
I have one single ipset added to my iptables on a CentOS 6.x box and this rule is lost when the machine reboots.

I've found this answer showing how to make a Ubuntu system reload the iptables rules after a reboot but this directory is not present on CentOS.

How do I make this CentOS box load the firewall rules after a reboot?

NOTE: Yes, I'm saving the rules using iptables save and the file is being saved.

This is what is inside /etc/sysconfig/iptables:

# Generated by iptables-save v1.4.7 on Mon Apr  8 09:52:59 2013
*filter
:INPUT ACCEPT [2713:308071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1649:1766437]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
COMMIT
# Completed on Mon Apr  8 09:52:59 2013

The command shows -A INPUT, but when I created it I used -I INPUT.

The rule used to create this was:

iptables -I INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state NEW,ESTABLISHED,RELATED,INVALID -m set --set blocking src -j DROP 
  • @Christopher, sounds similar to /etc/sysconfig/network-scripts/rule-* files. Does this ipset file contain definitions of ipset data structures or actual iptables rules? Example? Commented Aug 12, 2014 at 13:39

4 Answers


You lost rules because:

After adding rules you have to save before restarting the service or the server, because when you add a rule it is only in memory; after saving, the rules are written to a file and restored from that file at start-up.

So first you need to save the added rules using:

$ /etc/init.d/iptables save 

This will save all rules in /etc/sysconfig/iptables, then just enable the iptables service at start-up using:

$ chkconfig --level 53 iptables on 

Method 2

To save rules:

$ /sbin/iptables-save > /etc/iptables.rules 

To restore rules, add the entry below to /etc/rc.local:

$ /sbin/iptables-restore < /etc/iptables.rules
  • I did that and iptables loads when the system starts, but it loads empty. Commented Apr 8, 2013 at 8:52
  • Have you checked the /etc/sysconfig/iptables file? Commented Apr 8, 2013 at 8:53
  • After adding a rule, just do the save I mentioned above; then it will be restored at start-up using the /etc/sysconfig/iptables file. Commented Apr 8, 2013 at 8:54
  • Yes, the file is saved correctly. This is something weird I discovered now: when I do service iptables save I see a message telling me that the rules were saved to /etc/sysconfig/iptables but when I do your command /etc/init.d/iptables save the message tells me that the rules were saved to /etc/sysconfig/ipt. In other words, saved to a different file... why is that? Commented Apr 8, 2013 at 8:55
  • Nope. The rules are not reloaded after boot. I solved that temporarily by creating a crontab that runs a bash script that tests if there are any rules loaded and loads them if not. It is a lame solution, but it is working until I discover a real solution. Thanks. Commented Apr 10, 2013 at 6:10

I've had the same problem.

You have created a set with ipset called "blocking"; however, I don't see where this set gets saved, so you'd have to recreate it after every reboot in a script, I guess?
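The gap this answer points at, as an added example (not the asker's or any answerer's code): on CentOS 6 the iptables init script restores only /etc/sysconfig/iptables, and a rule using -m set --match-set NAME makes iptables-restore abort if NAME does not exist yet, which leaves the chain empty. The script below lists sets the saved rules reference but an ipset dump does not define, and restores sets before rules; it assumes the ipset save output lives at /etc/sysconfig/ipset (a path chosen here, not from the page), and demo_missing uses constructed sample files.

```shell
#!/bin/sh
# Added example, not code from the question or any answer. On CentOS 6 the
# iptables init script restores only /etc/sysconfig/iptables; a rule using
# "-m set --match-set NAME" needs that set to exist already, otherwise
# iptables-restore aborts and the chain comes up empty (the symptom above).
# Assumption: "ipset save" output is kept in /etc/sysconfig/ipset (a path
# chosen here, not one the page mentions).

# Print each set name referenced by --match-set in $1 (iptables-save output)
# that has no "create NAME ..." line in $2 (ipset save output).
missing_sets() {
    rules="$1"; sets="$2"
    grep -o -- '--match-set [^ ]*' "$rules" | awk '{print $2}' | sort -u |
    while read -r name; do
        grep -q "^create $name " "$sets" 2>/dev/null || echo "$name"
    done
}

# Restore in the order that avoids the failure: sets first, then rules.
# Meant to be called from /etc/rc.local, which runs after the init scripts.
restore_firewall() {
    rules="${1:-/etc/sysconfig/iptables}"; sets="${2:-/etc/sysconfig/ipset}"
    missing="$(missing_sets "$rules" "$sets" | tr '\n' ' ')"
    if [ -n "$missing" ]; then
        echo "not restoring: rules reference undefined ipsets: $missing" >&2
        return 1
    fi
    ipset restore < "$sets" && iptables-restore < "$rules"
}

# Constructed sample data reproducing the question: the rules reference
# "blocking" and "allowlist", but only "allowlist" was saved with ipset.
demo_missing() {
    dir="$(mktemp -d)"
    cat > "$dir/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
-A INPUT -p tcp --dport 22 -m set --match-set allowlist src -j ACCEPT
COMMIT
EOF
    cat > "$dir/ipset" <<'EOF'
create allowlist hash:ip family inet hashsize 1024 maxelem 65536
add allowlist 192.0.2.10
EOF
    missing_sets "$dir/iptables" "$dir/ipset"
    rm -rf "$dir"
}
```

Running demo_missing prints "blocking", the set the question's rule needs but nothing restores; calling restore_firewall with no arguments from /etc/rc.local refuses to load the rules until that set is in the ipset dump.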


Just noticed the same issue on Centos 6.4.

I've just put @reboot /etc/init.d/iptables restart in the crontab and it works.


I sent an email to Host Gator and I finally got a response from a Linux Administrator at Host Gator:

Hello there!

HostGator has built a custom firewall that's in place by default on all VPS and dedicated server plans.

Luckily, there is a file in the firewall configuration that is meant to persist iptables configurations.

The file is this: /etc/firewall/INCLUDE

Just add your iptables lines to that file, and restart the firewall with service firewall restart. The iptables rules will persist.

Actually, I've gone ahead and added those lines to the file, so your iptables rules should load and persist now.

Please don't hesitate to follow up if you have any more questions or concerns.
