Fedora Linux Support Community & Resources Center

  #16  
Old 23rd November 2006, 10:59 PM
crab_com Offline
Registered User
 
Join Date: Oct 2006
Posts: 124
ahhh ok...
  #17  
Old 30th November 2006, 03:31 PM
OJ287 Offline
Registered User
 
Join Date: Nov 2006
Posts: 2
Similar problem with FC6

Giulix,

I have a similar problem. I do not use samba, but I run my home FC6
machine as a server. I copied /etc/sysconfig/iptables from my office FC2
machine to my home FC6 machine. Those rules were installed by my sysadmin
and they allow ports 20,21,22,80 and ping. iptables starts at boot time
on my FC6 machine with no error messages, but the firewall makes my machine
invisible from the outside world. Ports 20,21,22,80 and ping
are closed. If after a successful boot I manually run
Code:
/etc/init.d/iptables stop
/etc/init.d/iptables start
then iptables re-starts correctly and ports 20,21,22,80 are opened.
What is wrong? Why does iptables not work when it starts at boot time?
How do I debug and fix this bug?
  #18  
Old 30th November 2006, 08:37 PM
crab_com Offline
Registered User
 
Join Date: Oct 2006
Posts: 124
That's what I wanted to know because I did unblock the ports and everything...

lol... but I went back to FC5, backed up everything and used that as a fix
now everything is running fine
  #19  
Old 30th November 2006, 09:30 PM
giulix Offline
"Fixed" by (vague) request
 
Join Date: Oct 2005
Location: GMT+ 1
Posts: 2,950
Unfortunately, I have only one system running FC6 and that is my gateway to the Internet, so I cannot make tests on it, like run the standard iptables configuration tool provided by Fedora. Hopefully, someone who is really knowledgeable about the inner workings of netfilter (the subsystem of the Linux kernel that provides the firewall functionality, configured by iptables) will shed some light on these issues, but she/he will need your iptables printouts. As far as I am concerned, I again advise whoever intends to have a working and reliable set of rules to use one of the mainstream tools, like the ones I mentioned before. They won't be the best choices to understand the inner workings of iptables, but they work, and they work well. Personally, I use shorewall: it has served me well for the past 4 years. Contrary to firestarter, it has no graphical interface (it is supported by webmin as a standard module, though), but it is far more powerful. Anyway, for basic purposes, firestarter is an excellent choice. None of them require deep insights into iptables and may be operated with minimum effort by any sysadmin, even an untalented one such as myself. What else can I say? Try one of them or both, look at what they are capable of and make your choice.

Last edited by giulix; 30th November 2006 at 09:56 PM. Reason: Added some useful links
  #20  
Old 30th November 2006, 10:27 PM
OJ287 Offline
Registered User
 
Join Date: Nov 2006
Posts: 2
Giulix,

The problem is not that my /etc/sysconfig/iptables is wrong.
The file is correct. And it works correctly. The problem is that iptables
incorrectly starts at boot time. In order to start my iptables, I have to stop
iptables launched at boot process and re-start them again. A quick
workaround, which I think may fix crab_com's problem, is to add
Code:
/etc/init.d/iptables stop
/etc/init.d/iptables start
to the end of /etc/rc.local

As far as I understand, programs shorewall and firestarter are actually
frontends to iptables rules. They modify file /etc/sysconfig/iptables.
Do they modify start-up scripts as well?

When I started fresh FC6, I noticed that all ports were closed.
FC6 installation process put nothing in /etc/sysconfig/iptables
Is it a documented "feature": to block everything unless you disable
iptables? Or did I miss something in the installation process? Or at boot time
do the startup files use not the rules in /etc/sysconfig/iptables but rules
defined in some other file?

Although shorewall and firestarter may be useful for a custom firewall
setup, we need to figure out how to use user-supplied /etc/sysconfig/iptables
because using specific iptables may be mandated by a corporate policy:
Quote:
Either you put the file with these iptables rules, or we will block
your ip address.
Reply With Quote
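One way to investigate the boot-time mismatch OJ287 describes, added here as an example and not part of any poster's message: snapshot the live ruleset at the end of boot and again after the manual stop/start, then diff the two. The function names, the /root/rules.* paths and the sample snapshots are assumptions constructed for illustration.

```shell
# Added example, not from the thread. Capture the live ruleset twice with the
# real iptables-save tool, e.g. "iptables-save > /root/rules.boot" at the end of
# /etc/rc.local and "iptables-save > /root/rules.restart" after the manual
# stop/start, then pass both files as arguments. The /root paths are assumed names.

# Strip what changes between runs without changing meaning: comment lines
# (they carry timestamps), blank lines and [packets:bytes] counters.
normalize_rules() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*\]//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Exit 0 if both snapshots describe the same ruleset, 1 if they differ.
# Rule order is significant in iptables, so lines are diffed, not sorted.
compare_snapshots() {
    tmp=$(mktemp -d) || return 2
    normalize_rules "$1" > "$tmp/boot"
    normalize_rules "$2" > "$tmp/restart"
    diff -u "$tmp/boot" "$tmp/restart"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample snapshots (not real output from the poster's machine).
write_samples() {
    cat > "$1/rules.boot" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [14:1120]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    cat > "$1/rules.restart" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

if [ "$#" -eq 2 ]; then compare_snapshots "$1" "$2"; exit $?; fi
```

Lines prefixed with `+` in the diff are rules that exist only after the manual restart; an empty diff means the boot-time load matched and the cause lies elsewhere.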
  #21  
Old 30th November 2006, 10:51 PM
giulix Offline
"Fixed" by (vague) request
 
Join Date: Oct 2005
Location: GMT+ 1
Posts: 2,950
Quote:
Originally Posted by OJ287
As far as I understand, programs shorewall and firestarter are actually
frontends to iptables rules.
Correct.
Quote:
Originally Posted by OJ287
They modify file /etc/sysconfig/iptables.
Do they modify start-up scripts as well?
Incorrect, they are tools totally separate from Fedora's standard tool and they use their own scripts (this is true for shorewall, not sure about firestarter). That's why, if you switch to one of them, you'll have to disable Fedora's standard iptables tool entirely. Shorewall installs its own startup script in /etc/init.d. Again, it has nothing to do with the standard iptables scripts: it's called shorewall.
Quote:
Originally Posted by OJ287
When I started fresh FC6, I noticed that all ports were closed.
FC6 installation process put nothing in /etc/sysconfig/iptables
Is it a documented "feature": to block everything unless you disable
iptables? Or did I miss something in the installation process? Or at boot time
do the startup files use not the rules in /etc/sysconfig/iptables but rules
defined in some other file?
Probably done during installation process... I wouldn't know for sure
Quote:
Originally Posted by OJ287
Although shorewall and firestarter may be useful for a custom firewall
setup, we need to figure out how to use user-supplied /etc/sysconfig/iptables
because using specific iptables may be mandated by a corporate policy:
I think you completely missed my point, but then again if your policies require you to leave the standard firewall tool unaltered, you'll have to dig into the scripts which start/stop iptables to figure out exactly what's happening. Sorry I can't help more...
  #22  
Old 1st December 2006, 08:37 AM
crab_com Offline
Registered User
 
Join Date: Oct 2006
Posts: 124
haha nah that's fine fellas, I just downgraded to FC5 as it is more stable and more reliable than FC6 atm....

lol and needed a quick fix for the iptables thanks for all your help...