iptables not starting on CentOS 6


Solution 1

I was facing the same problem and I found a simple way to resolve it:

  1. Make sure your system has iptables's config file:

    ls -l /etc/sysconfig/iptables
    
  2. In my case, I found two files in this folder:

    iptables-config  iptables.old
    
  3. You should rename iptables.old to iptables (or create a new one) because only iptables will be accepted.

  4. Try to start iptables again.

    service iptables start
    iptables: Applying firewall rules:                         [  OK  ]
    

Solution 2

I faced the same problem today. It turned out the problem was the use of a rule with a domain name instead of an IP address. I suspect the server tries to start iptables before a network connection is available. So no domain name resolution is possible and consequently iptables fails to start, even though there is no problem with the iptables service start when the system is up and running, as the network is up and DNS lookup succeeds at that time.

The moral is:

1) Never ever use domain names instead of IP addresses in iptables rules. I knew the rule but I ignored it thoughtlessly. :-/

2) Configure and properly test fallback tables /etc/sysconfig/iptables.fallback and /etc/sysconfig/ip6tables.fallback that will be applied if the primary configuration table fails to apply (see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Firewalls-Basic_Firewall_Configuration.html). That can save your system from being opened to everyone.
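One way to catch the first pitfall before a reboot is to lint the saved rules file for `-s`/`-d` operands that are hostnames rather than addresses. This is an added example, not code from either answer; the sample rules file and its path are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan an iptables-save style file (the format of
# /etc/sysconfig/iptables) for -s/-d/--source/--destination operands that
# are hostnames. Such rules need DNS when "service iptables start" runs at
# boot, before the network is up, and make the whole ruleset fail to load.

# Return 0 if the argument looks like an IPv4 address or CIDR block.
is_ip_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print every rule whose address operand is not an IP/CIDR.
# Returns 0 if the file is clean, 1 if at least one such rule was found.
find_hostname_rules() {
    rules_file=$1
    found=0
    while IFS= read -r line; do
        case "$line" in
            -A*) ;;          # only rule lines, skip *table, :CHAIN, COMMIT
            *) continue ;;
        esac
        set -- $line         # split the rule into its tokens
        while [ $# -gt 1 ]; do
            case "$1" in
                -s|-d|--source|--destination)
                    if ! is_ip_or_cidr "$2"; then
                        printf 'hostname in rule: %s\n' "$line"
                        found=1
                    fi
                    ;;
            esac
            shift
        done
    done < "$rules_file"
    return $found
}

# Constructed sample: one rule uses a hostname and would break startup.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s admin.example.net -p tcp --dport 22 -j ACCEPT
-A INPUT ! -s 198.51.100.7 -p tcp --dport 80 -j DROP
COMMIT
EOF

if find_hostname_rules "$SAMPLE"; then
    echo "rules file is safe to load at boot"
else
    echo "replace the hostnames above with addresses before rebooting"
fi
```

Run it against /etc/sysconfig/iptables before a reboot; a non-zero exit means the file would fail to load without DNS.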

Author: user5524xx

Updated on September 18, 2022

Comments

  • user5524xx
    user5524xx over 1 year

    I am running CentOS release 6.5 (Final) and cannot figure out why my iptables is not starting. I may have executed some other command to permanently prevent the start up of iptables; I do not remember. However, now I need iptables running, but cannot get it started.

    Any suggestions?

    [root@server1 log]# chkconfig iptables --list
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
    
    [root@server1 log]# service iptables status
    iptables: Firewall is not running.
    
    
    [root@server1 log]# service iptables start
    
    
    [root@server1 log]# service iptables status
    iptables: Firewall is not running.
    

    UPDATE:

    I have looked at this a bit more and did an strace on /etc/init.d/iptables start and saw this message about no such file or directory.

    stat("/var/lock/subsys/iptables", 0x7ffff80481d0) = -1 ENOENT (No such file or directory)
    

    So I created this file, changed the perms and then started iptables. iptables still did not start, but I now get a message about "Firewall modules are not loaded."

    This server had many security hardening changes made to it. Could this be the issue?

    touch /var/lock/subsys/iptables
    chmod 640 /var/lock/subsys/iptables
    
    service iptables start
    service iptables status
    iptables: Firewall modules are not loaded.
    

    UPDATE 2:

    I rebooted after creating the subsys/iptables file and it was no longer there. All of my other services are running fine and start/stop without any problems.


    UPDATE 3:

    To ensure that iptables magically cured itself I rebooted the server. However after reboot the service is NOT running anymore.

    -- BEFORE I REBOOTED --

    [root@server1 ~]# who -r
             run-level 5  2014-09-10 13:47

    [root@server1 ~]# chkconfig --list iptables
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

    [root@server1 ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    num  target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    num  target     prot opt source               destination

    [root@server1 ~]# shutdown -r now

    -- AFTER I REBOOTED --

    [root@server1 ~]# service iptables status
    iptables: Firewall is not running.

    [root@server1 ~]# chkconfig --list iptables
    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

    • NuTTyX
      NuTTyX over 9 years
      /var/lock/... files would get deleted upon restart. Check if this command has some output to verify installation: rpm -V iptables
    • user5524xx
      user5524xx over 9 years
      That command (-V) runs and returns NO output. Still cannot get yum info to work due to network.
    • NuTTyX
      NuTTyX over 9 years
      OK, having no output is what it should be. Is your machine a VPS or similar? Could you try to run iptables -V and iptables -nvL and check if it shows some kind of error?
    • user5524xx
      user5524xx over 9 years
      This is so strange... I came in this morning and saw your comment. Now it seems iptables is running. When I left yesterday it was not running. I came in this morning it was. No one has access to this machine.

          [root@server1 ~]# service iptables status
          Table: filter
          Chain INPUT (policy ACCEPT)
          num  target     prot opt source               destination

          Chain FORWARD (policy ACCEPT)
          num  target     prot opt source               destination

          Chain OUTPUT (policy ACCEPT)
          num  target     prot opt source               destination
    • user5524xx
      user5524xx over 9 years
      Turns out I turned the basic firewall (GUI interface) off and this prevents iptables from starting. I always thought the two were disjoint?
    • NuTTyX
      NuTTyX over 9 years
      The GUI interface should not prevent iptables from starting... Mainly because the GUI interface is only invoked when editing rules.
  • Steve C
    Steve C over 8 years
    Your diagnosis was spot on in my situation too. It was driving me batty until I saw your answer. Thanks