When iptables starts I get the following error:
Applying iptables firewall rules: Can't open /etc/sysconfig/iptables: Permission denied[FAILED]
I checked the ownership and rights of the file with ls -l and get:
-rw------- 1 root root 439 Oct 18 2003 /etc/sysconfig/iptables
Any ideas? I need to get this server online by Friday.
Thanks, Leftie
firewall problems
- WhatsHisName
firewall problems
Checked a few systems and found /etc/sysconfig/iptables permission "-rwxr-xr-x", which is unchanged from installation.
Re: firewall problems
My first guess is that an selinux issue is causing the problem. If you look at the output of "dmesg" or /var/log/messages there should be a denied message. As root, "restorecon -f /etc/sysconfig/iptables" *may* help depending on what has happened. You *may* need to drop from "enforcing" mode to "permissive" via the "system-config-security".
Edit: or better yet what whatshisname said!
Re: firewall problems
I tried -rwxr-xr-x first and that did not work.
Setting the system-config-security to permissive did work.
Thanks for all the information. You can't beat the people in this forum.
Thanks again, Leftie
Re: firewall problems
Just to make sure you understand, you did not *fix* the problem (an selinux "context" issue), you covered it up *AND* made your system more *insecure*...
For outward facing boxes, restoring the correct context for files and keeping selinux in "enforcing" mode *is* the fix not reducing security on your box!
Re: firewall problems
If [b]ls -Z /etc/sysconfig/iptables[/b] shows a context different from
system_u:object_r:etc_t
then you need to change it (I guess you copied this file from somewhere else rather than running # service iptables save).
You can change it by running:
[code]chcon --reference=/etc/sysconfig/syslog /etc/sysconfig/iptables[/code]
or by running the save command after removing the file; it is always good to save
your rules before doing this:
[code]# iptables-save > blabla.txt
# rm -f /etc/sysconfig/iptables
# service iptables save[/code]
More than that, take a look at /var/log/messages for errors. SELinux writes down every error in this file;
look for avc.
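The two checks the last reply recommends (compare the file's SELinux type against etc_t, and look for avc denials in /var/log/messages) can be scripted so they can be re-run after a fix and before switching SELinux back to enforcing. The script below is an added example, not code from the thread or from CentOS. The log lines in SAMPLE_LOG are constructed for the example; the assumption that the context is the fourth column of ls -Z output holds for the coreutils versions in CentOS 4 and later but is not verified against every release.

```shell
#!/bin/sh
# Constructed sample of /var/log/messages lines for this example; the first one
# is the shape of an AVC denial produced when iptables-restore is refused read
# access to a mislabelled /etc/sysconfig/iptables. Not real log data.
SAMPLE_LOG='Oct 18 10:00:01 host kernel: audit(1129629601.123:45): avc:  denied  { read } for  pid=2345 comm="iptables-restor" name="iptables" dev=sda2 ino=12345 scontext=system_u:system_r:iptables_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 18 10:00:02 host iptables: Applying iptables firewall rules: failed
Oct 18 10:00:03 host sshd[1234]: Accepted publickey for admin from 192.0.2.10'

# Filter a log (on stdin) down to AVC denial lines.
avc_denials() {
    grep 'avc: *denied'
}

# From AVC lines on stdin, print the target context (tcontext=...) of each denial.
avc_target_context() {
    sed -n 's/.*tcontext=\([^ ]*\).*/\1/p'
}

# Extract the type field from an SELinux context such as
# system_u:object_r:etc_t or system_u:object_r:etc_t:s0 (third colon-separated field).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when a context is the one expected for /etc/sysconfig/iptables (type etc_t).
iptables_context_ok() {
    [ "$(context_type "$1")" = "etc_t" ]
}

# Number of AVC denials in the constructed sample.
count_denials() {
    printf '%s\n' "$SAMPLE_LOG" | avc_denials | wc -l | tr -d ' '
}

# Live check, only attempted when the file exists and ls -Z works on this host
# (assumption: the context is the fourth column of ls -Z output).
check_live_file() {
    f=/etc/sysconfig/iptables
    if [ -e "$f" ] && ctx=$(ls -Z "$f" 2>/dev/null | awk '{print $4}') && [ -n "$ctx" ]; then
        if iptables_context_ok "$ctx"; then
            echo "$f has type etc_t: label is fine"
        else
            echo "$f is labelled $ctx, expected type etc_t"
            echo "fix: restorecon -v $f   (or chcon --reference=/etc/sysconfig/syslog $f)"
        fi
    else
        echo "no SELinux-labelled $f on this host; skipping live check"
    fi
}

# Demonstration on the constructed sample: report denials and the label they point at.
echo "AVC denials in sample: $(count_denials)"
printf '%s\n' "$SAMPLE_LOG" | avc_denials | avc_target_context | while read -r tctx; do
    if iptables_context_ok "$tctx"; then
        echo "denied access to a correctly labelled file ($tctx): not a label problem"
    else
        echo "denied access to $tctx: file carries the wrong type, relabel it"
    fi
done
check_live_file
```

Reading the tcontext of the denial tells you whether relabelling will actually help: a denial against an etc_t file would mean something other than a copied-in label is wrong, and switching to permissive would hide that too.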