My changes in /etc/sysconfig/iptables are overwritten by an unknown process
Hi,
Could someone shed some light here? I stopped the iptables service, then edited /etc/sysconfig/iptables, commented out some rules in filter's FORWARD and nat's POSTROUTING, saved the file, then started the iptables service. After I reopened the iptables file, I found it had mysteriously been overwritten. It seems I'm not allowed to make changes to this file. Thanks in advance. By the way, I'm using RHEL 6.2 + KVM. Dan
Hello,
You can put a watch on your /etc/sysconfig/iptables file using the auditctl command:
Code:
auditctl -w /etc/sysconfig/iptables -p w -k iptables-key
To see which process edited the file:
Code:
ausearch -k iptables-key
Thanks
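The raw `ausearch -k iptables-key` output above is several lines per event, and the process that actually wrote the file is in the SYSCALL record (comm/exe/pid/ppid). The following is an added example, not code from any poster in this thread: a small sh/awk filter that pulls those fields out of ausearch output for a given key, run here over a constructed sample record rather than a live audit log.

```shell
# Constructed sample of raw `ausearch -k iptables-key` output (not real audit
# data): one file-open event on /etc/sysconfig/iptables by a cp process.
SAMPLE_AUDIT='----
time->Fri Apr  5 21:30:04 2013
type=PATH msg=audit(1365215404.311:912): item=1 name="/etc/sysconfig/iptables" inode=131331 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_conf_t:s0
type=PATH msg=audit(1365215404.311:912): item=0 name="/etc/sysconfig/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(1365215404.311:912):  cwd="/"
type=SYSCALL msg=audit(1365215404.311:912): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1c2e3f40 a1=241 a2=1a4 a3=0 items=2 ppid=2345 pid=2350 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cp" exe="/bin/cp" subj=system_u:system_r:iptables_t:s0 key="iptables-key"'

# audit_writers KEY: read raw ausearch output on stdin and print, for every
# SYSCALL record tagged with KEY, the event time plus pid/ppid/comm/exe.
# The ppid is what leads from the immediate writer (here cp) back to the
# script or service that spawned it.
audit_writers() {
  awk -v key="$1" '
    /^time->/ { ts = substr($0, 7); next }        # time-> header precedes each event
    /^type=SYSCALL/ {
      pid = ppid = comm = exe = k = ""
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) {
        eq = index(f[i], "=")
        if (eq == 0) continue
        name = substr(f[i], 1, eq - 1)
        val  = substr(f[i], eq + 1)
        gsub(/"/, "", val)                         # strip quotes around comm/exe/key
        if (name == "pid")  pid  = val
        if (name == "ppid") ppid = val
        if (name == "comm") comm = val
        if (name == "exe")  exe  = val
        if (name == "key")  k    = val
      }
      if (k == key) printf "%s pid=%s ppid=%s comm=%s exe=%s\n", ts, pid, ppid, comm, exe
    }'
}

# Run on the constructed sample; on a live box pipe `ausearch -k iptables-key`
# into audit_writers instead.
printf '%s\n' "$SAMPLE_AUDIT" | audit_writers iptables-key
```

Once you have the pid and ppid, `ps -o pid,ppid,cmd` (or the audit record of the parent) tells you which init script or service ran the cp.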
Did you notice right at the top of the file:
No, there is no such comment at the top of the file,
only #GENERATED BY Modular IPTABLES Config
Thank you... I still don't get it. Which process updated it?
Quote:
Code:
time->Fri Apr 5 21:30:04 2013
Quote:
Code:
grep ^IPTABLES_SAVE_ON /etc/sysconfig/iptables-config
Quote:
Code:
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
OK, then try editing a copy of /etc/sysconfig/iptables (save as, say, /etc/sysconfig/iptables.new), then
Code:
cat /etc/sysconfig/iptables.new | iptables-restore -cvt
Code:
cat /etc/sysconfig/iptables.new > /etc/sysconfig/iptables
OK. You could try forcing an error this way: add your rules to /etc/sysconfig/iptables, save, close the file. Now
Code:
chattr +iu /etc/sysconfig/iptables
Quote:
BTW, by any chance can you tell what kind of process/service guards the iptables? I see "cp" in the auditctl output.
As unSpawn implied, it'll cause the offending process(es) to fail and (hopefully) log the error.
Then you can figure out what's going on. The 'cp' cmd is likely the offending overwrite cmd.
Quote:
Thank you all.
A long time ago I started putting my own firewall setup in /etc/sysconfig/iptables.custom and changing the "IPTABLES_DATA=" line in /etc/sysconfig/iptables-config to point to that file. That way, any inadvertently run program that tries to set up a firewall can do whatever it likes to /etc/sysconfig/iptables, and it will have no effect at all.