Iptables - RHEL 7


Iptables after restart restores the default rules ... RHEL 7

Need help.

Responses

You could try using the permanent argument to firewall-cmd to ensure the change remains after a reboot, i.e. firewall-cmd --zone=publicweb --add-service=ssh --permanent

Hi Martin, I have removed the firewalld package from the system; I want to use iptables. Even after flushing the rules, when the system is restarted it again restores the default rules, which I don't want.

Once you get the firewall into the state you want, have you saved the rules?

When you run commands like iptables -A INPUT ..., that only changes the running configuration. Saving the changes to disk is a separate operation.

You can run service iptables save to write the running rules to the /etc/sysconfig/iptables configuration file on disk.

The systemd unit and initscript are provided by the iptables-services package. This needs to be installed.

Hi Jamie, after flushing the default rules I added a port 80 accept rule; when I restarted the system, it again showed me the default rules along with the port 80 rule I had added.

I don't want to use the default rules... need your help please.

What are the contents of /etc/sysconfig/iptables
and the output of
iptables -L

I added my rules to /etc/iptables.d and did a service iptables restart, however I do not see my rules..

[root@proderpdb01 iptables.d]# more pro2boxes.ipset.data
# New Pro2
ipset add pro2boxes 10.154.102.65

[root@proderpdb01 iptables.d]# more pro2boxes.iptables.data
#!/bin/bash
iptables -A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT

Good morning Charles,

Let me try to help. I am sorry for being a little bit verbose. My background is electronics/telecommunications engineering, so I tend to look at problems very carefully.

a) Firstly, please refer to this knowledge article on the Red Hat website. It explains why the /etc/iptables.d directory structure is not supported:

https://access.redhat.com/solutions/4097681

b) Now, back to your solution. Here is the recipe that certainly works:

1. Create ipset with IP addresses you desire:

# ipset create pro2boxes hash:ip

# ipset list
Name: pro2boxes
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 120
References: 0
Number of entries: 0
Members:

# ipset add pro2boxes 192.168.77.99

# ipset add pro2boxes 172.16.0.44

# ipset list
Name: pro2boxes
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 216
References: 1
Number of entries: 2
Members:
172.16.0.44
192.168.77.99

2. Add your rule in /etc/sysconfig/iptables:

# cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

3. Assuming firewalld is disabled, restart iptables and check:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             match-set pro2boxes src tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

Best wishes,

Dusan Baljevic (amateur radio VK2COT)
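A preflight check for the recipe above, added here as an example and not part of the original thread: iptables-restore aborts the whole table if a rule references a set that does not exist, so if the set is not restored before iptables at boot, none of the rules in /etc/sysconfig/iptables load. The script extracts the --match-set names from an iptables-save style ruleset and reports any missing from a list of defined sets; the ruleset and set list below are constructed samples, and on a live box you would pass "$(cat /etc/sysconfig/iptables)" and "$(ipset list -n)" instead.

```shell
# Constructed sample: an /etc/sysconfig/iptables-style ruleset (iptables-save format).
# The second --match-set rule references a set that is deliberately not defined.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m set --match-set pro2boxes src --dport 22 -j ACCEPT
-A INPUT -p tcp -m set --match-set mgmtnets src --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: what "ipset list -n" prints, one set name per line.
DEFINED_SETS='pro2boxes'

# Print every set name used by a --match-set in the ruleset, once, sorted.
referenced_sets() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }
    ' | sort -u
}

# Print referenced sets that are absent from the defined list ($2).
# Empty output means iptables-restore will find every set it needs.
missing_sets() {
    referenced_sets "$1" | while read -r name; do
        printf '%s\n' "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Exit 0 when every referenced set is defined, 1 otherwise.
check_ruleset() {
    [ -z "$(missing_sets "$1" "$2")" ]
}

# Stand-alone run on the samples: report what a restart would choke on.
missing="$(missing_sets "$RULES" "$DEFINED_SETS")"
if [ -n "$missing" ]; then
    echo "sets referenced in ruleset but not defined (iptables-restore would abort):"
    echo "$missing"
fi
```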

Thank you! I still cannot connect from my Windows Server to the Linux box. I renamed the set to pro2box, loaded the rules, and restarted with service iptables restart.

Name: pro2box
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 440
References: 2
Number of entries: 1
Members:
10.30.15.15

-A INPUT -p tcp -m set --match-set pro2box src -m tcp --dport 51000:53000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m set --match-set pro2box src -m tcp --sport 51000:53000 -m state --state ESTABLISHED -j ACCEPT

My bad, I had the wrong IP address, sorry. I'm connecting now! YA!