Why is the stopped iptables service started again after a system reboot or after running the 'iptables -L' command?

Solution Verified

Environment

  • Red Hat Enterprise Linux (Any version)
  • iptables

Issue

  • After stopping the service, service iptables status reports it as stopped (Firewall is not running), but when iptables -L is run it prints the INPUT, FORWARD and OUTPUT chains. From then on, service iptables status shows the same output as iptables -L instead of Firewall is not running.
[root@test ~]# iptables -L
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

[root@test ~]#
  • Why is the above output shown instead of simply reporting that the firewall is stopped or the service is not running?
  • We could see that the iptables service had been started on a few topsweb servers which were in the stopped state earlier.
    Could you please help us find out whether the service has been restarted automatically or not?

Resolution

  • This happens because, after the iptables service has been stopped, the next run of the iptables -L command loads the ip_tables kernel module, and the chain listing is produced from that freshly loaded module. This is also why service iptables status no longer reports Firewall is not running: its check sees the loaded module, not the absence of rules.
  • After the service is stopped, iptables -L shows the INPUT, FORWARD and OUTPUT chains with no rules in them (empty chains), which means no iptables rules are active or loaded.
  • The iptables -L output seen after stopping the service is therefore not harmful. Only after the iptables service is started again are the rules loaded, and only then do the active rules appear in the iptables -L output.

Diagnostic Steps

  • Below are the reproducer steps. First, stop the iptables service:
[root@test ~]# service iptables stop
iptables: Setting chains to policy ACCEPT: nat mangle filte[  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@test ~]# 

[root@test ~]# service iptables status
iptables: Firewall is not running.
[root@test ~]#
  • The ip_tables module is not loaded at this point:
[root@test ~]# lsmod |grep ip
ip6table_filter         2889  0 
ip6_tables             18732  1 ip6table_filter
ipt_REJECT              2351  0 
ipv6                  317340  36 cnic,mac80211
[root@test ~]# 
  • Now run the iptables -L command:
[root@test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@test ~]# 
  • The ip_tables module is now loaded:
[root@test ~]# lsmod |grep ip
iptable_filter          2793  0 
ip_tables              17831  1 iptable_filter     <---- ip_tables module loaded.
ip6table_filter         2889  0 
ip6_tables             18732  1 ip6table_filter
ipt_REJECT              2351  0 
ipv6                  317340  36 cnic,mac80211
[root@test ~]# 
  • service iptables status now shows the same output as iptables -L (instead of Firewall is not running):
[root@test ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

[root@test ~]# 
  • Now start the iptables service again:
[root@test ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
You have new mail in /var/spool/mail/root
[root@test ~]# 
[root@test ~]# 
  • iptables -L output after starting the iptables service:
[root@test ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@test ~]# 
[root@test ~]# 
  • All the related modules are loaded now:
[root@test ~]# lsmod |grep ip
nf_conntrack_ipv4       9506  2 
nf_defrag_ipv4          1483  1 nf_conntrack_ipv4
nf_conntrack           79758  2 nf_conntrack_ipv4,xt_state
iptable_filter          2793  1 
ip_tables              17831  1 iptable_filter
ip6table_filter         2889  0 
ip6_tables             18732  1 ip6table_filter
ipt_REJECT              2351  2 
ipv6                  317340  36 cnic,mac80211
[root@test ~]# 
  • So even though rules are configured on the system, after stopping the iptables service they are not loaded when iptables -L is run. Compare the iptables -L output above after stopping the service with the output after starting it again.
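A check that tells apart the three states the reproducer above walks through (ip_tables module unloaded, module loaded with empty chains, rules actually applied) is added here as an example; it is not part of the article or of the iptables init script. It parses constructed lsmod and iptables -L text modelled on the listings above; on a live RHEL 6 host you would pass it the real output of lsmod and iptables -L instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: classify firewall state from
# 'lsmod' and 'iptables -L' text so "module loaded, no rules" is not read as
# "firewall running". Uses constructed sample output, so it runs offline.

# Real rule lines in 'iptables -L' output: skip chain headers, the column
# header ("target prot ..." or "num target prot ..."), "Table:" and blanks.
count_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / || /^(num +)?target +prot/ || /^Table:/ || NF == 0 { next }
        { n++ }
        END { print n + 0 }'
}

# True when the ip_tables module is listed by lsmod (first column).
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "ip_tables" { found = 1 } END { exit found ? 0 : 1 }'
}

# firewall_state LSMOD_TEXT IPTABLES_L_TEXT -> stopped | module-loaded-no-rules | running
firewall_state() {
    if ! module_loaded "$1"; then
        echo stopped
    elif [ "$(count_rules "$2")" -eq 0 ]; then
        echo module-loaded-no-rules   # the state 'service iptables status' misreports
    else
        echo running
    fi
}

# Constructed samples modelled on the article's before/after listings.
LSMOD_STOPPED='ip6table_filter         2889  0
ipt_REJECT              2351  0'
LSMOD_LOADED="iptable_filter          2793  0
ip_tables              17831  1 iptable_filter
$LSMOD_STOPPED"
IPT_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'
IPT_RULES="Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited"

firewall_state "$LSMOD_STOPPED" "$IPT_EMPTY"   # stopped
firewall_state "$LSMOD_LOADED"  "$IPT_EMPTY"   # module-loaded-no-rules
firewall_state "$LSMOD_LOADED"  "$IPT_RULES"   # running
```

For the customer's question above (was the service restarted?), the useful signal is count_rules being non-zero, not the module being loaded.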

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
