iptables has amnesia :-)

Don Russell fedora at drussell.dnsalias.com
Wed Aug 22 02:15:29 UTC 2007


Rick Stevens wrote:
> On Tue, 2007-08-21 at 06:56 -0700, Don Russell wrote:
>   
>> Don Russell wrote:
>>     
>>> Mikkel L. Ellertson wrote:
>>>       
>>>> Don Russell wrote:
>>>>
>>>>> Mikkel L. Ellertson wrote:
>>>>>
>>>>>> If you are talking about the rules not surviving a reboot, try
>>>>>> running "service iptables save" and/or "service ip6tables save". If
>>>>>> you want the changes saved automatically, edit
>>>>>> /etc/sysconfig/iptables.conf and change
>>>>>> IPTABLES_SAVE_ON_RESTART="no" to IPTABLES_SAVE_ON_STOP="yes". Do
>>>>>> the same for /etc/sysconfig/ip6tables.conf.
>>>>>>
>>>>>> Mikkel
>>>>>>
>>>> I must have deleted a section of my message somehow before I sent it
>>>> - there should be advice about changing 2 variables, but there is
>>>> the default state of one, and the needed state of the other...
>>>>
>>>>> ah... that's good to know... BUT.... in neither case have I restarted
>>>>> the system....
>>>>>
>>>>> I'll have a look at that config file though and see if there are any
>>>>> clues. :-)
>>>>>
>>>>> Maybe what I need to do (as you suggest) is "service iptables save"
>>>>> after adding the rules and verifying they work correctly.
>>>>>
>>>>> (I looked at the webmin method specifically for some form of "save
>>>>> these rules", but there is only "apply these rules", which I did need to do)
>>>>>
>>>>>
>>>> Please post back what you find, as this seems to be a strange one -
>>>> the rules should not vanish on a normally running system.  Are you
>>>> logging out and logging back in at the console, or bringing down an
>>>> interface and bringing it back up, between setting the rules and
>>>> their vanishing?
>>>>
>>>> Mikkel
>>>>
>>> IPTABLES_SAVE_ON_RESTART and IPTABLES_SAVE_ON_STOP are both set to the 
>>> default value of "no".
>>>
>>> So, I guess my question becomes, when does the firewall stop or restart?
>>>
>>> I log on to a non-root user via ssh, then "su -"/"exit" to make the 
>>> iptables changes.... I have not restarted the whole machine, nor have 
>>> I restarted the iptables service.... does it restart periodically for 
>>> some reason? I haven't added anything to cron etc to make that happen...
>>>
>>> I'm not restarting the interface....
>>>
>>> I don't see what I could have done that caused the firewall to 
>>> stop/restart....
>>>       
>> To quote Alice.... "Curiouser and curiouser..."
>>
>> This morning I can't connect to webmin again.... when I connect to my 
>> FC7 box via ssh and use iptables -L... sure enough, the two rules are 
>> gone again.... and this is AFTER I did a "service iptables save" when 
>> I added the two rules yesterday.
>>
>> #iptables -I INBOUND 13 -p tcp --dport 10000 -j ACCEPT
>> #iptables -I INBOUND 14 -p tcp --dport 20000 -j ACCEPT
>> #service iptables save
>> Saving firewall rules to /etc/sysconfig/iptables:    [ OK ]
>>
>> The good news is... when I can't connect to webmin, I know what to look 
>> for right away and it's solved (temporarily) in a minute....
>>     
>
> Are you sure you don't have a rootkit on there?  I don't know of a
> way for the iptables to get changed except by a command being run.
> If you're not doing it, it's either a cron job somewhere or a lurking
> hacker.  You might want to try doing an nmap scan against the machine
> and see which ports are open to see if there's a back door that
> someone's using.
>   

Well.... I "yum remove webmin" and "yum remove usermin" and my iptables 
rules seem pretty permanent once again.

I'll assume I did some brain-dead thing when installing webmin.... :-)
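Added example (my own script, not something posted in this thread): a POSIX shell check that compares the rules persisted by "service iptables save" with the rules currently loaded and lists whatever has gone missing, so a cron job or anything else rewriting the firewall shows up as a diff rather than as a surprise the next morning. The INBOUND chain and the two webmin ports follow the thread; the file contents are constructed sample data, and in real use the two inputs would be /etc/sysconfig/iptables and a fresh "iptables-save" listing.

```shell
# Added example (not from the thread): list rules persisted by "service
# iptables save" that are no longer loaded. Constructed sample data stands
# in for /etc/sysconfig/iptables and for "iptables-save" output, so this
# runs without root or iptables installed.
export LC_ALL=C   # fixed collation so sort(1) and comm(1) agree

# Normalise an iptables-save listing: drop "#" comments and the
# [packets:bytes] counters after chain policies, trim trailing spaces, sort.
normalize_rules() {
    grep -v '^#' "$1" |
        sed -e 's/ \[[0-9]*:[0-9]*\]$//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | sort -u
}

# Print each line present in the saved file but absent from the running
# listing; empty output means nothing has vanished.
missing_rules() {
    _saved=$(mktemp) && _running=$(mktemp) || return 1
    normalize_rules "$1" > "$_saved"
    normalize_rules "$2" > "$_running"
    comm -23 "$_saved" "$_running"
    rm -f "$_saved" "$_running"
}
# ---- constructed sample data ----
SAMPLE_DIR=$(mktemp -d)
SAVED="$SAMPLE_DIR/saved"      # stands in for /etc/sysconfig/iptables
RUNNING="$SAMPLE_DIR/running"  # stands in for "iptables-save" output
cat > "$SAVED" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 10000 -j ACCEPT
-A INBOUND -p tcp -m tcp --dport 20000 -j ACCEPT
-A INBOUND -j DROP
COMMIT
EOF
# Running set a day later: same chains, fresh counters, webmin rules gone.
cat > "$RUNNING" <<'EOF'
*filter
:INPUT ACCEPT [812:61440]
:INBOUND - [0:0]
-A INPUT -j INBOUND
-A INBOUND -p tcp -m tcp --dport 22 -j ACCEPT
-A INBOUND -j DROP
COMMIT
EOF
missing_rules "$SAVED" "$RUNNING"   # prints the --dport 10000 and 20000 rules
```

Running it from cron and mailing any non-empty output gives a timestamp for when the rules disappear, which narrows down what restarted or rewrote the firewall.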

More information about the fedora-list mailing list