LinuxQuestions.org > Red Hat > iptables is stopped (https://www.linuxquestions.org/questions/red-hat-31/iptables-is-stopped-513966/)

PhillipHuang 12-27-2006 02:20 AM

iptables is stopped
 
When I configure the Firewall as follows:
# iptables -A INPUT -s 192.168.123.32 -j REJECT

I find that the iptables service starts automatically, since the firewall was shut down before.
Now, I try to stop this iptables service:
# service iptables stop
Every entry displays "OK". But when I start the iptables service again:
# service iptables start
no status appears. I had to check the service status again:
# service iptables status
Firewall is stopped

At this point, it seems that I could not start the Firewall again. After repeating "iptables -L", what I had configured to block 192.168.123.32 has disappeared! And "# service iptables status" shows more information, with the Firewall running again.

I'm confused by this issue, as a newbie for Linux security. Would you please give me some advice?

Thanks in advance.
Phillip

theNbomr 12-27-2006 02:29 PM

Iptables is both a kernel module that does network packet filtering and a userland program to query and set the state of the kernel module rules. In your case, it is apparently also a system 'service'. As a kernel module, it is always 'on'. Your 'service' is simply a script that pushes configuration rules into iptables, to make it behave in various different ways. In this sense only, it may have a status of 'Started' or 'Stopped'. You can query the state of iptables independently, as you have done. You can also add or remove rules independently. Running the service script will probably undo any rules that you add independently. I suggest that you examine the script that runs as a service, and try to determine what the 'stop', 'start', and possibly 'restart' functions are actually doing. Perhaps you will want to post some code fragments from it, here, for explanation.

--- rod.

PhillipHuang 12-27-2006 11:58 PM

Rod, thanks for your mention, I've gotten the answer from the RedHat iptables manual. The iptables chains are only active when the service is "started"; on reboot or logout, these chains will be cleared and reset automatically. In order to save the rules, execute "service iptables save", then the existing rules will be implemented as the service starts up. That's why there's no [OK] information in my earlier "service iptables start|stop". I paste both the previous testing and fixing steps here for reference.

The previous testing:
Code:

[root@Linux root]# service iptables status
Firewall is stopped.
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
[root@Linux root]# iptables -A INPUT -s 192.168.123.33 -j REJECT
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
REJECT    all  --  192.168.123.33      anywhere          reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
[root@Linux root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
REJECT    all  --  192.168.123.33      anywhere          reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
[root@Linux root]# service iptables status
Firewall is stopped.
[root@Linux root]# service iptables start
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
[root@Linux root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Fixed this issue:
Code:

[root@Linux root]# iptables -A INPUT -s 192.168.123.33 -j REJECT
[root@Linux root]# service iptables
Usage: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
[root@Linux root]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
Applying iptables firewall rules: [  OK  ]
[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
Applying iptables firewall rules: [  OK  ]


Regards,
Phillip
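The check a practitioner would want after the fix above: confirm that a rule added with `iptables -A` is still present once `service iptables stop`/`start` has run, by parsing the `iptables -L` / `service iptables status` listing format shown in the thread. This is an added example, not code from the thread or from the Red Hat init script; the two listings are constructed to mirror Phillip's output before and after a restart without `service iptables save`.

```python
"""Parse `iptables -L` style listings and check that a rule survived a restart."""
import re

# Constructed listing: state after `iptables -A INPUT -s 192.168.123.33 -j REJECT`
AFTER_ADD = """\
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
REJECT    all  --  192.168.123.33      anywhere          reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
"""

# Constructed listing: state after `service iptables stop` + `start` with no `save`
AFTER_RESTART_NO_SAVE = """\
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_listing(text):
    """Return {chain: {"policy": str, "rules": [dict]}} from `iptables -L` text.
    Lines before the first chain (e.g. "Table: filter" from the status output) are ignored."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue  # preamble, blank separator, or column header
        fields = line.split(None, 5)  # target prot opt source destination [extra]
        if len(fields) < 5:
            continue
        target, prot, opt, src, dst = fields[:5]
        chains[current]["rules"].append({"target": target, "prot": prot, "opt": opt,
                                         "source": src, "destination": dst,
                                         "extra": fields[5] if len(fields) > 5 else ""})
    return chains

def has_rule(text, chain, target, source):
    """True if `chain` in the listing holds a rule with this target and source address."""
    return any(r["target"] == target and r["source"] == source
               for r in parse_listing(text).get(chain, {}).get("rules", []))

def rule_survived_restart(before, after, chain, target, source):
    """True only when the rule is present in both the pre- and post-restart listings."""
    return has_rule(before, chain, target, source) and has_rule(after, chain, target, source)
```

Run against a real box by feeding `iptables -L` output captured before and after `service iptables restart`; a `False` result means the rule was never saved to /etc/sysconfig/iptables.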

hendrytjen 06-25-2009 03:09 PM

Quote:

Originally Posted by PhillipHuang (Post 2560935)

Hi Phillip, your post is very helpful for me, just like a candle in the darkest night.
Thank you.......
