* /etc/sysconfig/iptables does not load on reboot
@ 2005-07-02  2:53 David Leangen
  2005-07-02  5:44 ` tahmeed
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-02  2:53 UTC (permalink / raw)
  To: netfilter


Hello!

On FC3, my file /etc/sysconfig/iptables is not being loaded on reboot. For
some reason, my iptables is being loaded with some kind of default values.

I thought that the file /etc/sysconfig/iptables was supposed to be loaded
via iptables-restore (and indeed this appears to be so according to the
startup script in /etc/rc.d/init.d/iptables). Is there something that I am
not understanding correctly?


Thank you!



^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  2:53 David Leangen
@ 2005-07-02  5:44 ` tahmeed
  2005-07-02  5:49   ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: tahmeed @ 2005-07-02  5:44 UTC (permalink / raw)
  To: dleangen; +Cc: netfilter

hello David,

After you configure iptables, directly or via a script, issue

iptables-save > /etc/sysconfig/iptables

Then your conf will be saved in the mentioned file & be available while
restarting the service or on reboot.

Else the system will use the default conf that has been set up during
the installation of the system.
And

"iptables-restore" :: resets the conf to the system default, which
means you lose the conf you just did.

thanks.



-- 
Happy! If not now never



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  5:44 ` tahmeed
@ 2005-07-02  5:49   ` David Leangen
  0 siblings, 0 replies; 19+ messages in thread
From: David Leangen @ 2005-07-02  5:49 UTC (permalink / raw)
  To: tahmeed; +Cc: netfilter


Dear Tahmeed,

Thank you. But that's exactly what I'm doing.

I am absolutely positive that the correct script is saved to
/etc/sysconfig/iptables. I tried with all of the following:

 - iptables-save
 - service iptables save

If I use 'iptables-restore /etc/sysconfig/iptables' after reboot, then the
correct script gets loaded (which also shows that the correct values are in
/etc/sysconfig/iptables).

My init script IS indeed getting run at system startup.


So, what I can't figure out is why the script in /etc/sysconfig/iptables is
not being loaded at system startup.


Any ideas?

Thank you!!








* RE: /etc/sysconfig/iptables does not load on reboot
       [not found] <Pine.NEB.4.62.0507020558110.8849@ukato.freeshell.org>
@ 2005-07-02  6:32 ` David Leangen
  0 siblings, 0 replies; 19+ messages in thread
From: David Leangen @ 2005-07-02  6:32 UTC (permalink / raw)
  To: netfilter


Thanks for the follow-up!

[root@sannomiya ~]# chkconfig --list iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off


My /etc/rc.d/init.d/iptables script is the default script installed with
FC3.


Cheers,
Dave



> -----Original Message-----
> From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
> Sent: 2 July 2005 15:03
> To: David Leangen
> Subject: RE: /etc/sysconfig/iptables does not load on reboot
>
>
> On Sat, 2 Jul 2005, David Leangen wrote:
>
> > If I use 'iptables-restore /etc/sysconfig/iptables' after
> reboot, then the
> > correct script gets loaded (which also shows that the correct
> values are in
> > /etc/sysconfig/iptables).
> >
> > My init script IS indeed getting run at system startup.
>
> Are you sure? What does "chkconfig --list iptables" say?
>
>  			Alexey




* RE: /etc/sysconfig/iptables does not load on reboot
       [not found] <Pine.NEB.4.62.0507020637440.20364@ukato.freeshell.org>
@ 2005-07-02  6:43 ` David Leangen
  2005-07-02  7:35   ` tahmeed
  2005-07-02  8:39   ` /dev/rob0
  0 siblings, 2 replies; 19+ messages in thread
From: David Leangen @ 2005-07-02  6:43 UTC (permalink / raw)
  To: netfilter


> Well, in that case, I have no idea. Did you check the startup logs?
> Does the system display [ OK ] on the iptables line when booting?

Yep, the system displays [ OK ] and I don't see anything of interest in the
logs. That's exactly why I can't figure this out. If at least there were
some info in the logs, that would at least point me in some direction.
Unless, of course, I'm looking in the wrong place...


