LinuxQuestions.org
Old 08-31-2009, 03:24 PM   #1
quasi3
Member
Firewall will not stay disabled after reboot


CentOS 5.2 64bit
2.6.18-92.el5xen

Trying to disable the firewall on a system. The kickstart file used for install had firewall disabled.
Firewall comes up on boot.

Have tried the following commands in several different recommended orders:
chkconfig --del iptables
service iptables save
service iptables stop

Firewall still comes up on reboot.

Have manually deleted /etc/sysconfig/iptables-config
Firewall still comes up on reboot.

If I reboot to runlevel 5 and look at the status of the firewall in the OS gui it says that the firewall is disabled. But, if I check the status from the command line it is up and the software we are testing fails because it needs to be down.

Have used the same kickstart file on a few other servers without this problem however these were 32 bit.

Is there a bug with 64 bit CentOS 5.2 that does not allow you to permanently shut off the firewall?
 
Old 08-31-2009, 03:31 PM   #2
MensaWater
LQ Guru
You shouldn't do "del", you should do "off":

Quote:
--del name
The service is removed from chkconfig management, and any symbolic links in /etc/rc[0-6].d which pertain to it are removed.

Note that future package installs for this service may run chkconfig --add, which will re-add such links. To disable a service, run chkconfig name off.
The Netfilter (iptables) firewall is built into the kernel. You can stop it; however, you'll always see at a minimum the following when you run iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The above output means it is essentially OFF and is NOT your problem because it is not blocking anything.

Have you checked your SELinux setting:
getenforce
This should show Enforcing, Permissive or Disabled. If it is Enforcing you may have a context issue somewhere. You can change enforcement level with the setenforce command.

Also RHEL5/CentOS5 have tcpwrappers built in. You might want to verify you haven't put restrictions in /etc/hosts.allow, /etc/hosts.deny that are causing your problems.

Last edited by MensaWater; 08-31-2009 at 03:32 PM.
 
Old 08-31-2009, 03:47 PM   #3
quasi3
Member
Original Poster
Have tried:
chkconfig iptables off
as well, forgot to include in the list.

getenforce shows disabled.

Nothing in hosts.allow or hosts.deny

Last edited by quasi3; 08-31-2009 at 03:56 PM.
 
Old 08-31-2009, 03:52 PM   #4
MensaWater
LQ Guru
What do you see when you run "iptables -L"?
 
Old 08-31-2009, 04:12 PM   #5
quasi3
Member
Original Poster
Before reboot:
iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After reboot:
iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Last edited by quasi3; 08-31-2009 at 04:14 PM.
 
Old 08-31-2009, 04:35 PM   #6
fordeck
Member
So if you run the following command:

Code:
[root@fs2 ~]# chkconfig --list | grep iptable
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
The above output shows that in runlevels 2-5 iptables is on. If you then run the following command:

Code:
chkconfig iptables off
Then check it again

Code:
[root@fs2 ~]# chkconfig --list | grep iptable
iptables       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
Now, with that change, the next time you boot iptables will not be enabled. Try these steps and let us know after the reboot if iptables is then showing the following:


Code:
[root@fs2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Regards,

Fordeck
 
Old 09-01-2009, 08:08 AM   #7
MensaWater
LQ Guru
Since it's built into the kernel, running the delete might be your issue.

Try running "chkconfig --add iptables" to add it back then run the "chkconfig iptables off" to turn it off in all run levels.
 
Old 09-01-2009, 10:09 AM   #8
quasi3
Member
Original Poster
As it turns out I'm seeing this behavior on some other machines including 32bit CentOS 5.2, so that theory is gone.

fordeck,
Immediately after reboot if I run 'chkconfig --list | grep iptable':

chkconfig --list | grep iptable
iptables 0;off 1;off 2;off 3;off 4;off 5;off 6;off

If I then run 'iptables -L':
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


Then if I run 'chkconfig iptables off' and then 'chkconfig --list | grep iptable'
chkconfig --list | grep iptable
iptables 0;off 1;off 2;off 3;off 4;off 5;off 6;off

I still get the same result when I run 'iptables -L'



jlightner,
I tried "chkconfig --add iptables" and "chkconfig iptables off" with no success.
 
Old 09-01-2009, 11:11 AM   #9
MensaWater
LQ Guru
It does it to me too on my 32 Bit CentOS 5.3 install when I tested just now.

However, I think I know why it did it to me and likely why it did it to you.

I'm running the Xen kernel. (uname -r shows 2.6.18-128.4.1.el5xen). You are running a Xen kernel as well according to your first post.

When I run "xm list" it shows my Dom0 (master domain) there.

In /etc/xen/scripts there are scripts that deal with iptables so I believe it is setting up iptables on the Dom0 to allow for interaction with the Xen guests (which is why you see the local LAN 192.168.x.x stuff in your iptables output).

I guess you could muck around with the scripts to disable this stuff or just live with it. If you don't intend to run Xen guests you could even downgrade to the non-xen kernel.

Last edited by MensaWater; 09-01-2009 at 11:13 AM.
 
Old 09-01-2009, 03:52 PM   #10
quasi3
Member
Original Poster
Xen issue got me on the right track. It was actually libvirtd.

ran:
'yum erase libvirt'

Fixed issue.
Probably could have just disabled it. But had a previous issue with libvirt so don't need it.

Thanks for all your input.

Last edited by quasi3; 09-01-2009 at 03:54 PM.
 
Old 09-01-2009, 04:02 PM   #11
MensaWater
LQ Guru
That's it. Thanks for posting your resolution.

There is a libvirtd service in /etc/init.d.

When I stop iptables and libvirtd, then restart libvirtd (service libvirtd start), it populated iptables, so it is clearly the culprit.

So running "chkconfig libvirtd off" (and chkconfig iptables off) would probably have resolved your issue.
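The two checks the thread converges on, fordeck's "is the iptables service enabled in any runlevel" (post #6) and the "rules are loaded anyway, and they look like libvirtd's default network" finding (posts #10 and #11), written up as a small POSIX shell audit. This is an added example, not code from the thread or from the CentOS/libvirt projects; the sample listings are constructed from the output quoted in posts #5 and #8, the libvirtd row in the chkconfig sample is assumed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): turn the two observations above into
# checks you can run against captured output or, with --live, a real host:
#  1. chkconfig reports iptables off in every runlevel, and
#  2. "iptables -L" nevertheless shows rules after boot, carrying the libvirt
#     default-network signature (192.168.122.0/24, dpt:domain, dpt:bootps).

# Constructed sample of "chkconfig --list" lines (modelled on post #8; the
# libvirtd row is assumed, not taken from the thread).
CHKCONFIG_SAMPLE='iptables        0:off 1:off 2:off 3:off 4:off 5:off 6:off
libvirtd        0:off 1:off 2:off 3:on  4:on  5:on  6:off'

# Constructed sample of "iptables -L" before reboot (post #5): empty chains.
IPTABLES_CLEAN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample of "iptables -L" after reboot (post #5): libvirt rules.
IPTABLES_AFTER='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# enabled_runlevels SERVICE LISTING
# Prints the runlevel digits in which SERVICE is "on" (empty if off everywhere).
enabled_runlevels() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        $1 == svc {
            out = ""
            for (i = 2; i <= NF; i++) if ($i ~ /:on$/) out = out substr($i, 1, 1)
            print out
        }'
}

# rule_count CHAIN LISTING
# Number of rule lines in CHAIN of an "iptables -L" listing (header excluded).
rule_count() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        inchain && $1 == "target" { next }
        inchain && NF == 0 { inchain = 0; next }
        inchain { n++ }
        END { print n + 0 }'
}

# total_rules LISTING: rules across the three filter-table chains.
total_rules() {
    i=$(rule_count INPUT "$1"); f=$(rule_count FORWARD "$1"); o=$(rule_count OUTPUT "$1")
    echo $((i + f + o))
}

# libvirt_signature LISTING
# "yes" if the listing carries the libvirt default-network rules seen in this thread.
libvirt_signature() {
    if printf '%s\n' "$1" | grep -q '192\.168\.122\.0/24' &&
       printf '%s\n' "$1" | grep -q 'dpt:domain' &&
       printf '%s\n' "$1" | grep -q 'dpt:bootps'; then
        echo yes
    else
        echo no
    fi
}

# audit CHKCONFIG_LISTING IPTABLES_LISTING: one line per finding.
audit() {
    rl=$(enabled_runlevels iptables "$1")
    n=$(total_rules "$2")
    echo "iptables service enabled in runlevels: '${rl:-none}'"
    echo "rules currently loaded: $n"
    if [ "$n" -gt 0 ] && [ -z "$rl" ]; then
        echo "rules are loaded although the iptables service is off: another service is adding them"
        if [ "$(libvirt_signature "$2")" = yes ]; then
            echo "rule pattern matches libvirtd's default network; check 'chkconfig --list libvirtd'"
        fi
    fi
}

# Usage: sh audit.sh          (runs against the constructed samples)
#        sh audit.sh --live   (uses chkconfig and iptables on a real host; needs root)
if [ "${1:-}" = "--live" ]; then
    audit "$(chkconfig --list 2>/dev/null)" "$(iptables -L 2>/dev/null)"
else
    audit "$CHKCONFIG_SAMPLE" "$IPTABLES_AFTER"
fi
```

The point of keeping the chkconfig check and the rule count separate is exactly the gap quasi3 hit: the service state answers "will the iptables init script load a ruleset", while the rule count answers "is anything filtering right now", and a second service (here libvirtd) can make the two disagree. The signature test is deliberately narrow, so a match points at libvirt's default network rather than at arbitrary rules.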
 
Old 09-01-2009, 05:25 PM   #12
jefro
Moderator
Why would you turn off firewall?
 
Old 09-01-2009, 10:40 PM   #13
quasi3
Member
Original Poster
Jefro,
I work in R&D for a telecom company. We do a lot of load tests with several different protocols and different third party telecom software. We often run into problems with firewalls on the servers. In this particular issue we would not start experiencing errors until quite some time into a load test, which makes it problematic to troubleshoot the firewall issue. All of our servers are behind a hardware firewall anyway, so the easiest thing for us to do is to just disable the software firewall on our test boxes.
All times are GMT -5.