firewall problems

Support for security such as Firewalls and securing linux
Leftie
Posts: 3
Joined: 2007/10/18 12:58:53

firewall problems

Post by Leftie » 2007/10/18 15:12:25

When iptables start I get the following error;

Applying iptables firewall rules: Can't open /etc/sysconfig/iptables: Permission denied[FAILED]

I checked the ownership and rights of the file with ls -l and get;

-rw------- 1 root root 439 Oct 18 2003 /etc/sysconfig/iptables

Any ideas? I need to get this server online by Friday.

Thanks, Leftie

WhatsHisName
Posts: 1547
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

firewall problems

Post by WhatsHisName » 2007/10/18 15:32:49

Checked a few systems and found /etc/sysconfig/iptables permission "-rwxr-xr-x", which is unchanged from installation.

pjwelsh
Posts: 2630
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: firewall problems

Post by pjwelsh » 2007/10/18 15:55:17

My first guess is that an selinux issue is causing the problem. If you look at the output of "dmesg" or /var/log/messages there should be a denied message. As root, "restorecon -f /etc/sysconfig/iptables" *may* help depending on what has happened. You *may* need to drop from "enforcing" mode to "permissive" via the "system-config-security".

Edit: or better yet what whatshisname said!

Leftie
Posts: 3
Joined: 2007/10/18 12:58:53

Re: firewall problems

Post by Leftie » 2007/10/18 17:12:43

I tried -rwxr-xr-x first and that did not work.

Setting the system-config-security to permissive did work.

Thanks for all the information. You can't beat the people in this forum.

Thanks again, Leftie

pjwelsh
Posts: 2630
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: firewall problems

Post by pjwelsh » 2007/10/18 19:04:43

Just to make sure you understand, you did not *fix* the problem (an selinux "context" issue), you covered it up *AND* made your system more *insecure*...
For outward facing boxes, restoring the correct context for files and keeping selinux in "enforcing" mode *is* the fix, not reducing security on your box!

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

Re: firewall problems

Post by yyagol » 2007/10/21 06:57:00

if [b]ls -Z /etc/sysconfig/iptables[/b] shows something different from
system_u:object_r:etc_t
then you need to change it (I guess you copied this file from somewhere else rather than running # service iptables save).
You can change it by running:

[code]chcon --reference=/etc/sysconfig/syslog /etc/sysconfig/iptables[/code]
or by running the save command after removing the file; it is always good to save
your rules before doing this:

[code]# iptables-save > blabla.txt
# rm -f /etc/sysconfig/iptables
# service iptables save[/code]

More than that, take a look at /var/log/messages for errors. SELinux writes down every error in this file;
look for avc.
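The check pjwelsh and yyagol describe (compare the label ls -Z reports against the expected etc_t type, then look for avc denials in /var/log/messages before touching enforcing mode) as an added example. This script is not from the thread or from CentOS; the ls -Z line and the syslog excerpt are constructed so it runs offline, and the expected type, hostname, pids and inode numbers are assumptions. On a real CentOS 5 box you would substitute the live ls -Z output and the real log file.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the SELinux type on
# /etc/sysconfig/iptables (should be etc_t after a normal install) and
# summarises AVC denials naming that file from syslog text, so the context
# problem is diagnosed instead of hidden by switching to permissive.

EXPECTED_TYPE="etc_t"   # assumed correct type for files under /etc/sysconfig

# Constructed ls -Z line (CentOS 5 layout: mode user group context path).
LS_Z_LINE='-rw------- root root root:object_r:user_home_t /etc/sysconfig/iptables'

# Constructed syslog excerpt in the shape of kernel AVC messages.
# Hostname, pids, timestamps and inode numbers are made up.
SAMPLE_LOG='Oct 18 15:10:01 box kernel: audit(1192720201.100:41): avc:  denied  { read } for  pid=2310 comm="iptables-restor" name="iptables" dev=sda2 ino=65541 scontext=root:system_r:iptables_t tcontext=root:object_r:user_home_t tclass=file
Oct 18 15:10:01 box kernel: audit(1192720201.101:42): avc:  denied  { getattr } for  pid=2310 comm="iptables-restor" name="iptables" dev=sda2 ino=65541 scontext=root:system_r:iptables_t tcontext=root:object_r:user_home_t tclass=file
Oct 18 15:10:02 box iptables: Applying iptables firewall rules: failed'

# The third colon-separated field of an SELinux context is the type
# (works with or without a trailing MLS level such as :s0).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Context column (4th whitespace-separated field) of an ls -Z line.
context_from_ls_z() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# Exit 0 when the context carries the expected type, 1 otherwise.
context_ok() {
    [ "$(context_type "$1")" = "$EXPECTED_TYPE" ]
}

# Number of AVC denials naming the given file, read from stdin.
# grep -c exits 1 when nothing matches, so keep the "0" it prints.
count_avc_denials() {
    n=$(grep -c "avc: *denied .*name=\"$1\"") || true
    printf '%s\n' "$n"
}

# One "permission tcontext" line per AVC denial naming the file, from stdin.
summarize_avc() {
    grep "avc: *denied .*name=\"$1\"" |
      sed -n 's/.*denied *{ *\([a-z_]*\) *}.*tcontext=\([^ ]*\).*/\1 \2/p'
}

# Diagnosis on the constructed input: report, do not modify anything.
ctx=$(context_from_ls_z "$LS_Z_LINE")
if context_ok "$ctx"; then
    echo "context $ctx looks right; look elsewhere (file mode, dmesg)"
else
    echo "wrong type on /etc/sysconfig/iptables: $(context_type "$ctx") (expected $EXPECTED_TYPE)"
    echo "restore it with: restorecon -v /etc/sysconfig/iptables"
fi
echo "AVC denials naming the file: $(printf '%s\n' "$SAMPLE_LOG" | count_avc_denials iptables)"
printf '%s\n' "$SAMPLE_LOG" | summarize_avc iptables
```

The summary lines pair the denied permission with the target context, which is what tells you the file carries the wrong label (user_home_t here, the typical result of copying the file in from a home directory) rather than a missing policy rule; restorecon or the chcon command above then fixes the label while enforcing mode stays on.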

