[SOLVED] during system startup, iptables rules not loaded from /etc/sysconfig/iptables
Hi,
I have a new question regarding iptables. I have a host system which is Linux Red Hat Enterprise 6.4, and I also have KVM installed.... I have an issue with pinging from the KVM guest to the outside network, and I find it somehow relates to iptables on the host side. Whenever the host Linux reboots, I have to manually use the command "service iptables restart" to flush the rules and load them from /etc/sysconfig/iptables; after that I can ping the outside network from the KVM guest.
Right after the Linux reboot, the command "iptables -L" shows:
... snip ....
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.123.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
...snip ...
Looking at /etc/sysconfig/iptables, it shows:
# Enable forward between KVM server and virtual machines
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
So after "service iptables restart", the contents of /etc/sysconfig/iptables are unchanged, and match the "iptables -L" output:
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.123.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
How do I find out which script adds the rules that are not in /etc/sysconfig/iptables?
I made some progress: right after the system startup, I used "iptables -L -v --line":
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
3 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
4 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
6 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
7 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
8 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
9 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
10 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
11 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
12 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
13 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
14 0 0 ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
15 0 0 ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
16 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
17 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
18 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
Lines 6, 7, 8 are wrong; they should be like 14, 15, 16, 17. After the iptables restart, the rules on the FORWARD chain are:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- any virbr0 anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- virbr0 any 192.168.122.0/24 anywhere
3 0 0 ACCEPT all -- virbr0 virbr0 anywhere anywhere
4 0 0 REJECT all -- any virbr0 anywhere anywhere reject-with icmp-port-unreachable
5 0 0 REJECT all -- virbr0 any anywhere anywhere reject-with icmp-port-unreachable
6 155 27917 ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
7 242 55532 ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
8 0 0 ACCEPT all -- virbr1 virbr1 anywhere anywhere
9 0 0 REJECT all -- any virbr1 anywhere anywhere reject-with icmp-port-unreachable
10 0 0 REJECT all -- virbr1 any anywhere anywhere reject-with icmp-port-unreachable
Questions:
1. Why the duplicate rules?
2. In the FORWARD chain before the iptables restart, why are two lines missing before line 6? There should be two lines like this:
ACCEPT all -- any virbr1 anywhere 192.168.123.0/24 state RELATED,ESTABLISHED
ACCEPT all -- virbr1 any 192.168.123.0/24 anywhere
3. Can I add some debug code somewhere to trace the problem?
Found the problem: when I used Virtual Machine Manager to define the network, I chose an ISOLATED network. Of course it didn't work, because libvirtd applied ISOLATED rules in iptables. After the iptables restart, only the default rules are left, and the pings go through. What a silly mistake.
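The two listings in this thread show the real cause is rule order, not the rules themselves: every rule in the post-boot FORWARD chain also exists in /etc/sysconfig/iptables, but libvirtd's ISOLATED set for virbr1 sits first, so a guest's packet hits the "-i virbr1 REJECT" rule before it can reach the "-s 192.168.123.0/24 -i virbr1 ACCEPT" rule loaded from the file. The script below is an added example (not code from the thread or from libvirt) that makes this visible: it parses the FORWARD rules in iptables-save syntax, walks them first-match as the kernel does, reports duplicates (question 1), and lists running rules absent from the saved file (the OP's original question). The two rule sets are reconstructed from the thread's own listings; the guest address 192.168.123.10, the uplink name eth0 and the ping target are constructed assumptions, and the parser understands only the options that appear in the thread.

```python
# Toy first-match evaluator for iptables FORWARD rules in iptables-save syntax.
# Added example; supports only -A, -i, -o, -s, -d, -m state --state, -j, --reject-with.
import ipaddress
import shlex
from collections import Counter

# Rules from /etc/sysconfig/iptables exactly as posted in the thread.
SAVED_FILE = """
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.123.0/24 -o virbr1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.123.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed from rules 1-8 of the thread's post-boot listing: what libvirtd
# inserted on its own, a NAT-style set for virbr0 and an ISOLATED set for virbr1.
LIBVIRT_AT_BOOT = """
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
"""

RUNNING_AT_BOOT = LIBVIRT_AT_BOOT + SAVED_FILE   # rules 1-18 in the thread
RUNNING_AFTER_RESTART = SAVED_FILE               # rules 1-10 after "service iptables restart"


def parse_rule(line):
    """Turn one '-A FORWARD ...' line into its match fields plus target."""
    rule = {"in": None, "out": None, "src": None, "dst": None, "states": None, "target": None}
    toks = shlex.split(line)
    for opt, arg in zip(toks[0::2], toks[1::2]):   # every supported option takes one argument
        if opt in ("-i", "-o"):
            rule["in" if opt == "-i" else "out"] = arg
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        elif opt not in ("-A", "-m", "--reject-with"):  # chain, match module, reject type: no effect on matching
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    return rule


def rule_lines(text):
    return [l.strip() for l in text.splitlines() if l.strip()]


def matches(rule, pkt):
    """Does the rule match the packet? An unset field matches anything."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    return (rule["in"] in (None, pkt["in"])
            and rule["out"] in (None, pkt["out"])
            and (rule["src"] is None or src in rule["src"])
            and (rule["dst"] is None or dst in rule["dst"])
            and (rule["states"] is None or pkt["state"] in rule["states"]))


def verdict(rules_text, pkt, policy="DROP"):
    """First-match walk of the chain: (rule number, target), or (None, policy)."""
    for n, line in enumerate(rule_lines(rules_text), start=1):
        rule = parse_rule(line)
        if matches(rule, pkt):
            return n, rule["target"]
    return None, policy


def duplicate_rules(rules_text):
    """Rules that appear more than once in the chain (question 1 in the thread)."""
    counts = Counter(" ".join(shlex.split(l)) for l in rule_lines(rules_text))
    return [r for r, c in counts.items() if c > 1]


def rules_not_in_file(running_text, saved_text):
    """Running rules that the saved file does not contain (the OP's first question)."""
    saved = {" ".join(shlex.split(l)) for l in rule_lines(saved_text)}
    return [l for l in rule_lines(running_text) if " ".join(shlex.split(l)) not in saved]


if __name__ == "__main__":
    # Constructed packet: a guest on the virbr1 network pinging out through eth0.
    ping_out = {"in": "virbr1", "out": "eth0", "src": "192.168.123.10",
                "dst": "8.8.8.8", "state": "NEW"}
    print("at boot:           ", verdict(RUNNING_AT_BOOT, ping_out))        # (8, 'REJECT')
    print("after restart:     ", verdict(RUNNING_AFTER_RESTART, ping_out))  # (7, 'ACCEPT')
    print("duplicates at boot:", len(duplicate_rules(RUNNING_AT_BOOT)))     # 8
    print("foreign rules:     ", rules_not_in_file(RUNNING_AT_BOOT, SAVED_FILE))  # []
```

The empty "foreign rules" result is the point: a plain set difference between `iptables-save` output and the saved file would have found nothing, because libvirtd's rules for the ISOLATED network are a subset of the file's rules. Only a first-match walk (or the per-rule counters in the thread's second listing, where rule 7 on virbr1 counts 242 packets after the restart and nothing before) shows that the earlier "-i virbr1 REJECT" is what answered the guest's pings.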