LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 08-11-2007, 12:19 AM   #1
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Rep: Reputation: 0
iptables starts with zero rules?


HELP!!??

So I have a situation where upon system boot my iptables rules are not being loaded at all. I am using FC6 and use the default /etc/sysconfig/iptables file to store my rules. I have chkconfig set to load iptables at init 3 (my default run level). Iptables DOES start, however no rules are populated.

This only happens when I include domain names in the /etc/sysconfig/iptables file, i.e.:

-A INPUT -s DOMAIN.COM -p tcp -m multiport --dport 22,993 -j ACCEPT

BUT, if instead of domain.com I use an IP address, then all the rules are loaded properly, versus none at all when I use a domain name.

Does IPTABLES not support using domain names in the ruleset, or is there a way to make this work? Also, I can just do a "service iptables restart" and everything works fine. It just doesn't work on boot!!?!!!
 
Old 08-11-2007, 02:03 AM   #2
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Rep: Reputation: 31
I don't know why this thing with domains is messing it all.

However, I know a solution for your problem. You can build a shell script and put it into your /etc/init.d/.


This link might be helpful:

http://wiki.linuxquestions.org/wiki/..._a_gateway/nat


Please let us know if your problem is now solved (or not).
 
Old 08-11-2007, 02:14 AM   #3
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for the quick response! Well, I went ahead and placed a line in my /etc/rc.local like such:
/sbin/service iptables restart

This works fine, but it's a hack and shouldn't have to be done. Plus, if my server reboots it is unprotected till this service restart is performed. Not really an issue since it happens so quickly. However, it is a bad security practice to start the network and have all the services listening before applying my firewall.

I think iptables is being loaded before name resolution works and this is causing it to kinda fail. It just doesn't seem like this problem should exist.
 
Old 08-11-2007, 02:47 AM   #4
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Rep: Reputation: 31
rc.local is always the last script to be loaded at boot.


If you want your iptables rules to start before the services, you can do exactly what I said: build a proper script with firewall rules inside. It works very well for me.
 
Old 08-11-2007, 03:38 AM   #5
basileus
Member
 
Registered: Nov 2004
Location: Turku, Finland
Distribution: Debian, Ubuntu, Gentoo
Posts: 388

Rep: Reputation: 30
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
 
Old 08-11-2007, 04:31 AM   #6
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by basileus
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
Cool, good call. This worked perfectly; I rebooted and voila. I guess with FQDNs in the ruleset the network script needs to load so they can be resolved. Placing it directly after the network script is as good a solution as virtually possible!

cd /etc/rc.d/rc3.d/
mv S08iptables S11iptables

lrwxrwxrwx 1 root root 17 Apr 24 23:25 S10network -> ../init.d/network
lrwxrwxrwx 1 root root 21 Apr 10 18:48 S10restorecond -> ../init.d/restorecond
lrwxrwxrwx 1 root root 18 May 8 19:52 S11iptables -> ../init.d/iptables
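A quick way to audit the ordering that results from renaming links like this, as an added example that is not from the thread or from Fedora's own init scripts: a POSIX sh function that looks in a SysV rcN.d directory and reports whether the iptables start link sorts before the network start link. init runs the S* links in collation order, so the comparison is plain string order on the link names. It assumes link names of the form shown above (S08iptables, S10network); the directory path is the caller's.

```shell
#!/bin/sh
# Added example, not from the thread. Report whether the firewall start link in a
# SysV rcN.d directory runs before the network start link.
# Usage: check_fw_order /etc/rc.d/rc3.d
# Exit status: 0 = firewall first, 1 = network first, 2 = a link is missing.
check_fw_order() {
    dir=$1
    # first matching start link for each service (head keeps the pipeline's exit status at 0)
    fw=$(ls "$dir" | grep '^S[0-9][0-9]iptables$' | head -n 1)
    net=$(ls "$dir" | grep '^S[0-9][0-9]network$' | head -n 1)
    if [ -z "$fw" ] || [ -z "$net" ]; then
        echo "$dir: iptables or network start link missing" >&2
        return 2
    fi
    # expr compares non-numeric strings lexically, which is the order init uses
    if expr "$fw" \< "$net" > /dev/null; then
        echo "ok: $fw runs before $net; interfaces come up behind the firewall"
        return 0
    fi
    echo "warning: $fw runs after $net; services may be reachable before rules load"
    return 1
}
```

Run it against /etc/rc.d/rc3.d (or whichever runlevel directory is the default) after any relinking; a non-zero status means there is a window during boot in which the interfaces are up without rules.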
 
Old 08-15-2007, 07:02 AM   #7
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
There is a reason that iptables starts before bringing the network up: to allow no chance for your box to be cracked through the network while it's unprotected.

A better plan, if you must add rules after the net interface is brought up, is to split the iptables rules into 2 scripts: one that runs before /init.d/network, & another that runs after. You should at least replace S08iptables w/ a link to a new (very simple) script that locks down the box during the process of getting the network up. Google on "Oskar Andreasson" to find a really good iptables tutorial.
 
Old 08-15-2007, 07:53 AM   #8
odedm
LQ Newbie
 
Registered: May 2007
Posts: 4

Rep: Reputation: 0
Network

A few months ago I bumped into this mail:
http://lists.centos.org/pipermail/ce...ly/066819.html

Oded.
All times are GMT -5.