how to save iptables rules permanently?

1

I want to keep some iptables rules permanent, so I just add the rules manually:

/sbin/iptables -I OUTPUT -p tcp --sport 80 -j QUEUE

I am sure that the command works, because I could see it after executing iptables -vnL. Unfortunately, I find it disappearing after an hour or so, without rebooting or restarting iptables, because I could not see it after executing iptables -vnL later on.

First of all, I am sure there is no one executing a command like iptables -F. I also found one related row in /var/log/message:

Dec 18 10:10:50 zt_21_23 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team

I found this to be kernel behaviour after Googling. Someone said iptables would rebuild the rules, but he didn't say what the triggering condition is. I also checked the iptables configuration file (/etc/sysconfig/iptables-config), but I could not find any configuration item that could make iptables rebuild the rules.

I have to add the rules at set intervals using crontab if I want to keep them permanent.

To sum up:

  1. How do I stop iptables from reverting the rules I add?
  2. When will iptables rebuild its rules, and what is the triggering condition?
  3. Which rules would be reloaded when iptables rebuilds, and where are these rules saved?

PS. Modifying /etc/sysconfig/iptables, or using iptables-save and iptables-restore could work, but the rules still disappear after an hour or so.

I am using Linux (2.6.18-308.24.1.el5 x86_64).

Mark

Posted 2014-12-18T06:11:04.110

Reputation: 13

Obviously somebody else is changing the rules. Do you stop the iptables service, make the change and then restart it each time? – mdpc – 2014-12-18T07:55:48.817

There is no one changing the rules (because nobody but me knows the password). And I don't restart iptables, and I don't reboot. – Mark – 2014-12-18T09:38:26.287

I think @mdpc means you should stop the service, make your changes then start the service which basically saves those changes. Maybe it has a problem saving your changes while it's running and if the service is stopped, then you can make the changes without worrying about anything currently running and conflicting. – Andrew – 2014-12-18T11:17:44.053

I have tried, but it still didn't work. I added the rules in /etc/sysconfig/iptables, rebooted, restarted iptables, and then found the rules existed, but they would disappear after an hour. – Mark – 2014-12-18T11:40:22.017

Answers

3

Something or someone is removing your rules or restarting the iptables service. The kernel doesn't just do that automatically. To stop it, you first need to figure out what is doing it. I'd start with checking to see if something is restarting the iptables service. To figure this out, add the following to /etc/init.d/iptables:

date >> /tmp/iptables-service.log
ps -f $PPID >> /tmp/iptables-service.log

Then after your rules "disappear" check the /tmp/iptables-service.log file to see who/what ran the iptables service script.

If you don't see a /tmp/iptables-service.log file, then something ran the /sbin/iptables command directly. To find what is running this command, rename /sbin/iptables to /sbin/iptables.real and then create the following script and save it as /sbin/iptables:

#!/bin/bash
# Log the time and the parent process of every iptables invocation,
# then hand off to the renamed real binary (not to this script itself,
# which would loop forever). "$@" keeps quoted arguments intact.
date >> /tmp/iptables-cmd.log
ps -f $PPID >> /tmp/iptables-cmd.log
exec /sbin/iptables.real "$@"

Don't forget to set the script as executable: chmod a+x /sbin/iptables. Also note that your actual iptables command might be something like /sbin/iptables-multi-1.4.7, depending on how you have alternatives configured.

Then as before, look at the /tmp/iptables-cmd.log file to see who/what is running the command. Once you know the cause, you should be able to prevent it.

gogators

Posted 2014-12-18T06:11:04.110

Reputation: 1 183
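A fuller version of the wrapper from the answer above, added here as an example and not part of the original answer: it records the whole chain of parent processes rather than only $PPID, so the cron job, daemon or login shell that ultimately issued the iptables command shows up in the log. It assumes a Linux /proc filesystem and that the real binary was renamed to /sbin/iptables.real as the answer describes; the LOG and REAL variables and the IPTABLES_WRAPPER_LOG override are this example's own.

```shell
#!/bin/sh
# Added wrapper for /sbin/iptables: logs every invocation together with the
# whole parent-process chain, then hands off to the real binary.
# Assumes the real binary was renamed to /sbin/iptables.real (as in the answer)
# and a Linux /proc filesystem. LOG and REAL are this example's own variables.
LOG=${IPTABLES_WRAPPER_LOG:-/tmp/iptables-cmd.log}
REAL=/sbin/iptables.real

# Parent pid of $1, read from /proc/<pid>/stat (the field after "(comm) State").
ppid_of() {
    sed 's/^.*) [^ ]* \([0-9][0-9]*\) .*/\1/' "/proc/$1/stat" 2>/dev/null
}

# Print one "pid cmdline" line per process, from $1 up to (but excluding) init.
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] 2>/dev/null; do
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        pid=$(ppid_of "$pid")
    done
}

# Append one record to $LOG: timestamp, user, the iptables arguments, and the
# chain of callers (the line for $PPID is the script or daemon that ran us).
log_invocation() {
    {
        printf '%s user=%s args=[%s]\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
            "${USER:-$(id -un)}" "$*"
        ancestry "$PPID" | sed 's/^/    caller /'
    } >> "$LOG"
}

# When installed as /sbin/iptables and the real binary is in place, log and hand
# off with the arguments intact ("$@", not $*, so quoted arguments survive).
# If the real binary is missing, only the functions above are defined.
if [ -x "$REAL" ]; then
    log_invocation "$@"
    exec "$REAL" "$@"
fi
```

After the rules next vanish, the "caller" lines under the matching timestamp in /tmp/iptables-cmd.log name the process that issued the command and everything above it.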