunately there's no direct way to get systemctl to do anything it doesn't want to.
