iptables rules not reloading on CentOS 6.x


Solution 1

You lost rules because:

After adding rules you have to save before restarting the service or the server, because when you add a rule it is only in memory; after saving, the rules are written to a file and restored from that file at start-up.

So first you need to save the added rules using:

$ /etc/init.d/iptables save

This will save all rules in /etc/sysconfig/iptables; then just enable the iptables service at start-up using:

$ chkconfig --level 53 iptables on

Method 2

To save rules:

$ /sbin/iptables-save  > /etc/iptables.rules

To restore rules [add the entry below to /etc/rc.local]:

$ /sbin/iptables-restore < /etc/iptables.rules

Solution 2

I've had the same problem.

You have created a set with ipset called "blocking"; however, I don't see where this set gets saved, so you'd have to recreate it after every reboot in a script, I guess?

Solution 3

Just noticed the same issue on CentOS 6.4.

I've just put @reboot /etc/init.d/iptables restart in the crontab and it works.


Author by Duck

Updated on September 18, 2022

Comments

  • Duck
    Duck over 1 year

    I have one single ipset added to my iptables on a CentOS 6.x box and this rule is lost when the machine reboots.

    I've found this answer showing how to make a Ubuntu system reload the iptables rules after a reboot but this directory is not present on CentOS.

    How do I make this CentOS box load the firewall rules after a reboot?

    NOTE: Yes, I'm saving the rules using iptables save and the file is being saved.

    This is what is inside /etc/sysconfig/iptables:

    # Generated by iptables-save v1.4.7 on Mon Apr  8 09:52:59 2013
    *filter
    :INPUT ACCEPT [2713:308071]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1649:1766437]
    -A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
    COMMIT
    # Completed on Mon Apr  8 09:52:59 2013
    

    The command shows -A INPUT, but when I created it I used -I INPUT.

    The rule used to create this was:

    iptables -I INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state NEW,ESTABLISHED,RELATED,INVALID -m set --set blocking src -j DROP
    
    • rjt
      rjt over 9 years
      @Christopher, sounds similar to /etc/sysconfig/network-scripts/rule-* files. Does this ipset file contain definitions of ipset data structures or actual iptables rules? Example?
  • Duck
    Duck about 11 years
    I did that and iptables loads when the system starts, but it loads empty.
  • Rahul Patil
    Rahul Patil about 11 years
    have you checked /etc/sysconfig/iptables file ?
  • Rahul Patil
    Rahul Patil about 11 years
    After adding the rule, just do the save which I mentioned above; then it will be restored at start-up using the /etc/sysconfig/iptables file.
  • Duck
    Duck about 11 years
    Yes, the file is saved correctly. This is something weird I discovered now: when I do service iptables save I see a message telling me that the rules were saved to /etc/sysconfig/iptables but when I do your command /etc/init.d/iptables save the message tells me that the rules were saved to /etc/sysconfig/ipt. In other words, saved to a different file... why is that?
  • Rahul Patil
    Rahul Patil about 11 years
    Both are the same; service iptables save refers to the same init file, i.e. /etc/init.d/iptables.
  • Duck
    Duck about 11 years
    So, we are back to square one. The file is saved correctly, but when the system starts iptables is loaded empty.
  • Rahul Patil
    Rahul Patil about 11 years
    After adding rules you have to save before restarting the service or the server, because when you add a rule it is only in memory; after saving, the rules are written to a file and restored from that file at start-up.
  • Duck
    Duck about 11 years
    Yes, I know that. The rules are there, saved to /etc/sysconfig/iptables, but they are not being loaded.
  • Rahul Patil
    Rahul Patil about 11 years
    Check whether the rules are added or not using iptables -L -n -v
  • Duck
    Duck about 11 years
    I have added more information to the question.
  • Rahul Patil
    Rahul Patil about 11 years
    @DigitalRobot I have added another method for the same; also check that the iptables service is enabled at startup using chkconfig --list | grep iptables, and also check for errors in the logs.
  • Duck
    Duck about 11 years
    I have tried your methods. No change. iptables starts but does not load the rules. Apparently /etc/rc.local is not running either. What logs should I check for errors?
  • Rahul Patil
    Rahul Patil about 11 years
    Give me the output of chkconfig --list | grep iptables
  • Rahul Patil
    Rahul Patil about 11 years
    If the issue is not solved, then disable SELinux and check again; refer to this link for disabling SELinux: ehowstuff.com/how-to-check-and-disable-selinux-on-centos-6-3
  • Duck
    Duck about 11 years
    iptables 0:no 1:no 2:yes 3:yes 4:yes 5:yes 6:no and SELinux status: disabled
  • Rahul Patil
    Rahul Patil about 11 years
    Seems fine with the run level. Have you disabled SELinux and checked? You must reboot the system after disabling SELinux.
  • Duck
    Duck about 11 years
    SELinux status: disabled. I have not disabled it; it was already disabled.
  • Rahul Patil
    Rahul Patil about 11 years
    Sorry for the late reply. Is your issue solved? If not, just let me know whether your rules are restored or not using /sbin/iptables-restore < /etc/iptables.rule
  • Duck
    Duck about 11 years
    Nope. The rules are not reloaded after boot. I solved that temporarily by creating a crontab that runs a bash script that tests if there are any rules loaded and loads them if not. It is a lame solution, but it is working until I discover a real solution. Thanks.
  • Rahul Patil
    Rahul Patil about 11 years
    @DigitalRobot Recently I uninstalled CentOS 6 and installed CentOS 5.9 for better stability, and to avoid new issues [I wasted 1 hour on mysql password recovery because of CentOS 6; I think the 6 series is not ready for production]
  • Duck
    Duck about 11 years
    This is the only problem with 6 I had so far. I will keep an eye.
  • rjt
    rjt over 9 years
    The file is clearly already saved, as proven in the question itself ("This is what is inside /etc/sysconfig/iptables"); the problem is with ipset. When iptables restores from a file but that file contains unknown ipset sets, no iptables rules are restored at all.
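Added example, not from the question or any of the answers: a pre-flight check for the failure mode rjt describes, where the saved ruleset references an ipset set that has not been created when iptables-restore runs, so the whole ruleset is silently dropped. The file paths, the constructed sample ruleset and the restore_firewall helper are assumptions; running the restore itself needs root and the ipset/iptables tools.

```shell
#!/bin/sh
# Finds ipset set names that an iptables-save file references but an
# "ipset save" dump never creates. Run it before a reboot, or from rc.local
# before iptables-restore, so a missing set is reported instead of quietly
# emptying the firewall. (Added example; paths below are assumptions.)

# Sets referenced by "-m set" rules, in the old "--set" or the newer
# "--match-set" spelling (the set name is the word after the option).
referenced_sets() {
    grep -E -- '-m set ' "$1" | sed -n -E 's/.*--(match-)?set +([^ ]+) .*/\2/p' | sort -u
}

# Sets defined by "create NAME ..." lines of an "ipset save" dump.
defined_sets() {
    awk '$1 == "create" { print $2 }' "$1" | sort -u
}

# Print every referenced set with no definition; status 1 if any is missing.
missing_sets() {
    rc=0
    for s in $(referenced_sets "$1"); do
        defined_sets "$2" | grep -qx -- "$s" || { echo "$s"; rc=1; }
    done
    return $rc
}

# Boot-time restore in the order that avoids the problem: sets first, then
# rules, and only when the check passes (assumed rc.local usage, needs root).
restore_firewall() {
    if missing_sets "$1" "$2" >/dev/null; then
        ipset restore < "$2" && iptables-restore < "$1"
    else
        echo "refusing to restore: $1 references undefined ipset set(s)" >&2; return 1
    fi
}

# Constructed sample input, modelled on the ruleset shown in the question.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/iptables.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state NEW,ESTABLISHED -m set --match-set blocking src -j DROP
-A INPUT -m set --set trusted src -j ACCEPT
COMMIT
EOF
cat > "$DEMO/ipset.conf" <<'EOF'
create trusted hash:ip family inet hashsize 1024 maxelem 65536
add trusted 192.0.2.10
EOF
# "blocking" is referenced but never created, so this prints it and fails.
missing_sets "$DEMO/iptables.rules" "$DEMO/ipset.conf" || echo "(restore would be refused)"
```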