[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: iptables has amnesia :-)

Rick Stevens wrote:
On Tue, 2007-08-21 at 06:56 -0700, Don Russell wrote:
Don Russell wrote:
Mikkel L. Ellertson wrote:
Don Russell wrote:
Mikkel L. Ellertson wrote:
If you are talking about the rules not surviving a reboot, try
running "service iptables save" and/or "service ip6tables save". If
you want the changes saved automatically, edit
/etc/sysconfig/iptables.conf and change
the same for /etc/sysconfig/ip6tables.conf.

I must have deleted a section of my message somehow before I sent it
- there should be advice about changing 2 variables, but there is
the default state of one, and the needed state of the other...
ah... that's good to know... BUT.... in neither case have I restarted
the system....

I'll have a look at that config file though and see if there are any
clues. :-)

Maybe what I need to do (as you suggest) is "service iptables save"
after adding the rules and verifying they work correctly.

(I looked at the webmin method specifically for some form of "save these
rules", but there is only "apply thse rules", which I did need to do)

Please post back what you find, as this seams to be a strange one -
the rules should not vanish on a normally running system.  Are
logging out and logging back in at the console, or bringing down an
interface, and bringing it back up between setting the rules, and
then vanishing?

IPTABLES_SAVE_ON_RESTART and IPTABLES_SAVE_ON_STOP are both set to the default value of "no".

So, I guess my question becomes, when does the firewall stop or restart?

I log on to a non-root user via ssh, then "su -"/"exit" to make the iptables changes.... I have not restarted the whole machine, nor have I restarted the iptables service.... does it restart periodically for some reason? I haven't added anything to cron etc to make that happen...

I'm not restarting the interface....

I don't see what I could have done that cause d the firewall to stop/restart....
To quote Alice.... "Curiouser and curiouser..."

This morning I can't connect to webmin again.... when I connect to my FC7 box via ssh and use iptables -L... sure enough, the two rules are gone again.... and this is AFTER I did a "'service iptables save", when I added the two rules yesterday.

#iptables -I INBOUND 13 -p tcp --dport 10000 -j ACCEPT
#iptables -I INBOUND 14 -p tcp --dport 20000 -j ACCEPT
#service iptables save
Saving firewall rules to /etc/sysconfig/iptables:    [ OK ]

The good news is... when I can't connect to webmin, I know what to look for right away and it's solved (temporarily) in a minute....

Are you sure you don't have a rootkit on there?  I don't know of a
way for the iptables to get changed except by a command being run.
If you're not doing it, it's either a cron job somewhere or a lurking
hacker.  You might want to try doing an nmap scan against the machine
and see which ports are open to see if there's a back door that
someone's using.

Well.... I "yum remove webmin" and "yum remove usermin" and my iptables rules seem pretty permanent once again.

I'll assume I did some brain-dead thing when installing webmin.... :-)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]