LinuxQuestions.org


Peter_APIIT 06-07-2017 07:00 AM

Firewall Rules get restore back original
 
Hi all,

I'm using Fedora 25 and I would like to harden my machine.

I had edited some rules using the iptables command and saved them using the iptables-save command, but after a reboot the firewall rules are restored to their original state. What could be the reason?

Please help.

tshikose 06-07-2017 07:22 AM

Hi,

By default Fedora 25 uses firewalld.
Please share the output of
Code:

systemctl status firewalld iptables
.

dejank 06-07-2017 10:58 AM

You can find the answer here on how to make iptables persistent after reboot for Fedora:

https://fedoraproject.org/wiki/How_t...iptables_rules

Just scroll down to the part where it says how to make changes persistent. Basically, you will use the command iptables-save to dump those rules into a file and iptables-restore to load the rules from that file. The files should be /etc/sysconfig/iptables for IPv4 and /etc/sysconfig/ip6tables for IPv6. Then you should edit the file /etc/sysconfig/iptables-config as described in that link. Also, since firewalld is the default in Fedora, if you want to use iptables instead, you should run with root privs:

Code:

# systemctl disable firewalld

# systemctl stop firewalld


Peter_APIIT 06-07-2017 05:23 PM

Quote:

Originally Posted by tshikose (Post 5720061)
Hi,

By default Fedora 25 uses firewalld.
Please share the output of
Code:

systemctl status firewalld iptables
.

Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Wed 2017-06-07 19:54:19 +08; 10h ago
Docs: man:firewalld(1)
Main PID: 1066 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─1066 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomple

Peter_APIIT 06-07-2017 05:28 PM

Quote:

Originally Posted by dejank (Post 5720154)
You can find the answer here on how to make iptables persistent after reboot for Fedora:

https://fedoraproject.org/wiki/How_t...iptables_rules

Just scroll down to the part where it says how to make changes persistent. Basically, you will use the command iptables-save to dump those rules into a file and iptables-restore to load the rules from that file. The files should be /etc/sysconfig/iptables for IPv4 and /etc/sysconfig/ip6tables for IPv6. Then you should edit the file /etc/sysconfig/iptables-config as described in that link. Also, since firewalld is the default in Fedora, if you want to use iptables instead, you should run with root privs:

Code:

# systemctl disable firewalld

# systemctl stop firewalld


I know how to instruct iptables-save to create a file with the rules, but how do I instruct /etc/sysconfig/iptables-config to read from that file instead? Thanks.

dejank 06-08-2017 02:12 AM

Quote:

I know how to instruct iptables-save to create a file with the rules, but how do I instruct /etc/sysconfig/iptables-config to read from that file instead? Thanks.
It is explained in that link from my post:

Quote:

In the default configuration, stopping or restarting the iptables service will discard the running configuration. This behavior can be changed by setting IPTABLES_SAVE_ON_STOP="yes" or IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If these values are set, the affected files are:

/etc/sysconfig/iptables for IPv4
/etc/sysconfig/ip6tables for IPv6

tshikose 06-08-2017 05:50 AM

Quote:

Originally Posted by Peter_APIIT (Post 5720278)
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Wed 2017-06-07 19:54:19 +08; 10h ago
Docs: man:firewalld(1)
Main PID: 1066 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─1066 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomple

That reminds me that even on RHEL version 5, iptables was not really a service.

But back to the point, it is clear that your system is using firewalld.
Why don't you just implement your rules in firewalld with the firewall-cmd command?

Peter_APIIT 06-09-2017 03:08 AM

Quote:

Originally Posted by dejank (Post 5720384)
It is explained in that link from my post:

I have read it from the link but could not understand. Please explain.

dejank 06-09-2017 04:05 AM

I do not have Fedora here to check it, but it sure looks to me like simple task of adding line, or changing it's value if it already exists:

IPTABLES_SAVE_ON_RESTART="yes"

in your

/etc/sysconfig/iptables-config

file. Can't tell for sure, it is different on Debian and Debian-based distros, I did not use Fedora for a long time. Also, on Debian you have a package called iptables-persistent, which automates persistent saving of iptables across boots. If you can't make that editing thing work, check if there is a package like that on Fedora.
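
As an added example (my own helper, not from the thread and not Fedora's own tooling), here is a POSIX shell snippet that does the edit dejank describes in a safe, repeatable way: it adds a `KEY="value"` line to a sysconfig-style file, or changes the value if the key already exists, without ever producing a duplicate line. It also includes a small format check for an iptables-save dump, so a corrupted or half-written rules file is caught before it is handed to iptables-restore (a firewall that fails to load at boot leaves the host open). The file paths in the demo are constructed stand-ins for /etc/sysconfig/iptables-config and /etc/sysconfig/iptables; on a real system you would run it as root against those paths.

```shell
#!/bin/sh
# Added example: idempotent sysconfig editing plus a sanity check on an
# iptables-save dump. Function names and demo paths are my own (constructed).

# set_sysconfig_option FILE KEY VALUE
# Change an existing KEY=... line in place, or append KEY="VALUE" if absent.
# The file is rewritten via a temp copy so a crash never leaves it truncated.
set_sysconfig_option() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_sysconfig_option FILE KEY
# Print the (unquoted) value of the last KEY=... line, or nothing if unset.
get_sysconfig_option() {
    sed -n "s|^$2=||p" "$1" | tail -n 1 | tr -d '"'
}

# check_rules_dump FILE
# Return 0 if FILE looks like iptables-save output: at least one *table
# header, every table closed by COMMIT, and only chain (:), rule (-A),
# comment (#) or blank lines in between. Return 1 otherwise.
check_rules_dump() {
    awk '
        /^\*/        { if (open) bad = 1; tables++; open = 1; next }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; next }
        /^#/ || /^$/ { next }
        /^:/ || /^-A / { if (!open) bad = 1; next }
                     { bad = 1 }
        END { exit (tables == 0 || open || bad) ? 1 : 0 }
    ' "$1"
}

# Demo on constructed files (stand-ins for the real /etc/sysconfig paths).
demo() {
    dir=$(mktemp -d)
    cfg="$dir/iptables-config"
    printf 'IPTABLES_SAVE_ON_STOP="no"\nIPTABLES_SAVE_ON_RESTART="no"\n' > "$cfg"

    # Run twice to show the edit is idempotent: still exactly one line per key.
    set_sysconfig_option "$cfg" IPTABLES_SAVE_ON_RESTART yes
    set_sysconfig_option "$cfg" IPTABLES_SAVE_ON_RESTART yes
    set_sysconfig_option "$cfg" IPTABLES_SAVE_ON_STOP yes
    echo "--- $cfg ---"; cat "$cfg"

    # A well-formed dump and a truncated one (missing COMMIT).
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$dir/iptables"
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n' > "$dir/iptables.broken"
    for f in "$dir/iptables" "$dir/iptables.broken"; do
        if check_rules_dump "$f"; then echo "OK:  $f"; else echo "BAD: $f"; fi
    done
    rm -rf "$dir"
}

demo
```

The check is deliberately conservative: it only accepts the line kinds iptables-save itself emits, so stray shell text or an unterminated table fails the check. Run it before `iptables-restore < /etc/sysconfig/iptables` (or before enabling the iptables service) so a bad file is noticed while you still have a working session, not after a reboot.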

vincix 06-09-2017 06:27 AM

You cannot use both firewalld and iptables-services at the same time. If you want your firewall to read from /etc/sysconfig/iptables or iptables-config, then you have to disable firewalld first.

iptables-save simply exports your rules into a file. If you want the rules to be persistent, you can write them directly into the cli, for instance, and then run service iptables save (/etc/sysconfig/iptables will be overwritten with the current rules). Or simply write them in /etc/sysconfig/iptables. But these files are not going to be used until you install iptables-services and disable/mask/remove (beforehand) firewalld. Then whenever the iptables service starts, it will read the rules in /etc/sysconfig/iptables.

@dejank I wonder if anyone (including native speakers or especially they) remembers the meaning of the word "its". It's become rather obscure, hasn't it?

dejank 06-09-2017 06:49 AM

Quote:

@dejank I wonder if anyone (including native speakers or especially they) remembers the meaning of the word "its". It's become rather obscure, hasn't it?
Yup, though I still use it, here and there, depending on how my fingers decide. Probably because I'm far from a native English speaker :P

vincix 06-09-2017 06:52 AM

Well, I am not a native speaker either and my English is far from perfect, but I see English-speaking people (lots of native speakers, actually) using "it's" instead of "its" ALL the time :D It doesn't make any sense whatsoever! :)

Peter_APIIT 06-11-2017 10:10 PM

Quote:

Originally Posted by dejank (Post 5720880)
I do not have Fedora here to check it, but it sure looks to me like simple task of adding line, or changing it's value if it already exists:

IPTABLES_SAVE_ON_RESTART="yes"

in your

/etc/sysconfig/iptables-config

file. Can't tell for sure, it is different on Debian and Debian-based distros, I did not use Fedora for a long time. Also, on Debian you have a package called iptables-persistent, which automates persistent saving of iptables across boots. If you can't make that editing thing work, check if there is a package like that on Fedora.

I have enabled it but still cannot resolve it. Please help.

vincix 06-11-2017 11:52 PM

Being that verbose is surely going to attract a lot of help.

tshikose 06-12-2017 01:27 AM

Dear Peter APIT,

I am following up on this thread, and I still wonder why you are not taking my advice from post #7?

What kind of hardening are you trying to achieve on your Fedora 25 system that cannot be achieved with the native firewalld?
