Firewall rules get restored back to original
Hi all,
I"m using Fedora 25 and i would like to harden my machine. I had edit some rules using iptables command and save it using iptables-save command but after reboot, the firewall rules restore to original state. Why could be the reason? Please help. |
Hi,
By default Fedora 25 uses firewalld. Please share the output of:
systemctl status firewalld iptables
You can find the answer on how to make iptables persistent after reboot on Fedora here:
https://fedoraproject.org/wiki/How_t...iptables_rules Just scroll down to the part where it says how to make changes persistent. Basically, you will use the iptables-save command to dump those rules into a file and iptables-restore to load the rules from that file. The files should be /etc/sysconfig/iptables for IPv4 and /etc/sysconfig/ip6tables for IPv6. Then you should edit the file /etc/sysconfig/iptables-config as described in that link. Also, since firewalld is the default in Fedora, if you want to use iptables instead, you should run this with root privs:
# systemctl disable firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
   Active: active (running) since Wed 2017-06-07 19:54:19 +08; 10h ago
     Docs: man:firewalld(1)
 Main PID: 1066 (firewalld)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/firewalld.service
           └─1066 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomple
But back to the point, it is clear that your system is using firewalld. Why don't you just implement your rules in firewalld with the firewall-cmd command?
I do not have Fedora here to check it, but it sure looks to me like a simple task of adding the line, or changing it's value if it already exists:
IPTABLES_SAVE_ON_RESTART="yes" in your /etc/sysconfig/iptables-config file. Can't tell for sure, it is different on Debian and Debian-based distros, and I have not used Fedora for a long time. Also, on Debian you have a package called iptables-persistent, which automates persistent saving of iptables across boots. If you can't make that editing thing work, check if there is a package like that on Fedora.
You cannot use both firewalld and iptables-services at the same time. If you want your firewall to read from /etc/sysconfig/iptables or iptables-config, then you have to disable firewalld first.
iptables-save simply exports your rules into a file. If you want the rules to be persistent, you can write them directly into the cli, for instance, and then run service iptables save (/etc/sysconfig/iptables will be overwritten with the current rules). Or simply write them in /etc/sysconfig/iptables. But these files are not going to be used until you install iptables-services and disable/mask/remove (beforehand) firewalld. Then whenever the iptables service starts, it will read the rules in /etc/sysconfig/iptables. @dejank I wonder if anyone (including native speakers or especially they) remembers the meaning of the word "its". It's become rather obscure, hasn't it?
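As an added example (not code from any post in this thread): a script that performs the switch described above, firewalld off and masked, iptables-services installed, the current rules saved to /etc/sysconfig/iptables, with the iptables-config editing factored into reusable functions. It assumes the Fedora paths named in this thread, that the IPTABLES_SAVE_ON_STOP key sits beside IPTABLES_SAVE_ON_RESTART in iptables-config, and that the `apply` step is run as root on the host.

```bash
#!/bin/bash
# Added example: consolidate iptables persistence on Fedora (iptables-services, not firewalld).
set -u

# set_config_key FILE KEY VALUE: add KEY="VALUE" to a sysconfig-style file,
# or replace the existing assignment so the key appears exactly once.
set_config_key() {
  local file=$1 key=$2 value=$3
  if grep -q "^${key}=" "$file" 2>/dev/null; then
    sed -i "s|^${key}=.*|${key}=\"${value}\"|" "$file"
  else
    printf '%s="%s"\n' "$key" "$value" >> "$file"
  fi
}

# get_config_key FILE KEY: print the value with surrounding quotes stripped,
# empty output if the key is absent.
get_config_key() {
  sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}$|\1|p" "$1" 2>/dev/null | tail -n 1
}

# backend_conflict: succeeds when both firewalld and the iptables service are
# enabled, the state the thread warns against (needs systemctl, so host-only).
backend_conflict() {
  command -v systemctl >/dev/null || return 1
  systemctl is-enabled firewalld >/dev/null 2>&1 &&
    systemctl is-enabled iptables >/dev/null 2>&1
}

# switch_to_iptables_services: the procedure from the thread, run as root.
switch_to_iptables_services() {
  systemctl disable --now firewalld
  systemctl mask firewalld
  dnf -y install iptables-services
  set_config_key /etc/sysconfig/iptables-config IPTABLES_SAVE_ON_STOP yes
  set_config_key /etc/sysconfig/iptables-config IPTABLES_SAVE_ON_RESTART yes
  iptables-save > /etc/sysconfig/iptables
  # Parse the saved ruleset without committing it, so a broken file is caught
  # now rather than at the next boot.
  iptables-restore --test < /etc/sysconfig/iptables
  systemctl enable --now iptables
}

# Only touch the live system when explicitly asked: ./persist.sh apply
if [ "${1:-}" = "apply" ]; then
  switch_to_iptables_services
fi
```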
Well, I am not a native speaker either and my English is far from perfect, but I see English-speaking people (lots of native speakers, actually) using "it's" instead of "its" ALL the time :D It doesn't make any sense whatsoever! :)
Being that verbose is surely going to attract a lot of help.
Dear Peter APIT,
I am following up on this thread, and I still wonder why you are not following my advice from post #7. What kind of hardening are you trying to achieve on your Fedora 25 system that cannot be achieved with the native firewalld?