Firewall will not stay disabled after reboot
Linux - Software forum, LinuxQuestions.org

#1 | 08-31-2009, 03:24 PM | Member | Registered: Mar 2006 | Posts: 41
CentOS 5.2 64bit
2.6.18-92.el5xen
Trying to disable the firewall on a system. The kickstart file used for install had firewall disabled.
Firewall comes up on boot.
Have tried the following commands in several different recommended orders:
chkconfig --del iptables
service iptables save
service iptables stop
Firewall still comes up on reboot.
Have manually deleted /etc/sysconfig/iptables-config
Firewall still comes up on reboot.
If I reboot to runlevel 5 and look at the status of the firewall in the OS GUI it says that the firewall is disabled. But if I check the status from the command line it is up, and the software we are testing fails because it needs to be down.
Have used the same kickstart file on a few other servers without this problem however these were 32 bit.
Is there a bug with 64 bit CentOS 5.2 that does not allow you to permanently shut off the firewall?
#2 | 08-31-2009, 03:31 PM | LQ Guru | Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
You shouldn't do "del"; you should do "off":
Quote:
--del name
The service is removed from chkconfig management, and any symbolic links in /etc/rc[0-6].d which pertain to it are removed. Note that future package installs for this service may run chkconfig --add, which will re-add such links. To disable a service, run chkconfig name off.
The Netfilter (iptables) firewall is built into the kernel. You can stop it; however, you'll always see at a minimum the following when you run iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
The above output means it is essentially OFF and is NOT your problem because it is not blocking anything.
Have you checked your SELinux setting:
getenforce
This should show Enforcing, Permissive or Disabled. If it is Enforcing you may have a context issue somewhere. You can change enforcement level with the setenforce command.
Also RHEL5/CentOS5 have tcpwrappers built in. You might want to verify you haven't put restrictions in /etc/hosts.allow, /etc/hosts.deny that are causing your problems.
Last edited by MensaWater; 08-31-2009 at 03:32 PM.
#3 | 08-31-2009, 03:47 PM | Member (Original Poster) | Registered: Mar 2006 | Posts: 41
Have tried:
chkconfig iptables off
as well, forgot to include in the list.
getenforce shows disabled.
Nothing in hosts.allow or hosts.deny
Last edited by quasi3; 08-31-2009 at 03:56 PM.
#4 | 08-31-2009, 03:52 PM | LQ Guru | Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
What do you see when you run "iptables -L"?
#5 | 08-31-2009, 04:12 PM | Member (Original Poster) | Registered: Mar 2006 | Posts: 41
Before reboot:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
After reboot:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Last edited by quasi3; 08-31-2009 at 04:14 PM.
#6 | 08-31-2009, 04:35 PM | Member | Registered: Oct 2006 | Location: Utah | Posts: 520
So if you run the following command:
Code:
[root@fs2 ~]# chkconfig --list | grep iptable
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
The above output shows that in runlevels 2-5 iptables is on. If you then run the following command:
Code:
chkconfig iptables off
Then check it again
Code:
[root@fs2 ~]# chkconfig --list | grep iptable
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Now with that change the next time you boot, iptables will not be enabled. Try these steps and let us know after the reboot if iptables is then showing the following:
Code:
[root@fs2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Regards,
Fordeck
#7 | 09-01-2009, 08:08 AM | LQ Guru | Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
Since it's built into the kernel, running the delete might be your issue.
Try running "chkconfig --add iptables" to add it back then run the "chkconfig iptables off" to turn it off in all run levels.
#8 | 09-01-2009, 10:09 AM | Member (Original Poster) | Registered: Mar 2006 | Posts: 41
As it turns out I'm seeing this behavior on some other machines, including 32-bit CentOS 5.2, so that theory is gone.
fordeck,
Immediately after reboot if I run 'chkconfig --list | grep iptable':
chkconfig --list | grep iptable
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
If I then run 'iptables -L':
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Then if I run 'chkconfig iptables off' and then 'chkconfig --list | grep iptable'
chkconfig --list | grep iptable
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
I still get the same result when I run 'iptables -L'
jlightner,
I tried "chkconfig --add iptables" and "chkconfig iptables off" with no success.
#9 | 09-01-2009, 11:11 AM | LQ Guru | Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
It does it to me too on my 32-bit CentOS 5.3 install when I tested just now.
However, I think I know why it did it to me and likely why it did it to you.
I'm running the Xen kernel. (uname -r shows 2.6.18-128.4.1.el5xen). You are running a Xen kernel as well according to your first post.
When I run "xm list" it shows my Dom0 (master domain) there.
In /etc/xen/scripts there are scripts that deal with iptables so I believe it is setting up iptables on the Dom0 to allow for interaction with the Xen guests (which is why you see the local LAN 192.168.x.x stuff in your iptables output).
I guess you could muck around with the scripts to disable this stuff or just live with it. If you don't intend to run Xen guests you could even downgrade to the non-xen kernel.
Last edited by MensaWater; 09-01-2009 at 11:13 AM.
#10 | 09-01-2009, 03:52 PM | Member (Original Poster) | Registered: Mar 2006 | Posts: 41
Xen issue got me on the right track. It was actually libvirtd.
ran:
'yum erase libvirt'
Fixed issue.
Probably could have just disabled it. But had a previous issue with libvirt so don't need it.
Thanks for all your input.
Last edited by quasi3; 09-01-2009 at 03:54 PM.
#11 | 09-01-2009, 04:02 PM | LQ Guru | Registered: May 2005 | Location: Atlanta Georgia USA | Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO | Posts: 7,831
That's it. Thanks for posting your resolution.
There is a libvirtd service in /etc/init.d.
When I stop iptables and libvirtd, then restart libvirtd (service libvirtd start), it populates iptables, so it is clearly the culprit.
So running "chkconfig libvirtd off" (and chkconfig iptables off) would probably have resolved your issue.
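The check the thread arrives at, written up as an added shell example (not code posted by anyone in the thread): compare what chkconfig reports for the iptables service with the rules actually loaded in the kernel. A service that is off in every runlevel next to a populated filter table means some other service is loading the rules, which is how libvirtd was identified here. The sample `chkconfig --list` and `iptables -L` listings are constructed from the output quoted in posts #5 and #6; treating 192.168.122.0/24 as libvirt's default network is this example's own assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not code from the thread or its posters): parse the two
# listings the thread relies on, `chkconfig --list` and `iptables -L`, and
# flag the mismatch that pointed at libvirtd: the iptables service off in
# every runlevel while the filter table still holds rules.

# Sample inputs, constructed from the listings quoted in the thread.
ON_LINE='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off'
OFF_LINE='iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off'

EMPTY_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

LIBVIRT_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Runlevels in which one `chkconfig --list` line reports the service on,
# as a space-separated list ("2 3 4 5"), or empty when it is off everywhere.
on_runlevels() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep ':on$' | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Number of rule lines in `iptables -L` output: every line that is neither a
# "Chain" header, the column header, nor blank.
count_rules() {
    printf '%s\n' "$1" | grep -v -e '^Chain ' -e '^target ' -e '^$' | wc -l | tr -d ' '
}

# True when any chain's default policy is DROP or REJECT.
has_restrictive_policy() {
    printf '%s\n' "$1" | grep -Eq 'policy (DROP|REJECT)'
}

# True when the ruleset references libvirt's default NAT network.
# Assumption of this example: 192.168.122.0/24 is libvirt's default network;
# the thread's output shows the address but never states the mapping.
looks_like_libvirt() {
    printf '%s\n' "$1" | grep -q '192\.168\.122\.0/24'
}

# Compare chkconfig's view with the live ruleset. Prints a verdict and
# returns 0 when they agree, 2 when the service is off yet rules are loaded.
diagnose() {
    levels=$(on_runlevels "$1")
    rules=$(count_rules "$2")
    if [ -z "$levels" ] && [ "$rules" -gt 0 ]; then
        if looks_like_libvirt "$2"; then
            echo "iptables service off in all runlevels, yet $rules rules loaded; 192.168.122.0/24 entries suggest libvirtd's default network"
        else
            echo "iptables service off in all runlevels, yet $rules rules loaded by another service"
        fi
        return 2
    fi
    policy=permissive
    if has_restrictive_policy "$2"; then policy=restrictive; fi
    echo "consistent: on in runlevels [${levels:-none}], $rules rules loaded, default policies $policy"
    return 0
}

# Stand-alone run against the constructed samples; on a live host you would
# pass "$(chkconfig --list iptables)" and "$(iptables -L)" instead.
diagnose "$ON_LINE" "$EMPTY_SAMPLE"
diagnose "$OFF_LINE" "$LIBVIRT_SAMPLE" || echo "(exit status $?)"
```

Run as root on the affected host, the second call is the situation from post #8: chkconfig says off everywhere, yet nine rules are present, and the 192.168.122.0/24 entries name the likely loader. The exit status of 2 makes the check usable from a post-boot script, so a host that is supposed to have no software firewall can report when something has repopulated it.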
#12 | 09-01-2009, 05:25 PM | Moderator | Registered: Mar 2008 | Posts: 22,361
Why would you turn off firewall?
#13 | 09-01-2009, 10:40 PM | Member (Original Poster) | Registered: Mar 2006 | Posts: 41
Jefro,
I work in R&D for a telecom company. We do a lot of load tests with several different protocols and different third-party telecom software. We often run into problems with firewalls on the servers. In this particular issue we would not start experiencing errors until quite some time into a load test, which makes it problematic to troubleshoot the firewall issue. All of our servers are behind a hardware firewall anyway, so the easiest thing for us to do is to just disable the software firewall on our test boxes.