GUI iptables "apply" differes from boot config - iptables config files load order?

[anocelot]

Hi everyone,

Short version:
When I boot my fedora 9 server, "iptables --list" gives me one set of rules. If I login to the command line and run "service iptables restart" the rules still do not work. If I login to the GUI, though, run the firewall application and chose: "Stop, Start, Apply" I get a different set of rules (which work fine!).

More info:
I have some virtual servers that are running on aliased ethernet devices. My iptables script is forwarding requests from three aliases (eth0:0 - eth0:2) to the appropriate virtual machine.

The "new" set of rules I get when I run the gui firewall apply script *DO* give me the results I want, but I *really* don't want to have to login to the gui in order to get the correct rules.

Has anyone run across something similar, and can you offer any suggestions?

TIA!

[vallimar]

I don't use the iptables "service" or system-config-firewall stuff as I find them lacking, so I could very well be wrong, but it's possible when you are doing a restart, it's just re-loading the saved iptables tables that it writes to a file. Looking through /etc/rc.d/init.d/iptables -- it appears to do just that. However, if you have the IPTABLES_SAVE_ON_STOP config variable set (from /etc/sysconfig/iptables-config), then it will save your current rules on stop (to /etc/sysconfig/iptables), then blank everything and re-load those rules. The default setting for this config variable is "no", meaning when you make rules changes, you have to manually do a "service iptables save" if you want them restored next time. Setting that variable to "yes" will auto-save changes. From what it sounds like, you need to either set that variable, or remember to manually save when tweaking your rules.

[Evil_Bert]

To amplify what vallimar says, the initial iptables script run at boot time is stored in file /etc/sysconfig/iptables (in "iptables-save" format) and an associated set of parameters in /etc/sysconfig/iptables-config.

I'm pretty sure that if you apply (by clicking the Apply button) the rules created in the GUI firewall application (system-config-firewall), those rules are indeed saved to /etc/sysconfig/iptables. I've tested this in F8 - I can't see why it would be different in F9 (it's the same package - based on Lokkit). But, for some unknown reason, the rules are not being saved in your case.

As you probably know, rules can be altered or overwritten at any time using the "iptables" command. Thus, the active rules and saved rules (in /etc/sysconfig/iptables) may not be the same.

Rather than play with the init variables, IMHO, it's better to manually issue the command to save active rules (in iptables-save format) to /etc/sysconfig/iptables:

Code:

service iptables save

or to another file:

Code:

iptables-save > {path}/{filename}

When iptables has been correctly configured in your GUI and rules applied, save using one of the above methods and make a backup copy. (If you replace the originals with the backups, remember to check permissions and SELinux context).

You can verify your saved rules against active rules using:

Code:

iptables -L -n -v

The resulting printout is the active rule set (but it is not in iptables-save format and cannot be used as a script).

You could also use the following (perhaps from within another startup script) to overwrite the current ruleset from a file contaiing your desired rules (in iptables-save format):

Code:

iptables-restore < {path}/{filename}
service iptables restart

Hopefully, this will give you some options to fix the problem.

[marcrblevins]

Damn Bert, make that sticky! Well thought out.