LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-07-2017, 08:00 AM   #1
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 582

Rep: Reputation: 31
Firewall Rules get restored back to original


Hi all,

I'm using Fedora 25 and I would like to harden my machine.

I have edited some rules using the iptables command and saved them using the iptables-save command, but after a reboot the firewall rules are restored to their original state. What could be the reason?

Please help.
 
Old 06-07-2017, 08:22 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 477

Rep: Reputation: 91
Hi,

By default Fedora 25 uses firewalld.
Please share the output of
Code:
systemctl status firewalld iptables
.
 
Old 06-07-2017, 11:58 AM   #3
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
You can find the answer on how to make iptables rules persistent after a reboot on Fedora here:

https://fedoraproject.org/wiki/How_t...iptables_rules

Just scroll down to the part where it says how to make changes persistent. Basically, you will use the iptables-save command to dump those rules into a file and iptables-restore to load the rules from that file. The files should be /etc/sysconfig/iptables for IPv4 and /etc/sysconfig/ip6tables for IPv6. Then you should edit the file /etc/sysconfig/iptables-config as described in that link. Also, since firewalld is the default in Fedora, if you want to use iptables instead, you should run, with root privileges:

Code:
# systemctl disable firewalld

# systemctl stop firewalld
 
Old 06-07-2017, 06:23 PM   #4
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 582

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by tshikose
Hi,

By default Fedora 25 uses firewalld.
Please share the output of
Code:
systemctl status firewalld iptables
.
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Wed 2017-06-07 19:54:19 +08; 10h ago
Docs: man:firewalld(1)
Main PID: 1066 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─1066 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomple
 
Old 06-07-2017, 06:28 PM   #5
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 582

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by dejank
You can find here answer how to make iptables persistent after reboot for fedora:

https://fedoraproject.org/wiki/How_t...iptables_rules

Just scroll down to the part where it says how to make changes persistent. Basically, you will use command iptables-save to dump those rules into file and iptables-restore to load rules from that file. Files should be /etc/sysconfig/iptables for IPv4 and /etc/sysconfig/ip6tables for IPv6. Then you should edit file /etc/sysconfig/iptables-config as described in that link. Also, since firewalld is default in fedora, if you want to use iptables instead, you should use with root privs:

Code:
# systemctl disable firewalld

# systemctl stop firewalld
I know how to instruct iptables-save to create a file with the rules, but how do I instruct /etc/sysconfig/iptables-config to read from that file instead? Thanks.
 
Old 06-08-2017, 03:12 AM   #6
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
I know how to instruct iptables-save create a file with rule but how to instruct /etc/sysconfig/iptables-config read from file instead. Thanks.
It is explained in that link from my post:

Quote:
In the default configuration, stopping or restarting the iptables service will discard the running configuration. This behavior can be changed by setting IPTABLES_SAVE_ON_STOP="yes" or IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If these values are set, the affected files are:

/etc/sysconfig/iptables

for IPv4

/etc/sysconfig/ip6tables

for IPv6
 
Old 06-08-2017, 06:50 AM   #7
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 477

Rep: Reputation: 91
Quote:
Originally Posted by Peter_APIIT
Unit iptables.service could not be found.
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Wed 2017-06-07 19:54:19 +08; 10h ago
Docs: man:firewalld(1)
Main PID: 1066 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─1066 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Warning: Journal has been rotated since unit was started. Log output is incomple
That reminds me that even on RHEL version 5, iptables was not really a service.

But back to the point, it is clear that your system is using firewalld.
Why don't you just implement your rules in firewalld with the firewall-cmd command?
 
Old 06-09-2017, 04:08 AM   #8
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 582

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by dejank
It is explained in that link from my post:
I have read it from the link but could not understand. Please explain.
 
Old 06-09-2017, 05:05 AM   #9
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
I do not have Fedora here to check it, but it sure looks to me like a simple task of adding the line, or changing it's value if it already exists:

IPTABLES_SAVE_ON_RESTART="yes"

in your

/etc/sysconfig/iptables-config

file. I can't tell for sure; it is different on Debian and Debian-based distros, and I have not used Fedora for a long time. Also, on Debian you have a package called iptables-persistent, which automates saving iptables rules persistently across boots. If you can't make that editing work, check if there is a package like that on Fedora.
 
Old 06-09-2017, 07:27 AM   #10
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,033

Rep: Reputation: 76
You cannot use both firewalld and iptables-services at the same time. If you want your firewall to read from /etc/sysconfig/iptables or iptables-config, then you have to disable firewalld first.

iptables-save simply exports your rules into a file. If you want the rules to be persistent, you can write them directly on the CLI, for instance, and then run service iptables save (/etc/sysconfig/iptables will be overwritten with the current rules). Or simply write them in /etc/sysconfig/iptables. But these files are not going to be used until you install iptables-services and disable/mask/remove firewalld (beforehand). Then, whenever the iptables service starts, it will read the rules from /etc/sysconfig/iptables.

@dejank I wonder if anyone (including native speakers or especially they) remembers the meaning of the word "its". It's become rather obscure, hasn't it?

Last edited by vincix; 06-09-2017 at 07:57 AM.
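Putting posts #3, #6 and #10 together, here is an added example (not from any poster in this thread) of switching a Fedora box from firewalld to iptables-services so that /etc/sysconfig/iptables is loaded at boot. set_kv and get_kv are hypothetical helpers for editing /etc/sysconfig/iptables-config; the apply step assumes root and the package name iptables-services from post #10.

```shell
# Added example: make iptables rules survive a reboot on Fedora by handing the
# ruleset to iptables-services instead of firewalld (posts #3, #6, #10).
# The helpers only edit text and can be exercised on any file; apply() needs root.
set -eu

# Set KEY="VALUE" in a sysconfig-style file, replacing an existing KEY= line
# or appending one. Args: file key value.
set_kv() {
    f=$1; k=$2; v=$3
    if grep -q "^${k}=" "$f" 2>/dev/null; then
        sed -i "s|^${k}=.*|${k}=\"${v}\"|" "$f"
    else
        printf '%s="%s"\n' "$k" "$v" >> "$f"
    fi
}

# Print the value of KEY from a sysconfig file (surrounding quotes stripped),
# or nothing if it is not set. Args: file key.
get_kv() {
    sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$|\1|p" "$1" | tail -n 1
}

# The switch-over itself. Only run when the script is invoked with "apply".
apply() {
    cfg=/etc/sysconfig/iptables-config
    # 1. firewalld and iptables-services must not both own the ruleset (post #10).
    systemctl disable --now firewalld
    systemctl mask firewalld
    # 2. iptables.service is shipped by this package (post #4 shows it missing).
    dnf -y install iptables-services
    # 3. Dump the running rules where iptables.service loads them from (post #3).
    iptables-save  > /etc/sysconfig/iptables
    ip6tables-save > /etc/sysconfig/ip6tables
    # 4. Have stop/restart write the running rules back (wiki text quoted in post #6).
    set_kv "$cfg" IPTABLES_SAVE_ON_STOP yes
    set_kv "$cfg" IPTABLES_SAVE_ON_RESTART yes
    # 5. Load the saved files at every boot, then show what is active.
    systemctl enable --now iptables ip6tables
    iptables -S
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

After a reboot, `iptables -S` should list the rules saved in /etc/sysconfig/iptables; if firewalld is still active, it will own the ruleset and the saved file is ignored.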
 
Old 06-09-2017, 07:49 AM   #11
dejank
Member
 
Registered: May 2016
Location: Belgrade, Serbia
Distribution: Debian
Posts: 229

Rep: Reputation: Disabled
Quote:
@dejank I wonder if anyone (including native speakers or especially they) remembers the meaning of the word "its". It's become rather obscure, hasn't it?
Yup, though I still use it here and there, depending on how my fingers decide. Probably because I'm far from a native English speaker :P
 
Old 06-09-2017, 07:52 AM   #12
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,033

Rep: Reputation: 76
Well, I am not a native speaker either and my English is far from perfect, but I see English-speaking people (lots of native speakers, actually) using "it's" instead of "its" ALL the time. It doesn't make any sense whatsoever!
 
Old 06-11-2017, 11:10 PM   #13
Peter_APIIT
Member
 
Registered: Dec 2006
Posts: 582

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by dejank
I do not have Fedora here to check it, but it sure looks to me like a simple task of adding the line, or changing it's value if it already exists:

IPTABLES_SAVE_ON_RESTART="yes"

in your

/etc/sysconfig/iptables-config

file. I can't tell for sure; it is different on Debian and Debian-based distros, and I have not used Fedora for a long time. Also, on Debian you have a package called iptables-persistent, which automates saving iptables rules persistently across boots. If you can't make that editing work, check if there is a package like that on Fedora.
I have enabled it but still cannot resolve it. Please help.
 
Old 06-12-2017, 12:52 AM   #14
vincix
Senior Member
 
Registered: Feb 2011
Distribution: Ubuntu, Centos
Posts: 1,033

Rep: Reputation: 76
Being that verbose is surely going to attract a lot of help.
 
Old 06-12-2017, 02:27 AM   #15
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 477

Rep: Reputation: 91
Dear Peter_APIIT,

I am following this thread, and I still wonder why you are not following my advice from post #7?

What kind of hardening are you trying to achieve on your Fedora 25 system that cannot be achieved with the native firewalld?
 