(/etc/sysconfig/iptables) "Manual customization of this file is not recommended." Why?
Solution 1
Because the tool called system-config-firewall (or its ncurses-based brother system-config-firewall-tui) manages this file. Every time you use this tool to create new iptables rules, it will overwrite /etc/sysconfig/iptables.
Related Manpage: 28.1.16. /etc/sysconfig/iptables-config
This is why it's not recommended, but not prohibited. The best way to save your rules using CentOS or any other EL version 6 is using the iptables service after you add some rules in memory:
# service iptables save
Related question: Why iptables does not fetch information from /etc/sysconfig/iptables on centOs?
Reasons to not edit this file (/etc/sysconfig/iptables) directly:
- Because it is an auto-generated file. Its contents come from the script/daemon /etc/init.d/iptables.
- Some actions like resetting or stopping the iptables daemon may result in data loss, since it will overwrite the file. Interesting variables on this subject: IPTABLES_SAVE_ON_STOP="" and IPTABLES_SAVE_ON_RESTART="" inside the /etc/sysconfig/iptables-config file. Maybe tuning those will make your changes inside /etc/init.d/iptables persistent.
- Because the documentation said so. Red Hat advises that this is the best method to use their firewall infrastructure.
An alternative solution to this "overwrite my firewall rules" mindf*** is to totally disable those scripts and rely on a customized method of managing the firewall, like the one exposed by goldilocks.
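The two iptables-config variables named above decide whether the running rules get written back over /etc/sysconfig/iptables. As an added illustration (not part of the answer above; the default values are those shipped in EL 6, the comments are mine), here is the stock setting beside the changed one, with the trade-off each carries:

```shell
# /etc/sysconfig/iptables-config (fragment)

# Stock EL 6 defaults: stopping or restarting the service leaves the file
# alone, so rules added in memory (iptables -A ...) are lost on reboot
# unless you run "service iptables save" first.
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"

# Changed: the running ruleset is dumped into /etc/sysconfig/iptables on
# every stop/restart. In-memory changes now survive, but any line you
# typed into the file by hand and never loaded is silently overwritten,
# which is the "data loss" case from the answer above.
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
```

Whichever value you choose, treat the file and the in-kernel rules as one source of truth: either edit the file and load it, or change memory and save it, never both at once.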
Solution 2
"and yet on the very top of the file it says.."
Hmmm, that's strange. At the top of mine it says:
# Manual customization of this file is strongly encouraged.
Someone must have changed it ;) And in fact even moved it out of /etc/sysconfig so it would not get "auto uncustomized" by the package manager or anything else ;) ;)
I think the point here in general with such config files is if you don't know what you are doing, don't do it. Sometimes there is also the warning that the file does get overwritten by the system occasionally. This could be by the package manager on upgrades -- although sometimes the PM will note a file has been changed manually and not overwrite it, or save a copy, etc -- and it could be some other tool that is responsible for this configuration in particular (see nwildner's answer).
Part of "knowing what you are doing" is to be aware of angles like this. I also customized the init service for iptables to use a different location for the config file, and most importantly: I'm the only one that uses this computer.
Presuming there are other people with root access, I would not do this on a server I'm responsible for unless there was a better reason than "I prefer it this way", because it will likely lead to confusion and give someone else a headache at some point. But if you are the only user and no one else depends on the system, then you are free to do what you want. My "preferred method" for configuring the firewall looks like this:
#!/bin/bash
# Ruleset file to edit; override by setting IPTSET_FILE in the environment.
if [[ -z "$IPTSET_FILE" ]]; then
    IPTSET_FILE=/etc/iptables.current
fi
if [[ ! -e "$IPTSET_FILE" ]]; then
    echo "$IPTSET_FILE does not exist!" >&2
    exit 1
fi
# Edit the file, then load the edited rules straight into the kernel.
vim "$IPTSET_FILE"
iptables-restore < "$IPTSET_FILE"
/etc/iptables.current is created at boot by copying /etc/iptables (which the iptables service is configured to load initially). This way I can modify things on the fly while maintaining a reference point that the system starts from.
Which brings us to an important point, if you do want to fool around with configurations that contain this sort of warning: Always create a backup copy of the original first.
Updated on September 18, 2022

Comments

- Gilles 'SO- stop being evil' (over 1 year):
Editing this file directly, /etc/sysconfig/iptables, can save me so many headaches, so much time and so on...
and yet on the very top of the file it says..
"Manual customization of this file is not recommended."
Here is the '/etc/sysconfig/iptables' that just came with a brand new CentOS 6.4 cloud server.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
To open port 80 I can simply clone the line..
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
and then change "22" to "80", then save this file and reboot the whole system.
This will open port 80 for me.
This is a pretty simple operation, and yet the file says manual editing is not recommended.
Why should I follow the advice?
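The "clone the port 22 line" step in the comment above and the "always back up first" advice at the end of the second answer both come down to editing a file in iptables-save format safely. The script below is an added example, not code from either answer or from the question; the function names, the backup naming and the scratch directory are my assumptions. It keeps a backup, inserts the new ACCEPT rule above the catch-all "-A INPUT -j REJECT" (a rule appended below it would never be reached), refuses to add a duplicate, and checks the ordering before the file is ever loaded. The sample ruleset is the one posted in the question, reconstructed here as test input.

```shell
#!/bin/sh
# Added example: edit a saved ruleset (iptables-save format) with a backup,
# correct rule placement and a sanity check. Names and paths are assumed.

# Write the stock CentOS 6 ruleset from the question into $1 (sample input).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# open_tcp_port FILE PORT: back FILE up, then insert an ACCEPT rule for PORT
# directly above the first INPUT REJECT line, so it is evaluated before the
# catch-all. Returns 1 if PORT is already accepted, 2 on a malformed port.
open_tcp_port() {
    file=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 2 ;;
    esac
    if grep -q -- "--dport $port -j ACCEPT" "$file"; then
        echo "port $port is already accepted in $file" >&2
        return 1
    fi
    # Backup before touching the file (the advice from the second answer).
    cp -p -- "$file" "$file.bak.$(date +%s)" || return 1
    awk -v port="$port" '
        /^-A INPUT -j REJECT/ && !inserted {
            print "-A INPUT -m state --state NEW -m tcp -p tcp --dport " port " -j ACCEPT"
            inserted = 1
        }
        { print }
    ' "$file" > "$file.tmp" && mv -- "$file.tmp" "$file"
}

# accept_before_reject FILE PORT: succeed only if the ACCEPT for PORT comes
# earlier in the file than the INPUT REJECT, i.e. the rule can actually match.
accept_before_reject() {
    awk -v port="$2" '
        $0 ~ ("--dport " port " -j ACCEPT") && !seen_accept { seen_accept = NR }
        /^-A INPUT -j REJECT/ && !seen_reject { seen_reject = NR }
        END { exit !(seen_accept && seen_reject && seen_accept < seen_reject) }
    ' "$1"
}

# Demonstration on a scratch copy. On a real EL 6 host the file would be
# /etc/sysconfig/iptables and the next step "service iptables restart".
demo_dir=$(mktemp -d)
write_sample_ruleset "$demo_dir/iptables"
open_tcp_port "$demo_dir/iptables" 80
accept_before_reject "$demo_dir/iptables" 80 && echo "port 80 rule is reachable"
```

Run it as-is to see the edit on a scratch file; point open_tcp_port at the real file only after the in-memory rules and the file agree (see the "service iptables save" step in the first answer), otherwise the next save or stop can undo the edit.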
- Michelle (almost 10 years): This sounds more like an argument against mixing and matching editing the file directly and adding rules using the system-config-firewall tool. Can you expand on why it's bad to edit the file in lieu of ever using the tool?