Cheers,
Dave




> -----Original Message-----
> From: Alexey Toptygin [mailto:alexeyt@freeshell.org]
> Sent: 2 July 2005 15:39
> To: David Leangen
> Subject: RE: /etc/sysconfig/iptables does not load on reboot
>
>
> On Sat, 2 Jul 2005, David Leangen wrote:
>
> > [root@sannomiya ~]# chkconfig --list iptables
> > iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
> >
> > My /etc/rc.d/init.d/iptables script is the default script installed with
> > FC3.
>
> Well, in that case, I have no idea. Did you check the startup logs? Does
> the system display [ OK ] on the iptables line when booting?
>
>  			Alexey




* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  6:43 ` David Leangen
@ 2005-07-02  7:35   ` tahmeed
  2005-07-02  7:53     ` David Leangen
  2005-07-02  8:39   ` /dev/rob0
  1 sibling, 1 reply; 19+ messages in thread
From: tahmeed @ 2005-07-02  7:35 UTC (permalink / raw)
  To: dleangen; +Cc: netfilter

hello,

This is what you should see if iptables starts up successfully during
reboot - at least

Jul  2 13:00:45 gizmo rc: Starting iptables:  succeeded 

And maybe it's due to some core-level problem, not due to any
misconfiguration or things like that. Maybe the problem lies
in the package.

If it's possible, please download a fresh package of iptables from 

www.netfilter.org

Regards.




-- 
Happy! If not now never



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  7:35   ` tahmeed
@ 2005-07-02  7:53     ` David Leangen
  2005-07-02  8:35       ` Navneet Choudhary
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-02  7:53 UTC (permalink / raw)
  To: netfilter


Thanks again for the follow up...

> And maybe it's due to some core-level problem, not due to any
> misconfiguration or things like that. Maybe the problem
> lies in the package.

Sounds like this may be a good guess. I installed a second FC3 system, and
I'm not having that problem at all. Everything is working just fine on the
second system, including the default iptables installation. I really can't
figure out why it works on one machine, but not the other...

I'll try a fresh install and see what happens.


Thanks again for the advice.


Cheers,
Dave







* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  7:53     ` David Leangen
@ 2005-07-02  8:35       ` Navneet Choudhary
  2005-07-02  8:49         ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: Navneet Choudhary @ 2005-07-02  8:35 UTC (permalink / raw)
  To: dleangen; +Cc: netfilter

On 7/2/05, David Leangen <dleangen@canada.com> wrote:
> 
> Thanks again for the follow up...
> 
> > And maybe it's due to some core-level problem, not due to any
> > misconfiguration or things like that. Maybe the problem
> > lies in the package.
> 
> Sounds like this may be a good guess. I installed a second FC3 system, and
> I'm not having that problem at all. Everything is working just fine on the
> second system, including the default iptables installation. I really can't
> figure out why it works on one machine, but not the other...

Hey, if you want to debug further!
Why don't you call your iptables rules via /etc/rc.local?

eg.
vi /etc/rc.local
iptables-restore < /root/firewall [your own iptables rule set which
you want to enforce on your system]

Let's see what happens now.

 



* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  6:43 ` David Leangen
  2005-07-02  7:35   ` tahmeed
@ 2005-07-02  8:39   ` /dev/rob0
  2005-07-02  8:49     ` David Leangen
  1 sibling, 1 reply; 19+ messages in thread
From: /dev/rob0 @ 2005-07-02  8:39 UTC (permalink / raw)
  To: netfilter

On Saturday 02 July 2005 01:43, David Leangen wrote:
> some direction. Unless, of course, I'm looking in the wrong place...

FWIW you are *asking* in the wrong place. This is an OS problem, not a 
netfilter / iptables issue.

RH/FC and such like to hide information from the user. You can add some 
shell code to your startup scripts which redirect more verbose output 
to files. In this case maybe some echo commands to show which file is 
being fed to iptables-restore.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  8:35       ` Navneet Choudhary
@ 2005-07-02  8:49         ` David Leangen
  0 siblings, 0 replies; 19+ messages in thread
From: David Leangen @ 2005-07-02  8:49 UTC (permalink / raw)
  To: netfilter


> Hey, if you want to debug further!
> Why don't you call your iptables rules via /etc/rc.local?

When I do:

  $ iptables-restore /etc/sysconfig/iptables

Everything is fine. It's only on system startup that it's not working.


