iptables/pidora

timl · 06-11-2013, 12:01 AM

Hi, I have noticed that my iptables rules are lost whenever I reboot my Pi. Maybe this is because I do a iptables-save but not an iptables-restore after a reboot.

So I did an iptables-save to the file /etc/sysconfig/iptab.config. I was a bit concerned when I dumped the contents of this file. Lots of rules in there I was not aware of. If you take port 631 which I think is TCP related, I have never added a rule which is borne out by the "iptables -L" command. However, when I look in iptab.config I see this port in 3 places.

Quote:

[root@pihat Downloads]# iptables -L | grep 631
[root@pihat Downloads]# cat /etc/sysconfig/iptab.config | grep 631
-A IN_ZONE_home_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
[root@pihat Downloads]#

So I am a bit concerned that rules I didn't define are in a file I propose to use for "iptables-restore"

Can someone pls confirm then

Define Iptables rules
iptables-save > filename
reboot
iptables-restore < filename

is that about it?

Thanks

macemoneta · 06-11-2013, 07:42 AM

There should be no reason to save / restore the iptables configuration; it is kept in /etc/sysconfig/iptables which is reloaded when the iptables service starts.

Make sure you are configuring the firewall correctly, per the documentation. Also, make sure the firewall is set to start on boot:

Code:

sudo systemctl enable iptables.service
sudo systemctl start iptables.service

timl · 06-13-2013, 04:29 PM

I had a read through the doco you provided but I think my problem is more fundamental. I have just rebooted and these are the first commands I type:

Quote:

[tim@pihat ~]$ ps -ax | grep iptables
773 pts/0 S+ 0:00 grep --color=auto iptables
[tim@pihat ~]$ su
Password:
[root@pihat tim]# iptables -L | grep 413
[root@pihat tim]# /sbin/iptables -I INPUT -p tcp --destination-port 51413 -j ACCEPT
[root@pihat tim]# /sbin/iptables -I INPUT -p udp --destination-port 51413 -j ACCEPT
[root@pihat tim]# service iptables restartRedirecting to /bin/systemctl restart iptables.service
[root@pihat tim]# iptables -L | grep 413ACCEPT tcp -- anywhere anywhere tcp dpt:51413
ACCEPT udp -- anywhere anywhere udp dpt:51413
[root@pihat tim]#

Now I reboot and this is what I see:

Quote:

[tim@pihat ~]$ ps -ax | grep iptables
773 pts/0 S+ 0:00 grep --color=auto iptables
[tim@pihat ~]$ iptables -L | grep 413
iptables v1.4.16.2: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
[tim@pihat ~]$ sudo iptables -L | grep 413
[sudo] password for tim:
[tim@pihat ~]$

So iptables is up and running after a reboot. My rules are not present.

I enter my rules, check they are present and restart iptables
reboot
the rules have disappeared
reenter rules
reboot
the rules have disappeared

This is what I have always done in Fedora/Centos but rules don't disappear!So I am wondering whether this is a Pi quirk!

leoboulton · 07-19-2013, 02:17 PM

I ran into the same issue with my pidora. I realized that Pidora (because it is a "recent" fedora distro) runs firewalld for security handling, as well. And it appears as it overwrites or preempts iptables at boot time.
For normal iptables, edits and add entries must be saved /etc/sysconfig/iptables file, via the save command

Quote:

/sbin/service iptables save

/sbin/service iptables save
You'll see that the file is created and edited; but after reboot it isn't getting the changes either.

Check firewalld and firewall-cmd... to see if it's enabled do:

Code:

[root@pi ~]# systemctl status firewalld.service 
firewalld.service - firewalld - dynamic firewall daemon
          Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
          Active: active (running) since Fri, 2013-05-17 14:48:00 EDT; 2 months and 2 days ago
        Main PID: 133 (firewalld)
          CGroup: name=systemd:/system/firewalld.service
                  └ 133 /usr/bin/python /usr/sbin/firewalld --nofork

To show which services/ports are enabled via firewalld use

Code:

[root@pi ~]# firewall-cmd --list-services
mdns dhcpv6-client ssh
[root@pi ~]#

An example to permanently accept http and https sessions thru the "Public" zone (which in my case is eth0), you have to run:

Code:

[root@pi ~]# firewall-cmd --zone=public --add-service=https --permanent
[root@pi ~]# firewall-cmd --zone=public --add-service=http --permanent

See if that helps, it worked for me.