iptables generation problem

[StackyFof]

Hi everyone,

I don't know if I am in the good section and could you please move my topic in the good one.

I am working on a HG dedicated server with centos. I had to remove a iptables rule in order to let my zabbix agent works but at every reboot, all of my basic iptables rules are regenerate again and I loose my custom iptables rules.

In fact, I have modified /etc/sysconfig/iptables in order to have my custom iptables rules on every reboot. It works fine when I restart iptables : /etc/init.d/iptables restart. It loads my custom rules properly (/etc/sysconfig/iptables) but it does not work when I reboot. I think /etc/sysconfig/iptables is regenerate cause by some other services ?

Actually, let see my /etc/sysconfig/iptables header before reboot :

Quote:

# Generated by iptables-save v1.3.5 on Mon Feb 7 03:59:15 2011

After reboot :

Quote:

# Generated by iptables-save v1.3.5 on Mon Feb 7 04:04:05 2011

I am anticipating some question, enclose my /etc/iptables-config :

Quote:

# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""

# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

I think there are some other programs which regenerate my /etc/sysconfig/iptables with the command iptables-save. We know that iptables-save saves all of the currents iptables rules but where does it come from ?

What do you think about ?

Best regards.

[GatorDavid]

Is it the default HG dedicated server setup? We have a script that is installed (/usr/sbin/firewall) that makes some iptables administration easier. If you add your rule to /etc/firewall/INCLUDE, it should work on reboot.

[StackyFof]

Quote:

Originally Posted by GatorDavid

Is it the default HG dedicated server setup? We have a script that is installed (/usr/sbin/firewall) that makes some iptables administration easier. If you add your rule to /etc/firewall/INCLUDE, it should work on reboot.

Thank you for the quick answer.

But I would like to remove three rules and not add one. The problem is /etc/firewall contains only some iptables rules but not all of them.

In /etc/firewall/INCLUDE :

Quote:

IPTABLES=/sbin/iptables
$IPTABLES -I INPUT -m string --algo bm --string "gifimg.php" -p tcp --dport 21 -j LOG --log-level notice -m limit --limit 1/minute --log-prefix "gifimg.php attempt : "
$IPTABLES -A INPUT -m string --algo bm --string "gifimg.php" -p tcp --dport 21 -j REJECT
$IPTABLES -A OUTPUT -m string --algo kmp --string "gifimg.php" -p tcp --dport 21 -j LOG --log-level notice --log-tcp-options --log-ip-options --log-uid --log-prefix "OUTBOUND-GIFIMG : "
$IPTABLES -A OUTPUT -m string --algo kmp --string "gifimg.php" -p tcp --dport 21 -j DROP

I think there is an extreme solution which is to modify /etc/init.d/firewall in order to start iptables like I want to. Do you have any better solution ?

BR.