• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2120
  • Last Modified:

Centos6: save iptables configuration

I'm trying to set up a CentOS 6 web server. I've found a manual on how to configure iptables, which ends with saving:

/sbin/service iptables save

Then I reboot the system, and all changes have disappeared. When I restart iptables, I get the following message:

iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter

How can I get this working?

[root@www01 ~]# iptables -L -v
Chain INPUT (policy DROP 4 packets, 752 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   70  5056 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42 packets, 5104 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@www01 ~]# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

######### ##### ###### #########
######### AFTER REBOOT #########
######### ##### ###### #########

[root@www01 ~]# iptables -L -v
Chain INPUT (policy ACCEPT 53 packets, 7140 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 50 packets, 5269 bytes)
 pkts bytes target     prot opt in     out     source               destination 


######### ######## ####### #########
######### IPTABLES RESTART #########
######### ######## ####### #########

[root@www01 ~]# /sbin/service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: security raw nat[FAILED]filter 
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]

4 Solutions
 
arnold Commented:
You may have added a rule that is invalid.

Look in /etc/sysconfig/iptables

This does not look like a default CentOS iptables ruleset.

But it might have changed with 6.

CentOS used to have a common iptables chain for INPUT and FORWARD,
i.e. add a rule to the chain and it is applied equally to both INPUT and FORWARD,
with ports 22 and 80 open.

Post your /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Dec 29 11:53:30 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [38486197:14014385040]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Dec 29 11:53:30 2011


0
 
R7AF (Author) Commented:
Here it is:
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*security
:INPUT ACCEPT [95:6692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*raw
:PREROUTING ACCEPT [99:7444]
:OUTPUT ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*nat
:PREROUTING ACCEPT [4:752]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [5:380]
:POSTROUTING ACCEPT [5:380]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*mangle
:PREROUTING ACCEPT [99:7444]
:INPUT ACCEPT [99:7444]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [60:7960]
:POSTROUTING ACCEPT [60:7960]
COMMIT
# Completed on Thu Jan  5 11:20:31 2012
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*filter
:INPUT DROP [4:752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60:7960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Jan  5 11:20:31 2012


0
 
Kent W (Sr. Network / Systems Admin) Commented:
/sbin/service iptables save
at the end of your script.  If that's not working, there is some other issue.
I append that to the end of my scripts (as well as "iptables -F" to flush all rules at the beginning of the script).

I see you have it at line 14, but I'm not sure what your actual script is doing; it looks like just the commands were captured and posted here.  Posting the actual script may expose the issue.
Basically, your template should be something like:
----
iptables -F

(Rules here)
iptables -L -n (for feedback on what you are about to save)
/sbin/service iptables save
----
and you should be good to go with any correct rules in between.

Works fine on about 30 servers for me.  Make sure the "service iptables save" is at the end of the actual script...it should also work after just loading your rules and persist across reboots.  If it's still not, you have something else wrong..maybe some other fw or something stepping on it?
0
 
arnold Commented:
I think the issue is that you added an invalid rule that threw the whole thing into a mess.

I do not have CentOS 6 to check/compare the iptables to what you have.

Are you configuring your CentOS 6 as a router?

The error seems to deal with the raw and nat definitions.
INPUT and FORWARD are not VALID chains in NAT.
PREROUTING, POSTROUTING, and OUTPUT are the states/chains in NAT.
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
0
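arnold's hypothesis above is that an invalid chain or rule in /etc/sysconfig/iptables breaks the init script, and the author's two `iptables -L -v` listings show the saved rules gone after a reboot. The script below is an added example, not code from this thread or from CentOS: a small linter for the iptables-save file format that reports chains declared with a policy under a table where they are not built in, jumps to chains that were never declared, and tables not closed with COMMIT, plus a drift check that compares a saved file against a live `iptables-save` dump. The BUILTIN_CHAINS map, the sample inputs and the function names are constructed for this example (the nat INPUT chain is included in the map because the author's dump lists it).

```python
import re

# Built-in chains per table, as assumed by this example; only these carry a policy
# (":NAME ACCEPT|DROP [pkts:bytes]"), user chains are declared with "-". Newer
# kernels add an INPUT chain to nat, which is why the author's dump lists it.
BUILTIN_CHAINS = {
    "filter":   {"INPUT", "FORWARD", "OUTPUT"},
    "nat":      {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle":   {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw":      {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
# Targets that are not chains and so need no ":NAME" declaration.
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                 "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[(\d+):(\d+)\]$")


def parse_save_file(text):
    """Parse iptables-save text into {table: {"chains": {name: policy}, "rules": [...]}} plus problems."""
    tables, problems, table = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):  # start of a new table
            if table is not None:
                problems.append(f"line {lineno}: table *{table} not closed with COMMIT")
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif table is None:
            problems.append(f"line {lineno}: {line!r} appears before any *table line")
        elif line == "COMMIT":
            table = None
        elif CHAIN_RE.match(line):
            name, policy = CHAIN_RE.match(line).group(1, 2)
            tables[table]["chains"][name] = policy
        elif line.startswith(("-A ", "-I ")):
            tables[table]["rules"].append(line)
        else:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
    if table is not None:
        problems.append(f"end of file: table *{table} not closed with COMMIT")
    return tables, problems


def lint(text):
    """Return problems that would stop the file from loading; [] means it looks sound."""
    tables, problems = parse_save_file(text)
    for name, t in tables.items():
        builtin = BUILTIN_CHAINS.get(name)
        if builtin is None:
            problems.append(f"*{name}: unknown table")
            continue
        for chain, policy in t["chains"].items():
            if chain not in builtin and policy != "-":
                problems.append(f"*{name}: {chain} is not a built-in chain but declares policy {policy}")
        for rule in t["rules"]:
            toks = rule.split()
            if toks[1] not in t["chains"]:
                problems.append(f"*{name}: rule targets undeclared chain {toks[1]}: {rule}")
            if "-j" in toks[:-1]:  # the jump target is the token after -j
                target = toks[toks.index("-j") + 1]
                if target not in KNOWN_TARGETS and target not in t["chains"]:
                    problems.append(f"*{name}: rule jumps to undeclared chain {target}: {rule}")
    return problems


def compare_rulesets(saved_text, live_text):
    """Report how a live iptables-save dump deviates from the saved file (e.g. after a reboot)."""
    saved, _ = parse_save_file(saved_text)
    live, _ = parse_save_file(live_text)
    drift = {"missing_tables": set(), "policy": [], "missing_rules": []}
    for name, t in saved.items():
        if name not in live:
            drift["missing_tables"].add(name)
            continue
        for chain, policy in t["chains"].items():
            if live[name]["chains"].get(chain) != policy:
                drift["policy"].append((name, chain, policy, live[name]["chains"].get(chain)))
        live_rules = set(live[name]["rules"])
        drift["missing_rules"].extend(r for r in t["rules"] if r not in live_rules)
    return drift


# Constructed sample: an abridged copy of the file the author posted above.
SAVED_FILE = """*nat
:PREROUTING ACCEPT [4:752]
:INPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [4:752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60:7960]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed sample: iptables-save output for the empty post-reboot state shown above.
AFTER_REBOOT = "*filter\n:INPUT ACCEPT [53:7140]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [50:5269]\nCOMMIT\n"

if __name__ == "__main__":
    print(lint(SAVED_FILE) or "no problems found")
    print(compare_rulesets(SAVED_FILE, AFTER_REBOOT))
```

Run against the author's posted file, lint() finds nothing structurally wrong, while compare_rulesets() against the post-reboot state shows every table and rule missing and the INPUT/FORWARD policies back at ACCEPT, which is the pattern of rules never being loaded at boot rather than of a single bad rule being rejected. The linter only checks the file's shape; it does not replace loading the file with iptables-restore on a test host.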
 
xterm Commented:
You seem to have a bunch of extraneous rules that you don't need... just recreate /etc/sysconfig/iptables as I have it below, and it will work fine.

Let me know if there are any rules/functionality missing afterwards, and I'll show you how to add them.
# Generated by iptables-save v1.4.7 on Thu Jan  5 11:20:31 2012
*filter
:INPUT DROP [4:752]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [60:7960]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Jan  5 11:20:31 2012


0
 
R7AF (Author) Commented:
This is a virtual machine that I've just setup, and I thought Centos would be the best choice for a server, and maybe it is, but maybe not for me. The fact is that I'm much more familiar with Ubuntu - which I've used as my desktop for about two years. I see that many things are different, not just this. So I think it's time to cut my losses and destroy this vm, and start over with an Ubuntu LTS server.
0
 
arnold Commented:
Did you try to alter the way iptables deploys in the same way you would have done with Ubuntu without the sfw installed?
I.e. did you modify/create iptables.rel and are trying to load it instead of the existing iptables rules?

What modifications did you make prior to saving it?

Turn off iptables.

Back up the existing /etc/sysconfig/iptables file,
remove the :INPUT from line 17 in http:#a37382302
and see if you can start iptables.

Not sure you actually need the *raw,
but we can deal with that in the same manner if iptables does not start.
0
 
xterm Commented:
This is a virtual machine that I've just setup, and I thought Centos would be the best choice for a server, and maybe it is, but maybe not for me. The fact is that I'm much more familiar with Ubuntu - which I've used as my desktop for about two years. I see that many things are different, not just this. So I think it's time to cut my losses and destroy this vm, and start over with an Ubuntu LTS server.

CentOS _is_ the better choice for a server environment, and Ubuntu a far better choice for a desktop IMO.

Yes, there are differences, but honestly, the more different duckling of the two is Ubuntu.  It and Debian alone are the only two mainstream distributions which use Aptitude.  On the other hand, the RPM package management system used by CentOS is used by RHEL, Fedora, Mandrake, SuSE, etc.  I think if you stick with CentOS, the knowledge you'll develop will give you a much broader base of options to choose from down the road.  But that is another discussion for perhaps another question - you're using Linux, which is the best of the best, so you can't go too far wrong - best of luck.
0
 
Kent W (Sr. Network / Systems Admin) Commented:
I agree heavily with xterm.  Plus, you are manipulating iptables on Ubuntu with sfw.  If your goal is to learn, it's much better to learn what's actually going on rather than use a dumbed-down interface to get the job done.  Otherwise, why even move from Microsoft?  Just my humble .02.

0
 
arnold Commented:
To compare apples to apples, dpkg is the package manager in the Debian/Ubuntu environment, which is what rpm is.
aptitude on Debian/Ubuntu has yum as its equivalent in CentOS/RHEL etc.

Use what you are comfortable with.  The major difference between CentOS/RHEL and Debian/Ubuntu deals with updates. RHEL/CentOS updates only minor versions, including security patches/updates.
i.e. if you start with version x of an application, updates will maintain the x version while minor/micro versions will be changed depending on the application.  This ensures that if you have your own custom application that relies on a specific compiler version or library, it will not break as long as you are on the same OS major version, i.e. RHEL 5.x.
In the others, packages are updated across versions and might lead a custom application to break, i.e. it loads a shared library where the function it needs has been deprecated/eliminated/replaced/etc.,
which would require a recode/recompilation to get the application working again.
 
0
 
R7AF (Author) Commented:
Thanks for all the feedback.

I've created a new question about ubuntu vs centos to keep things clear:
http://www.experts-exchange.com/Q_27522538.html
0
 
R7AF (Author) Commented:
As you may have seen in the other question, I've decided to move to a debian server. That means I can use UFW, which is good enough for what I need. If you think ufw is not enough, let me know. Otherwise I'll split the points.
0
 
arnold Commented:
ufw is an interface/front end to iptables, which is the underlying firewall.
http://packages.debian.org/sid/ufw

I've not used UFW, but let's say you have an option there, say "create port forward 80 to web";
the result is
iptables -I INPUT 3 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I FORWARD 3 -p tcp -m tcp --dport 80 -j ACCEPT

etc.

0
 
R7AF (Author) Commented:
I'm dividing the points to close this question. Thanks for all the feedback, although I didn't use it as I moved to Debian and now use ufw as a front-end to iptables.
0