iptables rules not reloading on CentOS 6.x
Solution 1
You lost the rules because:
After adding rules you have to save before restarting the service or the server. When you add a rule it is only in memory; after saving, the rules are written to a file and restored from that file at start-up.
So first you need to save the added rules using:
$ /etc/init.d/iptables save
This will save all rules in /etc/sysconfig/iptables, then just enable the iptables service at start-up using:
$ chkconfig --level 53 iptables on
Method 2
To save rules:
$ /sbin/iptables-save > /etc/iptables.rules
To restore rules (add the entry below to /etc/rc.local):
$ /sbin/iptables-restore < /etc/iptables.rules
Solution 2
I've had the same problem.
You have created a set with ipset called "blocking"; however, I don't see where this set gets saved, so you'd have to recreate it after every reboot in a script, I guess?
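Solution 1 gives the save/restore procedure and Solution 2 points out that the ipset set itself is never saved. As an added example (not code from this thread, from CentOS, or from the iptables init script), the POSIX sh script below saves the sets together with the rules and restores the sets first; before calling iptables-restore it checks that every set the rules reference is defined in the ipset dump, because iptables-restore aborts the whole ruleset when a rule names a set that does not exist yet (the behaviour rjt describes in the last comment). The file paths, function names and the sample dumps are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the ipset sets and the iptables
# rules in two files and restores the sets first, because iptables-restore rejects
# the whole ruleset when a rule references a set that does not exist yet.
# Paths and helper names are assumptions.

IPSET_FILE=/etc/sysconfig/ipset.save      # assumed location for 'ipset save' output
IPTABLES_FILE=/etc/sysconfig/iptables     # where 'service iptables save' writes on CentOS 6

# Print every set a ruleset references via "-m set --match-set NAME" or the
# older "-m set --set NAME" syntax, one name per line, de-duplicated.
# "--set" is only counted when it follows "-m set", so "-m recent --set" is ignored.
referenced_sets() {
    awk '{
        inset = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-m") { inset = ($(i + 1) == "set"); continue }
            if (inset && ($i == "--match-set" || $i == "--set")) { print $(i + 1); inset = 0 }
        }
    }' "$1" | sort -u
}

# Print every set defined in an 'ipset save' dump: "create NAME ..." lines
# (ipset 6.x) or "-N NAME ..." lines (the older ipset 4.x save format).
defined_sets() {
    awk '$1 == "create" || $1 == "-N" { print $2 }' "$1" | sort -u
}

# Print the sets the rules need but the ipset dump does not define.
# Empty output means the rules can be restored. $1: ipset dump, $2: iptables-save dump
missing_sets() {
    defined=$(defined_sets "$1")
    for s in $(referenced_sets "$2"); do
        printf '%s\n' "$defined" | grep -qx -- "$s" || echo "$s"
    done
}

# Save sets and rules together (run as root after changing the firewall).
save_firewall() {
    ipset save > "$IPSET_FILE" && iptables-save > "$IPTABLES_FILE"
}

# Restore at boot (for example from /etc/rc.local): sets first, then rules, and
# refuse to run iptables-restore at all if a referenced set is not in the dump.
# '-exist' (ipset 6.x) makes 'ipset restore' tolerate sets that already exist.
restore_firewall() {
    missing=$(missing_sets "$IPSET_FILE" "$IPTABLES_FILE")
    if [ -n "$missing" ]; then
        echo "refusing to restore: rules reference sets missing from $IPSET_FILE: $missing" >&2
        return 1
    fi
    ipset -exist restore < "$IPSET_FILE" && iptables-restore < "$IPTABLES_FILE"
}

# Constructed sample files for a dry run without root: the ruleset from the
# question plus a second rule using the old --set syntax for a set "trusted".
make_demo_files() {
    d=$(mktemp -d)
    cat > "$d/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
-A INPUT -m set --set trusted src -j ACCEPT
COMMIT
EOF
    # dump that defines only "blocking": restoring these rules would fail on "trusted"
    cat > "$d/ipset.partial" <<'EOF'
create blocking hash:ip family inet hashsize 1024 maxelem 65536
add blocking 192.0.2.10
EOF
    # dump that defines both sets
    cat > "$d/ipset.full" <<'EOF'
create blocking hash:ip family inet hashsize 1024 maxelem 65536
add blocking 192.0.2.10
create trusted hash:net family inet hashsize 1024 maxelem 65536
add trusted 198.51.100.0/24
EOF
    echo "$d"
}

demo_dir=$(make_demo_files)
echo "referenced: $(referenced_sets "$demo_dir/iptables" | tr '\n' ' ')"
echo "missing with partial dump: $(missing_sets "$demo_dir/ipset.partial" "$demo_dir/iptables")"
echo "missing with full dump: '$(missing_sets "$demo_dir/ipset.full" "$demo_dir/iptables")'"
```

Running the file as-is only exercises the check against the constructed dumps; on the box itself you would call save_firewall after editing rules and restore_firewall from /etc/rc.local (or an init script ordered before iptables), which replaces the "recreate the set in a script" step with one that fails loudly instead of silently leaving the host unfiltered.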
Solution 3
Just noticed the same issue on CentOS 6.4.
I've just put @reboot /etc/init.d/iptables restart in the crontab and it works.
Duck
Updated on September 18, 2022

Comments
- Duck, over 1 year:
I have one single ipset added to my iptables on a CentOS 6.x box and this rule is lost when the machine reboots. I've found this answer showing how to make an Ubuntu system reload the iptables rules after a reboot but this directory is not present on CentOS. How do I make this CentOS box load the firewall rules after a reboot?
NOTE: Yes, I'm saving the rules using iptables save and the file is being saved. This is what is inside /etc/sysconfig/iptables:
# Generated by iptables-save v1.4.7 on Mon Apr 8 09:52:59 2013
*filter
:INPUT ACCEPT [2713:308071]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1649:1766437]
-A INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state INVALID,NEW,RELATED,ESTABLISHED -m set --match-set blocking src -j DROP
COMMIT
# Completed on Mon Apr 8 09:52:59 2013
The command shows -A INPUT but when I created it I used -I INPUT. The rule used to create this was:
iptables -I INPUT -p tcp -m multiport --dports 25,587,465,110,143,993,995 -m state --state NEW,ESTABLISHED,RELATED,INVALID -m set --set blocking src -j DROP
- rjt, over 9 years: @Christopher, sounds similar to the /etc/sysconfig/network-scripts/rule-* files. Does this ipset file contain definitions of ipset data structures or actual iptables rules? Example?
- Duck, about 11 years: I did that and iptables loads when the system starts, but it loads empty.
- Rahul Patil, about 11 years: Have you checked the /etc/sysconfig/iptables file?
- Rahul Patil, about 11 years: After adding the rule just do the save which I mentioned above; then it will be restored at start-up using the /etc/sysconfig/iptables file.
- Duck, about 11 years: Yes, the file is saved correctly. This is something weird I discovered now: when I do service iptables save I see a message telling me that the rules were saved to /etc/sysconfig/iptables, but when I do your command /etc/init.d/iptables save the message tells me that the rules were saved to /etc/sysconfig/ipt. In other words, saved to a different file... why is that?
- Rahul Patil, about 11 years: Both are the same; service iptables save refers to the same init file, i.e. /etc/init.d/iptables.
- Duck, about 11 years: So we are back to square one. The file is saved correctly but when the system starts iptables is loaded empty.
- Rahul Patil, about 11 years: After adding rules you have to save before restarting the service or the server, because when you add a rule it is only in memory; after saving it is written to a file and restored from that file at start-up.
- Duck, about 11 years: Yes, I know that. The rules are there, saved to /etc/sysconfig/iptables, but they are not being loaded.
- Rahul Patil, about 11 years: Check whether the rules are added or not using iptables -L -n -v.
- Duck, about 11 years: I have added more information to the question.
- Rahul Patil, about 11 years: @DigitalRobot I have added another method for the same; also check that the iptables service is enabled at startup using chkconfig --list | grep iptables, and also check for errors in the logs.
- Duck, about 11 years: I have tried your methods. No change. iptables starts but does not load the rules. Apparently /etc/rc.local is not running either. What logs should I check for errors?
- Rahul Patil, about 11 years: Give me the output of chkconfig --list | grep iptables.
- Rahul Patil, about 11 years: If the issue is not solved, then disable SELinux and check again; refer to this link for disabling SELinux: ehowstuff.com/how-to-check-and-disable-selinux-on-centos-6-3
- Duck, about 11 years: iptables 0:no 1:no 2:yes 3:yes 4:yes 5:yes 6:no and SELinux status: disabled
- Rahul Patil, about 11 years: Seems fine with the run levels; have you disabled SELinux and checked? You must reboot the system after disabling SELinux.
- Duck, about 11 years: SELinux status: disabled. I have not disabled it. It was already disabled.
- Rahul Patil, about 11 years: Sorry for the late reply. Is your issue solved? If not, just let me know whether your rule is restored or not using /sbin/iptables-restore < /etc/iptables.rules
- Duck, about 11 years: Nope. The rules are not reloaded after boot. I solved that temporarily by creating a crontab that runs a bash script that tests if there are any rules loaded and loads them if not. It is a lame solution, but it is working until I discover a real solution. Thanks.
- Rahul Patil, about 11 years: @DigitalRobot Recently I uninstalled CentOS 6 and installed CentOS 5.9 for better stability, and to avoid new issues [I wasted 1 hour on MySQL password recovery because of CentOS 6; I think the 6 series is not ready for production].
- Duck, about 11 years: This is the only problem with 6 I have had so far. I will keep an eye on it.
- rjt, over 9 years: The file is clearly already saved, as proven in the question itself ("This is what is inside /etc/sysconfig/iptables"); the problem is with ipset. When iptables restores from a file but that file contains unknown ipset sets, no iptables rules are restored at all.