  1. #1
    Join Date
    Dec 2001
    Posts
    518

    How to find IPtables (I can't restart iptables without a reboot)

    I've inherited a Fedora Core 3 machine that acts as our firewall. I simply edit:
    /etc/iptables/filter.sh
    or
    /etc/iptables/nat.sh
    and put in any rules I'd like to change.

    The problem is that typing:
    service iptables restart

    doesn't really do anything. Running "service iptables <anything>" and then "service iptables status" reports that iptables is stopped.

    My guess is that there are a couple of copies of iptables on the box, and it's an alternative one that's running. Any ideas on how to track down the location of the iptables that is running, so that I can restart the service without doing a reboot?

    More info:

    [root@FWLHQ001 ~]# whereis iptables
    iptables: /sbin/iptables /etc/iptables /lib/iptables /usr/share/man/man8/iptables.8.gz
    Keep your customers in the know with www.KnownOutage.com - free alerting software that you host. Did I mention that it's free?

  2. #2
    you would need to set up a shell script to turn it on and off like the one below

    Code:
    #!/bin/bash
    # Control IPTABLE rules

    # path to the iptables binary (it lives in /sbin on Fedora/RHEL)
    IPTABLE_PATH=/sbin

    # set interface
    IFACE=eth0

    # End of configuration

    # bail out quietly if the iptables binary is not there
    test -x $IPTABLE_PATH/iptables || exit 0
    IPT=$IPTABLE_PATH/iptables

    case "$1" in
         start)
            # insert IPTABLE rules here
            $IPT -A INPUT -s 192.168.0.0/24 -j ACCEPT
            $IPT -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
            ;;

         stop)
            # flush IPTABLE rules and fall back to dropping everything
            $IPT -F
            $IPT -P INPUT DROP
            $IPT -P FORWARD DROP
            $IPT -P OUTPUT DROP
            ;;
         restart)
            # flush IPTABLE rules, then reset them
            $IPT -F
            $IPT -P INPUT DROP
            $IPT -P FORWARD DROP
            $IPT -P OUTPUT DROP
            $IPT -A INPUT -s 192.168.0.0/24 -j ACCEPT
            $IPT -A OUTPUT -s 192.168.0.0/24 -j ACCEPT
            ;;
         *)
            echo 'you can only use start - stop - restart with this script'
            exit 1
            ;;
    esac
    exit 0
    name it iptables or something similar.
    and then you can /etc/init.d/rc.3/iptables stop

  3. #3
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Someone has beaten me to responding,

    Put the above script in /etc/init.d/iptables; however, if you already have one (because you said it is showing stopped), paste that one.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com

  4. #4
    Join Date
    Dec 2001
    Posts
    518
    I guess I'm really trying to learn how this server is set up (reinventing the wheel...). Iptables is running, because we are getting routed around and whatnot. If I type "service iptables status" I get "Firewall is stopped."

    So I guess iptables is not really running as a service. Do you think it's being loaded by some startup script?

  5. #5
    Join Date
    Dec 2001
    Posts
    518
    FYI, I do have a /etc/init.d/iptables file

  6. #6
    Join Date
    Dec 2001
    Posts
    518
    Here's a copy of my /etc/init.d/iptables file

    Code:
    #!/bin/sh
    #
    # iptables      Start iptables firewall
    #
    # chkconfig: 2345 08 92
    # description:  Starts, stops and saves iptables firewall
    #
    # config: /etc/sysconfig/iptables
    # config: /etc/sysconfig/iptables-config
    
    # Source function library.
    . /etc/init.d/functions
    
    IPTABLES=iptables
    IPTABLES_DATA=/etc/sysconfig/$IPTABLES
    IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
    IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
    PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
    VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
    
    if [ ! -x /sbin/$IPTABLES ]; then
        echo -n $"/sbin/$IPTABLES does not exist."; warning; echo
        exit 0
    fi
    
    if lsmod 2>/dev/null | grep -q ipchains ; then
        echo -n $"ipchains and $IPTABLES can not be used together."; warning; echo
        exit 0
    fi
    
    # Old or new modutils
    /sbin/modprobe --version 2>&1 | grep -q module-init-tools \
        && NEW_MODUTILS=1 \
        || NEW_MODUTILS=0
    
    # Default firewall configuration:
    IPTABLES_MODULES=""
    IPTABLES_MODULES_UNLOAD="yes"
    IPTABLES_SAVE_ON_STOP="no"
    IPTABLES_SAVE_ON_RESTART="no"
    IPTABLES_SAVE_COUNTER="no"
    IPTABLES_STATUS_NUMERIC="yes"
    
    # Load firewall configuration.
    [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
    
    rmmod_r() {
        # Unload module with all referring modules.
        # At first all referring modules will be unloaded, then the module itself.
        local mod=$1
        local ret=0
        local ref=
    
        # Get referring modules.
        # New modutils have another output format.
        [ $NEW_MODUTILS = 1 ] \
            && ref=`lsmod | awk "/^${mod}/ { print \\\$4; }" | tr ',' ' '` \
            || ref=`lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1`
    
        # recursive call for all referring modules
        for i in $ref; do
            rmmod_r $i
            let ret+=$?;
        done
    
        # Unload module.
        # The extra test is for 2.6: The module might have autocleaned,
        # after all referring modules are unloaded.
        if grep -q "^${mod}" /proc/modules ; then
            modprobe -r $mod > /dev/null 2>&1
            let ret+=$?;
        fi
    
        return $ret
    }
    
    flush_n_delete() {
        # Flush firewall rules and delete chains.
        [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    
        # Check if firewall is configured (has tables)
        tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
        [ -z "$tables" ] && return 1
    
        echo -n $"Flushing firewall rules: "
        ret=0
        # For all tables
        for i in $tables; do
            # Flush firewall rules.
            $IPTABLES -t $i -F;
            let ret+=$?;
    
            # Delete firewall chains.
            $IPTABLES -t $i -X;
            let ret+=$?;
    
            # Set counter to zero.
            $IPTABLES -t $i -Z;
            let ret+=$?;
        done
    
        [ $ret -eq 0 ] && success || failure
        echo
        return $ret
    }
    
    set_policy() {
        # Set policy for configured tables.
        policy=$1
    
        # Check if iptable module is loaded
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
    
        # Check if firewall is configured (has tables)
        tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
        [ -z "$tables" ] && return 1
    
        echo -n $"Setting chains to policy $policy: "
        ret=0
        for i in $tables; do
            echo -n "$i "
            case "$i" in
                filter)
                    $IPTABLES -t filter -P INPUT $policy \
                        && $IPTABLES -t filter -P OUTPUT $policy \
                        && $IPTABLES -t filter -P FORWARD $policy \
                        || let ret+=1
                    ;;
                nat)
                    $IPTABLES -t nat -P PREROUTING $policy \
                        && $IPTABLES -t nat -P POSTROUTING $policy \
                        && $IPTABLES -t nat -P OUTPUT $policy \
                        || let ret+=1
                    ;;
                mangle)
                    $IPTABLES -t mangle -P PREROUTING $policy \
                        && $IPTABLES -t mangle -P POSTROUTING $policy \
                        && $IPTABLES -t mangle -P INPUT $policy \
                        && $IPTABLES -t mangle -P OUTPUT $policy \
                        && $IPTABLES -t mangle -P FORWARD $policy \
                        || let ret+=1
                    ;;
                *)
                    let ret+=1
                    ;;
            esac
        done
    
        [ $ret -eq 0 ] && success || failure
        echo
        return $ret
    }
    
    start() {
        # Do not start if there is no config file.
        [ -f "$IPTABLES_DATA" ] || return 1
    
        echo -n $"Applying $IPTABLES firewall rules: "
    
        OPT=
        [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    
        $IPTABLES-restore $OPT $IPTABLES_DATA
        if [ $? -eq 0 ]; then
            success; echo
        else
            failure; echo; return 1
        fi
    
        # Load additional modules (helpers)
        if [ -n "$IPTABLES_MODULES" ]; then
            echo -n $"Loading additional $IPTABLES modules: "
            ret=0
            for mod in $IPTABLES_MODULES; do
                echo -n "$mod "
                modprobe $mod > /dev/null 2>&1
                let ret+=$?;
            done
            [ $ret -eq 0 ] && success || failure
            echo
        fi
    
        touch $VAR_SUBSYS_IPTABLES
        return $ret
    }
    
    stop() {
        # Do not stop if iptables module is not loaded.
        [ -e "$PROC_IPTABLES_NAMES" ] || return 1
    
        flush_n_delete
        set_policy ACCEPT
    
        if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
            echo -n $"Unloading $IPTABLES modules: "
            ret=0
            rmmod_r ${IPV}_tables
            let ret+=$?;
            rmmod_r ${IPV}_conntrack
            let ret+=$?;
            [ $ret -eq 0 ] && success || failure
            echo
        fi
    
        rm -f $VAR_SUBSYS_IPTABLES
        return $ret
    }
    
    save() {
        # Check if iptable module is loaded
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 1
    
        # Check if firewall is configured (has tables)
        tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
        [ -z "$tables" ] && return 1
    
        echo -n $"Saving firewall rules to $IPTABLES_DATA: "
    
        OPT=
        [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    
        ret=0
        TMP_FILE=`/bin/mktemp -q /tmp/$IPTABLES.XXXXXX` \
            && chmod 600 "$TMP_FILE" \
            && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
            && size=`stat -c '%s' $TMP_FILE` && [ $size -gt 0 ] \
            || ret=1
        if [ $ret -eq 0 ]; then
            if [ -e $IPTABLES_DATA ]; then
                cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                    && chmod 600 $IPTABLES_DATA.save \
                    || ret=1
            fi
            if [ $ret -eq 0 ]; then
                cp -f $TMP_FILE $IPTABLES_DATA \
                    && chmod 600 $IPTABLES_DATA \
                    || ret=1
            fi
        fi
        [ $ret -eq 0 ] && success || failure
        echo
        rm -f $TMP_FILE
        return $ret
    }
    
    status() {
        # Do not print status if lockfile is missing and iptables modules are not
        # loaded.
        # Check if iptable module is loaded
        if [ ! -f "$VAR_SUBSYS_IPTABLES" ]; then
            echo $"Firewall is stopped."
            return 1
        fi
    
        # Check if firewall is configured (has tables)
        if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
            echo $"Firewall is not configured. "
            return 1
        fi
        tables=`cat $PROC_IPTABLES_NAMES 2>/dev/null`
        if [ -z "$tables" ]; then
            echo $"Firewall is not configured. "
            return 1
        fi
    
        NUM=
        [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
    
        for table in $tables; do
            echo $"Table: $table"
            $IPTABLES -t $table --list $NUM && echo
        done
    
        return 0
    }
    
    restart() {
        [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
        stop
        start
    }
    
    case "$1" in
        start)
            stop
            start
            RETVAL=$?
            ;;
        stop)
            [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
            stop
            RETVAL=$?
            ;;
        restart)
            restart
            RETVAL=$?
            ;;
        condrestart)
            [ -e "$VAR_SUBSYS_IPTABLES" ] && restart
            ;;
        status)
            status
            RETVAL=$?
            ;;
        panic)
            flush_n_delete
            set_policy DROP
            RETVAL=$?
            ;;
        save)
            save
            RETVAL=$?
            ;;
        *)
            echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
            exit 1
            ;;
    esac
    
    exit $RETVAL

  7. #7
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    Your init.d script is fine,

    service iptables start
    will have iptables running; however, if it's running and returning stopped all the time, then the lock file is invalid.

    Which in this case is

    VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

    does /var/lock/subsys/iptables exist? Have you tried reinstalling iptables?

    Just remove the rpm and install the rpm again.

  8. #8
    Join Date
    Dec 2001
    Posts
    518
    Iptables works great, so I'm hesitant to reinstall. It seems to be a custom version (I add rules to separate xxx.sh files). I'm the new guy here, so I don't want to break something that to all users appears to be working fine.

    /var/lock/subsys/$IPTABLES Does not exist. Would a simple "touch $IPTABLES" correct this?

  9. #9
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    no no,

    /var/lock/subsys/iptables

    However, the iptables init.d script is not needed by the looks of it, I have never really looked into it.

    I get "firewall is stopped" on RHEL4 when it is in fact running; it just looks like a problem with the init.d script, which is the original.

    Not really sure what to say since I have never even bothered to look at this before, seems interesting though.

  10. #10
    Join Date
    Dec 2001
    Posts
    518
    on your RHEL 4, how do you restart IPtables? I assume you type

    service iptables restart

    When I do that, iptables just kind of dies, and stops routing, and from then on it says that IPtables would not start. I'm forced to reboot to get iptables up again.

  11. #11
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    What happens when you do

    service iptables restart

    then
    iptables -L

    Does it have your rules? Do you have any rules setup to load on boot?

    What does /etc/rc.local contain?

  12. #12
    Join Date
    Dec 2001
    Posts
    518
    we have a ton of rules, set up in filter.sh / nat.sh / arp.sh / routes.sh. These are automatically loaded into iptables.

    I'll have to wait until tonight to do the service iptables restart, because it will force me to reboot the server in order to get the office online again.

    cd /etc/rc.local
    -bash: cd: /etc/rc.local: Not a directory

    Finally, since iptables is running, shouldn't I be able to see it by typing "ps -aux"? I currently can't.

  13. #13
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,681
    rc.local is a file.

    cat /etc/rc.local

  14. #14
    Join Date
    Dec 2001
    Posts
    518
    cat /etc/rc.local
    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    touch /var/lock/subsys/local
    /usr/local/samba/sbin/smbd
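A small diagnostic script, added here and not posted by anyone in the thread, that checks the two things the posts above argue about: whether the kernel actually holds rules (read from /proc/net/ip_tables_names, the same file the init script in #6 uses) versus whether the lock file /var/lock/subsys/iptables exists, and which boot-time file references filter.sh / nat.sh, since rc.local in #14 does not. The search directories, the report function and its output wording are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Diagnostic for the situation in this thread: the kernel is filtering
# traffic, yet "service iptables status" says "stopped". The stock init
# script (post #6) derives "stopped" purely from its lock file, so rules
# hand-loaded from filter.sh / nat.sh are invisible to it. The paths and
# search directories below are assumptions for a FC3/RHEL4 box.

LOCK_FILE=${LOCK_FILE:-/var/lock/subsys/iptables}
PROC_NAMES=${PROC_NAMES:-/proc/net/ip_tables_names}

# Compare what the kernel holds ($2) with what the init script believes ($1).
# Prints "<kernel-active|kernel-inactive>/<lock-present|lock-missing>".
# Files under /proc report size 0, so read the content instead of using -s.
fw_state() {
    tables=$(cat "$2" 2>/dev/null)
    if [ -n "$tables" ]; then k=kernel-active; else k=kernel-inactive; fi
    if [ -f "$1" ]; then l=lock-present; else l=lock-missing; fi
    echo "$k/$l"
}

# List every file under directory $1 that mentions any of the names in
# $2...; this is how to find the boot script that sources filter.sh etc.
find_loader() {
    dir=$1; shift
    for name in "$@"; do
        grep -l -r -- "$name" "$dir" 2>/dev/null || true
    done | sort -u
}

# Number of rules currently loaded (iptables-save needs root; 0 otherwise).
rule_count() {
    iptables-save 2>/dev/null | grep -c '^-A'
}

report() {
    echo "state: $(fw_state "$LOCK_FILE" "$PROC_NAMES")"
    echo "rules in kernel: $(rule_count)"
    # iptables is not a daemon, so "ps aux" never lists it; the loaded
    # netfilter modules are the closest thing to process-table evidence.
    echo "netfilter modules: $(lsmod 2>/dev/null | awk '$1 ~ /tables|ipt_|conntrack/ {print $1}' | tr '\n' ' ')"
    echo "boot scripts referencing $*:"
    for d in /etc/rc.d /etc/sysconfig /etc/iptables; do
        find_loader "$d" "$@"
    done
    # Caveat visible in the posted init script: start() applies only
    # /etc/sysconfig/iptables (it returns 1 when that file is absent) while
    # stop() flushes every rule and sets ACCEPT policies, so without that
    # file a restart leaves the box unfiltered; this matches the symptom in #10.
    [ -f /etc/sysconfig/iptables ] || echo \
        "WARNING: no /etc/sysconfig/iptables; a restart flushes rules and restores none"
}

report filter.sh nat.sh
```

Run it as root on the firewall; a result of kernel-active/lock-missing is exactly the mismatch described in #7 and #8, and the last section names the file to look in for where the xxx.sh rule files are loaded.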
