12

I installed a minimal CentOS 7 version on a development server to virtualize some Linux guests with kvm/qemu.

To use iptables instead of firewalld I install iptables-services and do:

systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables

SELinux is disabled by editing /etc/sysconfig/selinux.

My rules for iptables are the following:

iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

Now I save my settings with the following command:

iptables-save > /etc/sysconfig/iptables

My iptables file looks like this:

# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*mangle
:PREROUTING ACCEPT [16736:10889078]
:INPUT ACCEPT [1063:106860]
:FORWARD ACCEPT [15679:10784186]
:OUTPUT ACCEPT [570:71275]
:POSTROUTING ACCEPT [15728:10809742]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*filter
:INPUT ACCEPT [868:81772]
:FORWARD ACCEPT [8328:7311589]
:OUTPUT ACCEPT [233:32016]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Thu Aug 20 10:46:40 2015
# Generated by iptables-save v1.4.21 on Thu Aug 20 10:46:40 2015
*nat
:PREROUTING ACCEPT [1308:86998]
:INPUT ACCEPT [77:12475]
:OUTPUT ACCEPT [1:72]
:POSTROUTING ACCEPT [1228:74319]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Thu Aug 20 10:46:40 2015

A quick check to see if my rules are correct for now:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

But after rebooting the server the iptables rules look like this:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

I don't understand where the other rules come from.

When calling iptables-restore -c /etc/sysconfig/iptables the expected rules are displayed.

It seems that the saved rules are not loaded at boot-time or that the "default"-rules are not flushed or whatever.

What is the problem here??? I'm slowly getting gray hairs...

Thanks for your quick responses :)

As mentioned above, the iptables-services package was installed by me:

[root@dev1 ~]# rpm -aq iptables-services
iptables-services-1.4.21-13.el7.x86_64

Enabling the service with systemctl enable iptables.service instead of using systemctl enable iptables seems to make no difference because the same service file is linked:

[root@dev1 ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@dev1 ~]# systemctl enable iptables.service
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'

This is the content of the iptables file after calling /usr/libexec/iptables/iptables.init save:

[root@develcluster1 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:PREROUTING ACCEPT [351490:22546787]
:INPUT ACCEPT [15751:2400243]
:OUTPUT ACCEPT [324:21186]
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*filter
:INPUT ACCEPT [505048:69178501]
:FORWARD ACCEPT [55815086:22035726185]
:OUTPUT ACCEPT [325986:56595531]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Fri Aug 21 14:34:04 2015
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*mangle
:PREROUTING ACCEPT [109215513:66867793592]
:INPUT ACCEPT [505243:69203589]
:FORWARD ACCEPT [108710264:66798590873]
:OUTPUT ACCEPT [326323:56634790]
:POSTROUTING ACCEPT [109036066:66855179944]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Fri Aug 21 14:34:04 2015

After a reboot, a call to iptables -L doesn't show my saved rules:

[root@dev1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             10.0.1.0/24          ctstate RELATED,ESTABLISHED
ACCEPT     all  --  10.0.1.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

Maybe I'm doing something fundamentally wrong. But every thread I read does this the same way and it should work.

If you need more information please tell me.

Meanwhile, I helped myself with a small script that I must call after each reboot.

#!/bin/sh

# Zero the counters, flush all rules and delete user-defined chains in the
# filter table and in the nat table
iptables -Z
iptables -F
iptables -X
iptables -t nat -Z
iptables -t nat -F
iptables -t nat -X
# Re-add the two rules the guests need: NAT out of enp6s0, forwarding into virbr0
iptables -t nat -A POSTROUTING -o enp6s0 -j MASQUERADE
iptables -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT

# Flush the filter table again and load the saved rule set (with its counters)
iptables --flush
iptables-restore -c /etc/sysconfig/iptables

That's not sexy but works so far. But it can't be the final solution.

Michael Hampton
elpado
  • Have you checked firewalld, as it's CentOS 7? Related link: http://serverfault.com/questions/626521/centos-7-save-iptables-settings Hope I'm not out of subject. Please check also this answer http://stackoverflow.com/a/24827438/2522966 that's telling you to stop and mask the firewalld service (`service stop|mask firewalld`) – Nico Aug 21 '15 at 13:29
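The comparison the question makes by eye (the saved file versus what iptables shows after a reboot) can be scripted so that rules nobody saved stand out. This is an added example, not code from the question or from any answer; it assumes both inputs are in iptables-save format, and the sample live dump's virbr0 rules are constructed to stand in for the libvirt-added rules shown above.

```shell
#!/bin/sh
# Added example (not from the question or answers): diff a saved
# /etc/sysconfig/iptables against a live "iptables-save -c" dump.
# Normalise one dump: drop comments and COMMIT, strip [pkts:bytes]
# counters (policy lines and -c rule lines), prefix lines with the table.
normalize_dump() {
    sed -e '/^#/d' -e '/^COMMIT$/d' -e 's/ *\[[0-9]*:[0-9]*] *//' "$1" |
    awk '/^\*/ { table = substr($0, 2); next } { print table " " $0 }' |
    LC_ALL=C sort
}

# Print saved rules absent from the live set ("missing live") and live
# rules that the saved file does not contain ("unexpected live").
iptables_drift() {
    s=$(mktemp); l=$(mktemp)
    normalize_dump "$1" > "$s"
    normalize_dump "$2" > "$l"
    LC_ALL=C comm -23 "$s" "$l" | sed 's/^/missing live: /'
    LC_ALL=C comm -13 "$s" "$l" | sed 's/^/unexpected live: /'
    rm -f "$s" "$l"
}

# Constructed samples: $1 = a saved file like the one in the question,
# $2 = a live dump that also carries the rules libvirt adds for virbr0.
write_samples() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Fri Aug 21 14:34:04 2015
*nat
:POSTROUTING ACCEPT [304860:18293418]
-A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [55815086:22035726185]
-A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
    cat > "$2" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
[12:800] -A POSTROUTING -o enp6s0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
[3:200] -A FORWARD -d 10.0.1.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i enp6s0 -o virbr0 -j ACCEPT
COMMIT
EOF
}
```

On the host, dump the live rules with iptables-save -c into a file and pass it as the second argument together with /etc/sysconfig/iptables.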

6 Answers

14

I think you need to enable the service with:

systemctl enable iptables.service

and you need to run the iptables init script to save your rules like this:

/usr/libexec/iptables/iptables.init save

Henrik Pingel
5

Ensure you have the iptables-services package installed:

rpm -aq iptables-services

If not install it:

yum install iptables-services

You can then use the service command to control it just like with previous versions of CentOS:

service iptables save

The save, stop, start, restart commands will all work and it should load on boot.

Gene
  • I have the iptables command. But `rpm -aq iptables-services` does not output anything. What does that mean? – Saad Masood Sep 07 '15 at 08:35
  • `rpm -aq` by itself will list all packages installed on a system and their version. `rpm -aq ` will print out information about the defined package if it's installed. If `rpm -aq iptables-services ` returns nothing that means the 'iptables-services' package is not installed. – Gene Sep 07 '15 at 13:49
  • If you have a question specific to CentOS 7 and AWS then you should post a whole new question, not make comments on an unrelated answer. I have no idea what packages Amazon keeps in their repositories, but I can tell you that `iptables-services` is available in the standard, base CentOS 7 repository. – Gene Sep 07 '15 at 14:47
1

I got around this by appending the 'service iptables stop \ iptables --flush' command to the bottom of /etc/rc.d/rc.local.

My environment was CentOS 7 KVM and my issue was that libvirt would re-populate the iptables on a reboot, blocking access to my virtual machines.

3pence
0

I had the same problem, so I got to this page.

While testing the remove-and-reinstall-iptables solution, I noticed I already had firewalld installed (it should have been disabled, but I am not sure if it was). Removing firewalld with:

yum remove firewalld

And everything went right.

kenlukas
0

Try this:

systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
yum -y remove iptables-services
yum -y install iptables-services
systemctl start iptables
systemctl status iptables

echo '# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT' > /etc/sysconfig/iptables

Execute your iptables rules here now.

iptables-save > /etc/sysconfig/iptables
iptables-restore < /etc/sysconfig/iptables
systemctl restart iptables
systemctl restart iptables
systemctl enable iptables.service
Gerald Schneider
0

If I remember correctly one of the virtualization services (and you seem to be running one, judging from the virbr0 interface name) was adding some firewall rules itself to accommodate configured virtual networks and interfaces. Please have a look into this area (and libvirt-daemon is likely a good starting point).

I don't know however if the fact that it seems to overwrite your rules is a bug or a feature. RedHat seems to be pretty focused on firewalld as the firewalling solution in RHEL (and this goes directly to CentOS unchanged as well) and they may not support correct operation of their virtualization solutions with firewalld alternatives.

Tomek