Also, after your explanation of how iptables-restore works, I thought the boot log might be useful.
So shortly after gathering the info shown in the previous post, with no changes to services, I rebooted the system. My rules were not added and I could not connect using ssh or samba. Here is the relevant section of output from journalctl -ab, covering firewall startup:
Code:
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting /etc/rc.d/rc.local Compatibility...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting OpenSSH server daemon...
Nov 14 12:11:17 DB2-Backup systemd[1]: Reached target Network is Online.
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Shorewall IPv4 firewall...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Samba SMB Daemon...
Nov 14 12:11:17 DB2-Backup ntpd[829]: Listen normally on 6 enp4s0 192.168.254.17:123
Nov 14 12:11:17 DB2-Backup ntpd[829]: new interface(s) found: waking up resolver
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Permit User Sessions.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Command Scheduler.
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) STARTUP (1.5.4)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (Syslog will be used instead of sendmail.)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 50% if used.)
Nov 14 12:11:17 DB2-Backup crond[1532]: (CRON) INFO (running with inotify support)
Nov 14 12:11:17 DB2-Backup sshd[1528]: Server listening on 0.0.0.0 port 22.
Nov 14 12:11:17 DB2-Backup sshd[1528]: Server listening on :: port 22.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started OpenSSH server daemon.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started /etc/rc.d/rc.local Compatibility.
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Hold until boot process finishes up...
Nov 14 12:11:17 DB2-Backup systemd[1]: Starting Terminate Plymouth Boot Screen...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Starting Shorewall....
Nov 14 12:11:17 DB2-Backup systemd[1]: Received SIGRTMIN+21 from PID 325 (plymouthd).
Nov 14 12:11:17 DB2-Backup systemd[1]: Received SIGRTMIN+21 from PID 325 (plymouthd).
Nov 14 12:11:17 DB2-Backup systemd[1]: plymouth-quit-wait.service: Succeeded.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Hold until boot process finishes up.
Nov 14 12:11:17 DB2-Backup systemd[1]: plymouth-quit.service: Succeeded.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Terminate Plymouth Boot Screen.
Nov 14 12:11:17 DB2-Backup systemd[1]: Started Getty on tty1.
Nov 14 12:11:17 DB2-Backup systemd[1]: Reached target Login Prompts.
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Initializing...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Processing /etc/shorewall/init ...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Processing /etc/shorewall/tcclear ...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Route Filtering...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Martian Logging...
Nov 14 12:11:17 DB2-Backup shorewall[1529]: Setting up Proxy ARP...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Preparing iptables-restore input...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Running /sbin/iptables-restore --wait 60...
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Processing /etc/shorewall/start ...
Nov 14 12:11:18 DB2-Backup kernel: netfilter PSD loaded - (c) astaro AG
Nov 14 12:11:18 DB2-Backup kernel: IFWLOG: register target
Nov 14 12:11:18 DB2-Backup shorewall[1529]: Processing /etc/shorewall/started ...
Nov 14 12:11:18 DB2-Backup root[1679]: Shorewall started
Nov 14 12:11:18 DB2-Backup shorewall[1529]: done.
Nov 14 12:11:18 DB2-Backup systemd[1]: Started Shorewall IPv4 firewall.
Nov 14 12:11:18 DB2-Backup systemd[1]: Starting Shorewall IPv6 firewall...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Starting Shorewall6....
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Initializing...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/init ...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Setting up Proxy NDP...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Preparing ip6tables-restore input...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Running /sbin/ip6tables-restore --wait 60...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/start ...
Nov 14 12:11:18 DB2-Backup shorewall[1683]: Processing /etc/shorewall6/started ...
Nov 14 12:11:18 DB2-Backup root[1778]: Shorewall6 started
Nov 14 12:11:18 DB2-Backup shorewall[1683]: done.
Nov 14 12:11:18 DB2-Backup systemd[1]: Started Shorewall IPv6 firewall.
Nov 14 12:11:19 DB2-Backup systemd[1]: Started Samba SMB Daemon.
Nov 14 12:11:19 DB2-Backup systemd[1]: Reached target Multi-User System.
Nov 14 12:11:19 DB2-Backup smbd[1531]: [2019/11/14 12:11:19.040811, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
Nov 14 12:11:19 DB2-Backup smbd[1531]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Nov 14 12:11:19 DB2-Backup systemd[1]: Starting Update UTMP about System Runlevel Changes...
Nov 14 12:11:19 DB2-Backup systemd[1]: systemd-update-utmp-runlevel.service: Succeeded.
Nov 14 12:11:19 DB2-Backup systemd[1]: Started Update UTMP about System Runlevel Changes.
Nov 14 12:11:19 DB2-Backup systemd[1]: Startup finished in 4.488s (kernel) + 24.189s (userspace) = 28.678s.
Here is the start section from /usr/libexec/iptables.init:
Code:
start() {
    # don't do squat if we don't have the config file
    if [ -f $IPTABLES_CONFIG ]; then
        # We do _not_ need to flush/clear anything when using iptables-restore
        echo $"Applying iptables firewall rules: "
        # Strip comment and blank lines, then hand the rest to iptables-restore
        # (-w 5: wait up to 5 s for the xtables lock, -c: restore packet counters).
        # success/failure are the init-script helpers defined elsewhere in the script.
        grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -w 5 -c && \
            success $"Applying iptables firewall rules" || \
            failure $"Applying iptables firewall rules"
        echo
        touch /var/lock/subsys/iptables
    fi
}
If I flush the rules, then run basically the same command shown in /usr/libexec/iptables.init, it installs all my rules. Specifically:
Code:
# iptables -F
# grep -v "^[[:space:]]*#" /etc/sysconfig/iptables | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -w 5 -c
Now I can see my rules with iptables -L INPUT and I can connect using ssh and samba. So the basic command given in /usr/libexec/iptables.init appears to work.
But the output in the boot log says
Preparing iptables-restore input...
then
Running /sbin/iptables-restore --wait 60...
which differ from the output of /usr/libexec/iptables.init.
So it looks to me like shorewall startup is doing something different than running iptables.init. And no other iptables-restore is shown in the boot log, so perhaps /usr/libexec/iptables.init is not getting run?
Phil
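As an added example (not part of Phil's post, and not code from the iptables or Shorewall projects), here is a small POSIX shell script for the two checks a reader debugging this would want to run: it reproduces the comment/blank-line filter that iptables.init feeds into iptables-restore and, when run as root with iptables-restore present, dry-runs that input with iptables-restore --test (parse and build only, nothing committed); and it parses journalctl -b output to list every firewall-related unit transition and every iptables-restore/ip6tables-restore run, so you can see which loader ran last. Since iptables-restore without --noflush replaces the contents of every table in its input, the last loader to run is the one whose rules you should expect to find in iptables -L. The journal lines and the /etc/sysconfig/iptables content below are constructed samples modelled on the post, and the function names are my own.

```shell
#!/bin/sh
# Added example; not from the post or from the iptables/Shorewall projects.

# Constructed sample modelled on the boot log above (not real journal output).
SAMPLE_JOURNAL='Nov 14 12:11:17 host systemd[1]: Starting OpenSSH server daemon...
Nov 14 12:11:17 host systemd[1]: Starting Shorewall IPv4 firewall...
Nov 14 12:11:18 host shorewall[1529]: Running /sbin/iptables-restore --wait 60...
Nov 14 12:11:18 host systemd[1]: Started Shorewall IPv4 firewall.
Nov 14 12:11:18 host systemd[1]: Starting Shorewall IPv6 firewall...
Nov 14 12:11:18 host shorewall[1683]: Running /sbin/ip6tables-restore --wait 60...
Nov 14 12:11:18 host systemd[1]: Started Shorewall IPv6 firewall.
Nov 14 12:11:19 host systemd[1]: Reached target Multi-User System.'

# Constructed stand-in for /etc/sysconfig/iptables in iptables-save format.
SAMPLE_CONFIG='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
   # indented comment: samba
-A INPUT -p tcp --dport 445 -j ACCEPT
COMMIT
# Completed'

# The same filter iptables.init applies before piping into iptables-restore:
# drop comment lines and blank lines, leave everything else untouched.
iptables_init_filter() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Count iptables-restore / ip6tables-restore invocations visible in the journal.
count_restore_runs() {
    grep -c -E 'ip6?tables-restore'
}

# Print the systemd unit transitions of anything firewall-related, in boot order.
firewall_unit_events() {
    grep -E 'systemd\[1\]: (Starting|Started|Failed to start) .*(firewall|iptables|Shorewall)'
}

# Name of the last firewall-related unit that systemd reported as Started.
# Without --noflush, iptables-restore replaces every table in its input, so the
# loader that ran last owns the ruleset you see in iptables -L afterwards.
last_firewall_unit() {
    firewall_unit_events \
        | sed -n -E 's/.*systemd\[1\]: Started (.*)\.$/\1/p' \
        | tail -n 1
}

# Dry-run the filtered ruleset without touching the kernel, when possible.
# iptables-restore --test parses and builds the ruleset but does not commit it.
dry_run_restore() {
    config="$1"
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables_init_filter <"$config" | iptables-restore --test -c
    else
        echo "iptables-restore not available or not root; filtered input follows:" >&2
        iptables_init_filter <"$config"
    fi
}

# Stand-alone demo on the constructed data. On a real box, pipe real data in:
#   journalctl -b | firewall_unit_events
#   journalctl -b | last_firewall_unit
#   dry_run_restore /etc/sysconfig/iptables
if [ "${1:-}" = "demo" ]; then
    echo "restore runs in journal: $(printf '%s\n' "$SAMPLE_JOURNAL" | count_restore_runs)"
    echo "last firewall unit started: $(printf '%s\n' "$SAMPLE_JOURNAL" | last_firewall_unit)"
    printf '%s\n' "$SAMPLE_JOURNAL" | firewall_unit_events
    printf '%s\n' "$SAMPLE_CONFIG" | iptables_init_filter
fi
```

Run it as `sh script.sh demo` to see the output on the constructed samples. On the constructed journal the last unit started is the Shorewall IPv6 firewall and only the two Shorewall-driven restore runs appear, which is the same shape as the log in the post; whether a given unit ran at all is a separate question that `systemctl is-enabled <unit>` and `systemctl status <unit>` answer directly.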