R7AF asked:

Centos6: save iptables configuration

I'm trying to set up a CentOS 6 webserver. I've found a manual on how to configure iptables, which ends with saving:

/sbin/service iptables save

Then I reboot the system, and all changes have disappeared. When I restart iptables, I get the following message:

iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter

How can I get this working?
[root@www01 ~]# iptables -L -v
Chain INPUT (policy DROP 4 packets, 752 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   70  5056 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 5104 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@www01 ~]# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

######### ##### ###### #########
######### AFTER REBOOT #########
######### ##### ###### #########

[root@www01 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 53 packets, 7140 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 50 packets, 5269 bytes)
 pkts bytes target     prot opt in     out     source               destination 


######### ######## ####### #########
######### IPTABLES RESTART #########
######### ######## ####### #########

[root@www01 ~]# /sbin/service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter 
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]


SOLUTION by arnold (members only; content not shown)

R7AF (ASKER):

Here it is:
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*security
:INPUT ACCEPT [95:6692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*raw
:PREROUTING ACCEPT [99:7444]
:OUTPUT ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*nat
:PREROUTING ACCEPT [4:752]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*mangle
:PREROUTING ACCEPT [99:7444]
:INPUT ACCEPT [99:7444]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60:7960]
:POSTROUTING ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*filter
:INPUT DROP [4:752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60:7960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Jan  5 11:20:31 2012


SOLUTION (members only; content not shown)

I think the issue is that you added an invalid rule that threw the whole thing into a mess.

Do not have centos 6 to check/compare the iptables to what you have.

Are you configuring your Centos 6 as a router?

The error seems to deal with the raw and nat definitions.
INPUT and FORWARD are not VALID chains in NAT.
PREROUTING, POSTROUTING, and OUTPUT are the states/chains in NAT.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

SOLUTION (members only; content not shown)

R7AF (ASKER):

This is a virtual machine that I've just set up, and I thought CentOS would be the best choice for a server, and maybe it is, but maybe not for me. The fact is that I'm much more familiar with Ubuntu - which I've used as my desktop for about two years. I see that many things are different, not just this. So I think it's time to cut my losses and destroy this VM, and start over with an Ubuntu LTS server.

Did you try to alter the way iptables deploys in the same way you would have done with Ubuntu without the sfw installed?
I.e. did you modify/create iptables.rel and are trying to load it instead of the existing iptables rules?

What modifications did you make prior to saving it?

Turn off iptables.

Back up the existing /etc/sysconfig/iptables file,
remove the :INPUT from line 17 in http:#a37382302
and see if you can start iptables.

Not sure you actually need the *raw
But we can deal with that in the same manner if iptables do not start.
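A section-aware way to make the edit described above (stop, back up, take the :INPUT line out of the nat table, start again), added here as an example and not code from the thread or from any of its posters: the awk filter removes the policy line for one chain from one table only, so the filter table's own ":INPUT DROP" line, which the web server's rules hang off, is left alone. The helper names drop_chain_policy and count_chains, the sample dump (a constructed copy of the one posted above, trimmed to two tables) and the commented stop/backup/restore/start sequence are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Edits an iptables-save style dump
# (the format of /etc/sysconfig/iptables on CentOS 6) one table at a time.

# drop_chain_policy TABLE CHAIN
# Reads a dump on stdin, writes it to stdout with the ":CHAIN POLICY [p:b]"
# line removed from the *TABLE section only. The same chain name in any
# other table (e.g. ":INPUT DROP" under *filter) is kept.
drop_chain_policy() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { cur = substr($0, 2) }               # "*nat" starts the nat section
        cur == table && $1 == (":" chain) { next }  # drop only this table/chain line
        { print }
    '
}

# count_chains TABLE
# Prints how many built-in chain lines (":NAME POLICY [p:b]") the dump on
# stdin declares in *TABLE; useful as a before/after sanity check.
count_chains() {
    awk -v table="$1" '
        /^\*/ { cur = substr($0, 2) }
        cur == table && /^:/ { n++ }
        END { print n + 0 }
    '
}

# Constructed sample dump modelled on the one posted in the thread.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [4:752]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
COMMIT
*filter
:INPUT DROP [4:752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60:7960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Assumed CentOS 6 workflow (not executed by this script): stop the service,
# keep a backup, rewrite the saved rules, parse-check them, then start again.
#   service iptables stop
#   cp -p /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
#   drop_chain_policy nat INPUT < /etc/sysconfig/iptables.bak > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables   # parse only, no commit
#   service iptables start
```

Running the filter on the sample dump (sample_dump | drop_chain_policy nat INPUT) leaves the nat section with three chain lines and the filter section unchanged. The iptables-restore --test step only parses the file; it is the cheapest way to find out whether the edited file loads before the service is brought back up.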
xterm:

This is a virtual machine that I've just set up, and I thought CentOS would be the best choice for a server, and maybe it is, but maybe not for me. The fact is that I'm much more familiar with Ubuntu - which I've used as my desktop for about two years. I see that many things are different, not just this. So I think it's time to cut my losses and destroy this VM, and start over with an Ubuntu LTS server.

CentOS _is_ the better choice for a server environment, and Ubuntu a far better choice for a desktop IMO.

Yes, there are differences, but honestly, the more different duckling of the two is Ubuntu.  It and Debian alone are the only two mainstream distributions which use Aptitude.  On the other hand, the RPM package management system used by CentOS is used by RHEL, Fedora, Mandrake, SuSE, etc.  I think if you stick with CentOS, you'll develop knowledge that will give you a much broader base of options to choose from down the road.  But that is another discussion for perhaps another question - you're using Linux, which is the best of the best, so you can't go too far wrong - best of luck.
I agree heavily with xterm.  Plus, you are manipulating iptables on Ubuntu with sfw.  If your goal is to learn, it's much better to learn what's actually going on rather than use a dumbed-down interface to get the job done.  Otherwise, why even move from Microsoft?  Just my humble .02.

To compare apples to apples, dpkg is the package manager in the Debian/Ubuntu environment, which is what rpm is.
aptitude on Debian/Ubuntu has yum as its equivalent in CentOS/RHEL etc.

Use what you are comfortable with.  The major difference between CentOS/RHEL and Debian/Ubuntu deals with updates. RHEL/CentOS updates only minor versions, including security patches/updates.
I.e. if you start with version x of an application, updates will maintain the x version while minor/micro versions will be changed depending on the application.  This ensures that if you have your own custom application that relies on a specific compiler version or library, it will not break as long as you are on the same OS major version, i.e. RHEL 5.x.
While in the others, packages are updated across versions and might lead a custom application to break, i.e. it loads a shared library where the function it needs has been deprecated/eliminated/replaced/etc.
Which would require a recode/recompilation to get the application working again.

R7AF (ASKER):

Thanks for all the feedback.

I've created a new question about ubuntu vs centos to keep things clear:
https://www.experts-exchange.com/questions/27522538/Centos-6-or-Ubuntu-10-04-LTS-server-and-desktop.html
ASKER CERTIFIED SOLUTION (members only; content not shown)

ufw is an interface/front end to iptables, which is the underlying firewall.
http://packages.debian.org/sid/ufw

I've not used UFW, but let's say you have an option there, say create port forward 80 to web;
the result is
iptables -I INPUT 3 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 3 -p tcp -m tcp --dport 80 -j ACCEPT

etc.

R7AF (ASKER):

I'm dividing the points to close this question. Thanks for all the feedback, although I didn't use it as I moved to Debian and now use ufw as a front-end to iptables.