[SOLVED] Firewall will not stay disabled after reboot
Trying to disable the firewall on a system. The kickstart file used for install had firewall disabled.
Firewall comes up on boot.
Have tried the following commands in several different recommended orders:
chkconfig --del iptables
service iptables save
service iptables stop
Firewall still comes up on reboot.
Have manually deleted /etc/sysconfig/iptables-config
Firewall still comes up on reboot.
If I reboot to runlevel 5 and look at the status of the firewall in the OS GUI, it says that the firewall is disabled. But if I check the status from the command line, it is up, and the software we are testing fails because it needs to be down.
Have used the same kickstart file on a few other servers without this problem however these were 32 bit.
Is there a bug with 64 bit CentOS 5.2 that does not allow you to permanently shut off the firewall?
--del name
The service is removed from chkconfig management, and any symbolic links in /etc/rc[0-6].d which pertain to it are removed. Note that future package installs for this service may run chkconfig --add, which will re-add such links. To disable a service, run chkconfig name off.
The Netfilter (iptables) firewall is built into the kernel. You can stop it; however, you'll always see at a minimum the following when you run iptables -L:
The above output means it is essentially OFF and is NOT your problem because it is not blocking anything.
Have you checked your SELinux setting:
getenforce
This should show Enforcing, Permissive or Disabled. If it is Enforcing you may have a context issue somewhere. You can change enforcement level with the setenforce command.
Also RHEL5/CentOS5 have tcpwrappers built in. You might want to verify you haven't put restrictions in /etc/hosts.allow, /etc/hosts.deny that are causing your problems.
Last edited by MensaWater; 08-31-2009 at 03:32 PM.
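A scripted version of the check MensaWater describes above (a chain listing that is "essentially OFF" because every built-in chain has policy ACCEPT and carries no rules), added here as an example and not code from the thread. It parses saved `iptables -L -n` output passed in as a string, so it runs offline; both sample rulesets below are constructed, the second in the shape of a CentOS 5 default ruleset.

```shell
#!/bin/sh
# Print one line per chain from `iptables -L -n` text: "<chain> <policy|user> <rule count>".
# Built-in chains show their policy; user-defined chains (e.g. "(2 references)") show "user".
fw_chain_summary() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0
            policy = ($3 == "(policy") ? substr($4, 1, length($4) - 1) : "user"
            next
        }
        /^target +prot +opt/ { next }          # column header line, not a rule
        NF > 0 && chain != "" { rules++ }      # any other non-blank line is a rule
        END { if (chain != "") print chain, policy, rules }
    '
}

# Exit 0 when the ruleset is effectively off: no chain has a drop/reject policy
# and no chain contains a rule. Exit 1 otherwise.
fw_effectively_off() {
    fw_chain_summary "$1" | awk '
        $2 != "ACCEPT" && $2 != "user" { bad = 1 }
        $3 > 0 { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: what an unloaded/stopped iptables shows.
EMPTY_RULESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: policies are ACCEPT, yet rules are loaded (firewall is active).
ACTIVE_RULESET='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

fw_chain_summary "$ACTIVE_RULESET"
fw_effectively_off "$ACTIVE_RULESET" && echo "firewall effectively off" || echo "firewall has rules loaded"
```

On a live box, feed the real listing with `fw_effectively_off "$(iptables -L -n)"`; a non-zero exit with ACCEPT policies means something (a service script, not the policy) is loading rules after boot.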
Now with that change the next time you boot, iptables will not be enabled. Try these steps and let us know after the reboot if iptables is then showing the following:
Then if I run 'chkconfig iptables off' and then 'chkconfig --list | grep iptable'
chkconfig --list | grep iptable
iptables 0;off 1;off 2;off 3;off 4;off 5;off 6;off
I still get the same result when I run 'iptables -L'
jlightner,
I tried "chkconfig --add iptables" and "chkconfig iptables off" with no success.
It does it to me too on my 32 Bit CentOS 5.3 install when I tested just now.
However, I think I know why it did it to me and likely why it did it to you.
I'm running the Xen kernel. (uname -r shows 2.6.18-128.4.1.el5xen). You are running a Xen kernel as well according to your first post.
When I run "xm list" it shows my Dom0 (master domain) there.
In /etc/xen/scripts there are scripts that deal with iptables so I believe it is setting up iptables on the Dom0 to allow for interaction with the Xen guests (which is why you see the local LAN 192.168.x.x stuff in your iptables output).
I guess you could muck around with the scripts to disable this stuff or just live with it. If you don't intend to run Xen guests you could even downgrade to the non-xen kernel.
Last edited by MensaWater; 09-01-2009 at 11:13 AM.
Jefro,
I work in R&D for a telecom company. We do a lot of load tests with several different protocols and different third party telecom software. We often run into problems with firewalls on the servers. In this particular issue we would not start experiencing errors until quite some time in to a load test which makes it problematic to troubleshoot the firewall issue. All of our servers are behind a hardware firewall anyway so the easiest thing for us to do is to just disable the software firewall on our test boxes.