Iptables after restart, restores the default rules ... RHEL 7. Need help.

Posted in Red Hat Enterprise Linux. Started 2020-06-06T15:30:23+00:00 by ETG Cloudsupport. Latest response 2021-06-10T15:00:41+00:00.

Responses

Martin Whitfield (Active Contributor, Community Member), 6 June 2020 8:29 PM

You could try using the permanent argument to firewall-cmd to ensure the change remains after a reboot, i.e.:

```
firewall-cmd --zone=publicweb --add-service=ssh --permanent
```

ETG Cloudsupport, 7 June 2020 4:44 AM

Hi Martin,

I have removed the firewalld package from the system; I want to use iptables. Even after flushing the rules, when the system is restarted it again restores the default rules, which I don't want.

Jamie Bainbridge (Red Hat Guru), 7 June 2020 5:43 AM

Once you get the firewall into the state you want, have you saved the rules?

When you run commands like `iptables -A INPUT whatever`, that only changes the running configuration. Saving the changes to disk is a separate operation.

You can `service iptables save` to write the running rules to the /etc/sysconfig/iptables configuration file on disk.

The systemd unit and initscript are provided by the iptables-services package. This needs to be installed.

ETG Cloudsupport, 7 June 2020 2:04 PM

Hi Jamie,

After flushing the default rules I added a port 80 accept rule; when I restarted the system, it again showed me the default rules along with the port 80 rule which I added. I don't want to use the default rules... need your help please.

Martin Whitfield (Active Contributor, Community Member), 7 June 2020 2:34 PM

What are the contents of /etc/sysconfig/iptables and the output of `iptables -L`?

Charles Toman, 9 June 2021 12:59 PM

I added my rules to /etc/iptables.d and did a `service iptables restart`; however, I do not see my rules.

```
[root@proderpdb01 iptables.d]# more pro2boxes.ipset.data
# New Pro2 ipset
add pro2boxes 10.154.102.65
[root@proderpdb01 iptables.d]# more pro2boxes.iptables.data
#!/bin/bash
iptables -A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT
```

Dusan Baljevic (Guru), 9 June 2021 10:37 PM

Good morning Charles,

Let me try to help. I am sorry for being a little bit verbose. My background is electronics/telecommunications engineering, so I tend to look at problems very carefully.

a) Firstly, please refer to this knowledge article on the Red Hat website. It explains why the /etc/iptables.d directory structure is not supported: https://access.redhat.com/solutions/4097681

b) Now, back to your solution. Here is the recipe that certainly works:

1. Create the ipset with the IP addresses you desire:

```
# ipset create pro2boxes hash:ip
# ipset list
Name: pro2boxes
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 120
References: 0
Number of entries: 0
Members:
# ipset add pro2boxes 192.168.77.99
# ipset add pro2boxes 172.16.0.44
# ipset list
Name: pro2boxes
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 1
Number of entries: 2
Members:
172.16.0.44
192.168.77.99
```

2. Add your rule in /etc/sysconfig/iptables:

```
# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

3. Assuming firewalld is disabled, restart iptables and check:

```
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             match-set pro2boxes src tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Best wishes,

Dusan Baljevic (amateur radio VK2COT)

Charles Toman, 10 June 2021 2:33 PM

Thank you! I still cannot connect from my Windows Server to the Linux box. I renamed the rule to pro2box. I loaded the rules and restarted with `service iptables restart`.

```
Name: pro2box
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 440
References: 2
Number of entries: 1
Members:
10.30.15.15
```

```
-A INPUT -p tcp -m set --match-set pro2box src -m tcp --dport 51000:53000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m set --match-set pro2box src -m tcp --sport 51000:53000 -m state --state ESTABLISHED -j ACCEPT
```

Charles Toman, 10 June 2021 3:00 PM

My bad, I had the wrong IP address, sorry. I'm connecting now! YA!
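The two things that went wrong in the thread (a rule still naming a set after it was renamed, and the set holding the wrong client address) can both be caught from text before running `service iptables restart`. The following is an added example, not code from the thread or from Red Hat: it parses a rules file in /etc/sysconfig/iptables format together with `ipset list` output and reports missing sets and non-member clients. The sample rules and ipset output are constructed to reproduce the rename.

```python
import ipaddress
import re

# Constructed sample in /etc/sysconfig/iptables format; rule still names "pro2boxes".
RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample `ipset list` output: the set was renamed to "pro2box".
IPSET_LIST = """\
Name: pro2box
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Members:
10.30.15.15
"""

MATCH_SET_RE = re.compile(r"--match-set\s+(\S+)\s+(src|dst)")

def parse_ipset_list(text):
    """Map each set name in `ipset list` output to its member networks."""
    sets, name, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name: "):
            name, in_members = line[6:].strip(), False
            sets[name] = []
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and name and line.strip():
            # hash:ip members are bare addresses, hash:net members may be CIDRs
            sets[name].append(ipaddress.ip_network(line.strip(), strict=False))
    return sets

def check_rules(rules, ipset_text, client_ip):
    """Return problems found; an empty list means the match-set rules line up."""
    sets = parse_ipset_list(ipset_text)
    client = ipaddress.ip_address(client_ip)
    problems = []
    for name, _direction in MATCH_SET_RE.findall(rules):
        if name not in sets:
            problems.append(f"rule references set '{name}', which does not exist")
        elif not any(client in net for net in sets[name]):
            problems.append(f"{client_ip} is not a member of set '{name}'")
    return problems
```

On a live host, feed it the real file and the output of `ipset list` with the address of the client that cannot connect; a match-set name that does not exist in the kernel also makes `iptables-restore` fail the whole restore, so an empty result is worth confirming before a restart.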