chkconfig iptables rhel 5.6

skjelmose · 01-30-2012, 06:34 AM

Code:

Hi there,

I have a few servers where I want iptables to be disablet. But everytime the server boots iptables are startet!

[root@redhat ~]# chkconfig iptables --list
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off

I tried the following without any luck:

chkconfig iptables off
chkconfig --level 2345 iptables off

acid_kewpie · 01-30-2012, 06:43 AM

in what way are they started? What does a "service iptables status" say? if there is no symlink in /etc/rc3.d/ (if you're on runlevel 3) to the iptables service script, then someone on your system has done something abnormal to make it run, IF it is running.

skjelmose · 01-30-2012, 06:49 AM

Hi Chris,

[root@redhat]# runlevel
N 5
[root@redhat]# ls -lrt /etc/rc5.d/ |grep iptables
lrwxrwxrwx 1 root root 18 Aug 8 11:04 K92iptables -> ../init.d/iptables

So there is a link in current runlevel - Should I remove it? isnt that the point of chkconfig?

acid_kewpie · 01-30-2012, 07:12 AM

S?? = Start
K?? = Kill

So it is NOT being started on boot. So either something else we can't really speculate on, is happening... er... something in /etc/rc.local maybe?? OR you're maybe not correct in saying the service is starting. Why do you think it is starting?

skjelmose · 01-30-2012, 07:38 AM

Code:

well im pretty clueless - just tried to reboot again.


[root@redhat rc5.d]# service iptables status
Firewall is stopped.


[root@redhat rc5.d]# chkconfig iptables --list
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off


[root@redhat rc5.d]shutdown -r now


After reboot

[root@redhat ~]# /etc/init.d/iptables status

and yes it was started....

[root@redhat ~]# uptime
 14:32:33 up 2 min


nothing in rc.local or inittab containing iptables

acid_kewpie · 01-30-2012, 07:52 AM

Note that the iptables is NOT a service. What that service you're turning on and off is actually a distribution specific configuration wrapper for configuring iptables. starting it will flush out any existing rules and then add all rules defined in /etc/sysconfig/iptables. The netfilter modules which the iptables command interfaces with are not anything to do with this "service" version.

So when the service is still stopped, you may well still have rules in there, and "iptables -vnL" should always work unless you actually unload the netfilter modules, which you should have no reason to do.

skjelmose · 01-30-2012, 08:02 AM

Hi acid_kewpie,

So if I want to STOP iptables from starting on system boot so I dont get http Error:

Could not connect to server 10.145.5.xxx as xxxpre. port . Can't connect to MySQL server on '10.145.5.xxx' (113)

What should I do?

I am able to stop iptables after boot but I really dont want to do that after every system restart :-)

Tried to add mysql to iptables (without success)

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT

Above command didnt work - perhaps syntact error?

acid_kewpie · 01-30-2012, 08:29 AM

You'll probably have an explicit drop / reject at the bottom of the chain, so adding an Accept after it will not achieve anything.

So run "iptables -vnL", do the rules match up with /etc/sysconfig/iptables? (or is it iptables-save?) If possible, I would certainly suggest just improving the rulebase to permit the connection whilst remaining secure, but I've naturally no idea if you're running a good rulebase in the first place to fully advocate adding it in or not.

In terms of advising how to most easily add the new rule in, I would suggest editing that config file directly and restarting the iptables service. It is possible to use something like "service iptables save" to write the config file, but in terms of describing it here, it's much vaguer.