LinuxQuestions.org
Old 12-27-2006, 03:20 AM   #1
PhillipHuang
iptables is stopped


When I configure the firewall as follows:
# iptables -A INPUT -s 192.168.123.32 -j REJECT

I find that the iptables service starts automatically, since the firewall was shut down before.
Now, I try to stop this iptables service:
# service iptables stop
Every entry displays "OK", but when I start the iptables service again:
# service iptables start
No status appears. I had to check the service status again:
# service iptables status
Firewall is stopped

At this point, it seems that I could not start the firewall again. After repeating "iptables -L", what I had configured to block 192.168.123.32 has disappeared! And "# service iptables status" shows more information, saying the firewall is running again.

I'm confused by this issue, as a newbie for Linux security. Would you please give me some advice?

Thanks in advance.
Phillip
 
Old 12-27-2006, 03:29 PM   #2
theNbomr
Iptables is both a kernel module that does network packet filtering and a userland program to query and set the state of the kernel module rules. In your case, it is apparently also a system 'service'. As a kernel module, it is always 'on'. Your 'service' is simply a script that pushes configuration rules into iptables, to make it behave in various different ways. In this sense only, it may have a status of 'Started' or 'Stopped'. You can query the state of iptables independently, as you have done. You can also add or remove rules independently. Running the service script will probably undo any rules that you add independently. I suggest that you examine the script that runs as a service, and try to determine what the 'stop', 'start', and possibly 'restart' functions are actually doing. Perhaps you will want to post some code fragments from it, here, for explanation.

--- rod.

Last edited by theNbomr; 12-27-2006 at 03:31 PM.
 
Old 12-28-2006, 12:58 AM   #3
PhillipHuang
Original Poster
Rod, thanks for your mention; I've gotten the answer from the RedHat iptables manual. The iptables chains are only active when the service is "started"; on reboot or logout, these chains will be cleared and reset automatically. In order to save the rules, execute "service iptables save"; then the existing rules will be applied as the service starts up. That's why there was no [OK] information in my earlier "service iptables start|stop". I paste both the previous testing and fixing steps here for reference.

The previous testing:
Code:
[root@Linux root]# service iptables status
Firewall is stopped.
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@Linux root]# iptables -A INPUT -s 192.168.123.33 -j REJECT
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  192.168.123.33       anywhere           reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@Linux root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  192.168.123.33       anywhere           reject-with icmp-port-unreachable 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
[root@Linux root]# service iptables status
Firewall is stopped.
[root@Linux root]# service iptables start
[root@Linux root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@Linux root]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Fixed this issue:
Code:
[root@Linux root]# iptables -A INPUT -s 192.168.123.33 -j REJECT
[root@Linux root]# service iptables
Usage: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
[root@Linux root]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
Applying iptables firewall rules: [  OK  ]
[root@Linux root]# service iptables stop
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: filter [  OK  ]
Unloading iptables modules: [  OK  ]
[root@Linux root]# service iptables start
Applying iptables firewall rules: [  OK  ]

Regards,
Phillip
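The lesson of both replies above is that the running ruleset and the file the init script restores from (/etc/sysconfig/iptables, written by "service iptables save") can drift apart, and anything present only at runtime is lost on the next stop/start or reboot. The script below is an added example, not from this thread and not Red Hat's init script: it takes a dump of the running rules (the output of `iptables-save`, which is the same format the save step writes) and the persisted file, and lists every rule that exists only at runtime. Both input files here are constructed samples, so it runs without root or a kernel with netfilter; against a real box you would point RUNNING at `iptables-save > /tmp/running.dump` and SAVED at /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the thread): find rules that are live in the kernel
# but missing from the persisted rules file, i.e. rules that
# "service iptables stop|start" or a reboot will silently discard.

# Print "table: rule" for every -A line of an iptables-save style file.
# Comment lines, chain policy lines (":INPUT ACCEPT [0:0]") and COMMIT are
# not rules and are skipped; the *table header sets the prefix.
normalize_rules() {
    awk '/^\*/  { table = substr($1, 2); next }
         /^-A / { print table ": " $0 }' "$1"
}

# Print rules found in the running dump ($1) but not in the saved file ($2).
# Returns 0 when every running rule is persisted, 1 when at least one is not.
unpersisted_rules() {
    run_tmp=$(mktemp) || return 2
    saved_tmp=$(mktemp) || return 2
    normalize_rules "$1" | sort > "$run_tmp"
    normalize_rules "$2" | sort > "$saved_tmp"
    # comm -23 keeps lines that appear only in the first (sorted) file
    lost=$(comm -23 "$run_tmp" "$saved_tmp")
    rm -f "$run_tmp" "$saved_tmp"
    [ -n "$lost" ] && printf '%s\n' "$lost"
    [ -z "$lost" ]
}

# --- constructed sample inputs ------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
RUNNING="$demo_dir/running.dump"        # stands in for: iptables-save
SAVED="$demo_dir/sysconfig-iptables"    # stands in for: /etc/sysconfig/iptables

# Running rules: the loopback rule was saved earlier, the REJECT rule was
# added by hand with "iptables -A INPUT -s 192.168.123.33 -j REJECT" and
# never saved (the situation in the thread).
cat > "$RUNNING" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.123.33 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed (constructed sample)
EOF

cat > "$SAVED" <<'EOF'
# /etc/sysconfig/iptables (constructed sample from an earlier save)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF

if unpersisted_rules "$RUNNING" "$SAVED"; then
    echo "all running rules are persisted in $SAVED"
else
    echo "the rules above are NOT in $SAVED; run 'service iptables save' before stop/restart"
fi
```

Run it before every "service iptables stop" or restart, or from cron as a drift check: an empty result means the persisted file matches what the kernel is enforcing. Note that the comparison is textual, so a rule saved with a slightly different spelling (for example "-s 192.168.123.33/32" versus "-s 192.168.123.33", which older and newer iptables versions print differently) is reported as unsaved; treat a hit as something to inspect, not as proof of loss.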
 
Old 06-25-2009, 04:09 PM   #4
hendrytjen

Quote:
Originally Posted by PhillipHuang View Post
Rod, thanks for your mention; I've gotten the answer from the RedHat iptables manual. The iptables chains are only active when the service is "started"; on reboot or logout, these chains will be cleared and reset automatically. In order to save the rules, execute "service iptables save"; then the existing rules will be applied as the service starts up. That's why there was no [OK] information in my earlier "service iptables start|stop". I paste both the previous testing and fixing steps here for reference.
Hi Phillip, your post is very helpful for me, just like a candle in the darkest night.
Thank you.......