iptables befuddles me

Support for security such as Firewalls and securing linux
Post Reply
Posts: 2
Joined: 2015/12/28 21:45:08

iptables befuddles me

Post by sshades » 2015/12/28 22:13:47

I have a server that was setup by an admin who is no longer around which leaves the rest of us normal users stumbling in the dark. The machine uses CentOS 7, and the admin seems to have made security primarily go through iptables (though I understand that firewalld would normally be the default). I was attempting to add a rule to iptables which ended up backfiring on me in a fantastic way. I was following a walk through for CentOS 6, and here is where things blew up:

Code: Select all

# service iptables stop

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# service iptables save

# service iptables restart
Before inputting these commands, I verified that iptables -L and /etc/sysconfig/iptables had the same rules (The admin had apparently done something that causes a discrepancy between the two when the machine first boots, so I usually need to reset some services before the machine is functional). My expectation was that the iptables command would ADD one new rule to the pre-existing set of rules and then save that. What ACTUALLY happened was that this command deleted ALL the other rules and saved just this single rule. I have the output of iptables -L saved from just before running that command. It's mostly default rules with the exception of opening a few ports (ssh, http, https, and msgsrvr) plus a rule for fail2ban. However, now I have no idea what went wrong and how I'm supposed to actually ADD rules instead of replacing them.

Posts: 188
Joined: 2007/05/06 20:15:23

Re: iptables befuddles me

Post by gulikoza » 2015/12/29 08:54:27

When you stopped iptables service, all the netfilter tables have been flushed. Then you have added your new rule, which was at this point the only rule in iptables. After this, you have saved this as your new configuration. You need to restore /etc/sysconfig/iptables from some backup and add your new rules without stopping iptables service and then saving it again.

Maybe the confusion comes from the fact that everybody talks about iptables service, firewalld service...when actually there is no service at all. There are just (kernel) netfilter tables. When you stop this "service", the tables are flushed. When you start it, the rules are inserted by iptables. Nothing more, nothing less. Firewalld service generates some chains on it's own, so it is easier to manage and actually has a python daemon, but it basically works the same way...kernel does all the work, everything else is there just to manage it.

User avatar
Forum Moderator
Posts: 30351
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables befuddles me

Post by TrevorH » 2015/12/29 13:27:53

If you have not yet rerun service iptables save then you can retrieve your old rules from /etc/sysconfig/iptables.save but if you run save again they will be lost.
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Posts: 2
Joined: 2015/12/28 21:45:08

Re: iptables befuddles me

Post by sshades » 2016/01/01 02:42:01

The server had some hardware issues, so it took a little while to get it running again. There were also other steps missing from the guide I was following. However, the pointers here saved me some time debugging the guide.

Thanks much.

Post Reply

Return to “CentOS 7 - Security Support”