Unable to flush the iptables rules. The rules are restored automatically after a few seconds.

Solution Verified

Environment

  • Red Hat Enterprise Linux (All versions)
  • iptables

Issue

  • Unable to flush the iptables rules after running the commands below:
iptables -F
iptables -X
service iptables save
  • The rules are restored automatically after a few seconds.

Resolution

  • Run the commands below to stop the services belonging to the packages illumio-ven and TaniumClient:
systemctl stop illumio-ven.service
systemctl stop taniumclient.service
  • After this change, flush the ruleset again and monitor the system to confirm that the rules are no longer loaded automatically. If the issue persists, contact the vendor who provided the packages.

Root Cause

  • The packages illumio-ven and taniumclient can act as firewall managers and are known to load firewall rules on their own.

  • In this case illumio-ven is the component loading the rules automatically; TaniumClient also has this capability. Hence the rules get restored after every reboot.

Diagnostic Steps

  • Check the prefix of the chains created; chains named ILO-* identify the ruleset loaded by illumio-ven:
iptables -vnxL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
  161656 11227114 ILO-FILTER-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ILO-FILTER-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       1       60 ILO-FILTER-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ILO-FILTER-ACCEPT (13 references)
    pkts      bytes target     prot opt in     out     source               destination         
   15102  1015648 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-prefix  "ilo 13000040 6d933a81-2bd3-4335-a8c3-b9a771ba5d66" nflog-threshold 1
   15102  1015648 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
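The following POSIX shell helper is an added example, not part of the Red Hat solution or of either vendor's software. It automates the two diagnostic steps above: it parses `iptables -vnxL` output for user-defined chains carrying the ILO-* prefix that the article attributes to illumio-ven, counts how many built-in chains jump into them, reports the state of the two units named in the Resolution, and provides a polling loop for the "monitor the system" step. The embedded listing is a constructed sample modelled on the output above so the parsing functions can be exercised without root; the function names are this example's own choice.

```sh
#!/bin/sh
# Added diagnostic helper; not part of the Red Hat solution above.
# Assumptions: chains named ILO-* belong to illumio-ven (the prefix the
# article tells you to look for); the unit names are the two given in the
# Resolution section. Function names here are this example's own choice.

# Constructed sample of `iptables -vnxL` output, modelled on the article's
# listing, so the parsing functions can be exercised without root.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  161656 11227114 ILO-FILTER-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ILO-FILTER-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       60 ILO-FILTER-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ILO-FILTER-ACCEPT (13 references)
    pkts      bytes target     prot opt in     out     source               destination
   15102  1015648 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            nflog-prefix  "ilo 13000040 6d933a81-2bd3-4335-a8c3-b9a771ba5d66" nflog-threshold 1
   15102  1015648 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the user-defined chains whose name starts with PREFIX (default ILO-).
# Reads `iptables -vnxL` output on stdin.
foreign_chains() {
    prefix="${1:-ILO-}"
    awk -v p="$prefix" '$1 == "Chain" && index($2, p) == 1 { print $2 }'
}

# Count rules in the built-in chains (INPUT/FORWARD/OUTPUT) whose target is a
# PREFIX chain, i.e. the hooks through which the foreign ruleset is wired in.
# Reads `iptables -vnxL` output on stdin.
jump_count() {
    prefix="${1:-ILO-}"
    awk -v p="$prefix" '
        $1 == "Chain" { chain = $2; next }
        (chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT") &&
            index($3, p) == 1 { n++ }
        END { print n + 0 }'
}

# Report the state of the two units the Resolution section names.
manager_units() {
    for u in illumio-ven.service taniumclient.service; do
        if command -v systemctl >/dev/null 2>&1; then
            printf '%s: %s\n' "$u" "$(systemctl is-active "$u" 2>/dev/null || true)"
        else
            printf '%s: systemctl not available\n' "$u"
        fi
    done
}

# The "monitor the system" step: poll the live ruleset for SECONDS, every
# INTERVAL seconds, printing the rule count and the number of ILO-* chains.
# If the counts climb back after a flush, a firewall manager is still active.
watch_restore() {
    seconds="${1:-60}" interval="${2:-5}" elapsed=0
    while [ "$elapsed" -le "$seconds" ]; do
        rules=$(iptables -S | grep -c '^-A' || true)
        chains=$(iptables -vnxL | foreign_chains | wc -l)
        printf '%4ss  rules=%s  ILO-chains=%s\n' "$elapsed" "$rules" "$chains"
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Offline demonstration on the constructed sample (no root needed).
printf 'Foreign chains: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | foreign_chains | tr '\n' ' ')"
printf 'Built-in hooks into ILO-*: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | jump_count)"
```

On a live system, run `iptables -vnxL | foreign_chains` and `manager_units` before the flush, then `watch_restore 60 5` after it: a rule count that climbs back within the first few polls while either unit reports `active` points to that unit as the firewall manager restoring the rules.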

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