Cheers,
Dave





* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  8:39   ` /dev/rob0
@ 2005-07-02  8:49     ` David Leangen
  2005-07-04 11:13       ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-02  8:49 UTC (permalink / raw)
  To: netfilter; +Cc: /dev/rob0


Ah, good point!

Thanks!!






* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-02  8:49     ` David Leangen
@ 2005-07-04 11:13       ` David Leangen
  2005-07-04 13:39         ` /dev/rob0
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-04 11:13 UTC (permalink / raw)
  To: netfilter


Hello!

> > RH/FC and such like to hide information from the user. You can add
> > some shell code to your startup scripts which redirect more verbose
> > output to files. In this case maybe some echo commands to show
> > which file is being fed to iptables-restore.

Well, I did little more digging. Although I see more and more what's going
on, I'm understanding less and less.

I have two machines on which I freshly installed FC3, in exactly the
same way, with minimal packages. Since I installed FC3 exactly the same way,
it should behave the same way on both systems, right? Well, not so. That's
the first point I do not understand.

On one machine ("goodhost"), everything works exactly as expected.

On the misbehaving machine, however, ("badhost"), I noticed that contrary to
what I mentioned in my previous posts, /etc/sysconfig/iptables does indeed
appear to get loaded at system startup.

However, IT DOES NOT GET LOADED THE SAME WAY!!

Why is that? Why would the same file not get loaded the same way on startup
as it does when running iptables-restore afterward? And why does it work on
one machine, but not on another with the same installation? I've tried on a
few different firewall rules files, and the same thing always seems to
happen. I even tried with the default RedHat firewall rules. The diff of
'iptables -L' between the two (firewall loaded at startup vs. firewall loaded
afterward with iptables-restore) is below.

Any ideas about this very strange situation? Any help would be most
appreciated!



< RH-Firewall-1-INPUT  all  --  anywhere             anywhere
---
> DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
> DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
> DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
> DROP       icmp --  anywhere             anywhere            icmp echo-request
5c8
< Chain FORWARD (policy ACCEPT)
---
> Chain FORWARD (policy DROP)
7d9
< RH-Firewall-1-INPUT  all  --  anywhere             anywhere
12c14
< Chain RH-Firewall-1-INPUT (2 references)
---
> Chain RH-Firewall-1-INPUT (0 references)





* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-04 11:13       ` David Leangen
@ 2005-07-04 13:39         ` /dev/rob0
  2005-07-04 14:17           ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: /dev/rob0 @ 2005-07-04 13:39 UTC (permalink / raw)
  To: NetFilter

On Monday 04 July 2005 06:13, David Leangen wrote:
> > > add some shell code to your startup scripts which redirect more
> > > verbose output to files. In this case maybe some echo commands to
> > > show which file is being fed to iptables-restore.
>
> Well, I did little more digging. Although I see more and more what's
> going on, I'm understanding less and less.
>
> I have two machines on which I freshly installed FC3, in the exaclty
> the same way, with minimal packages. Since I installed FC3 exactly
> the same way, it should behave the same way on both systems, right?
> Well, not so. That's the first point I do not understand.

Same kernel?

> On one machine ("goodhost"), everything works exactly as expected.
>
> On the misbehaving machine, however, ("badhost"), I noticed that
> contrary to what I mentioned in my previous posts,
> /etc/sysconfig/iptables does indeed appear to get loaded at system
> startup.
>
> However, IT DOES NOT GET LOADED THE SAME WAY!!

Please define that.

> Why is that? Why would the same file not get loaded the same way on
> startup as it does when running iptables-restore afterward? And why

A custom kernel on the badhost might explain it, at least in part.

> does it work on one machine, but not on another with the same
> installation? I've tried on a few different firewall rules files, and
> the same thing always seems to happen. I even tried with the default
> RedHat firewall rules. The diff of 'iptables -L' between the two
> (firewall loaded at startup vs. firewall loaded afterward with
> iptables-restore) is below.
>
> Any ideas about this very strange situation? Any help would be most
> appreciated!

1. It's hard to glean useful information out of iptables -L, even with 
-v. It's harder when filtered through diff(1) and when we don't have 
the original iptables-restore file to see. If you want help you should 
post:
   a. The complete but uncommented iptables-restore file
   b. iptables-save(8) output after the boot, but before ..
   c. iptables-save(8) output after manual restoring.
   d. Bank and credit card account information, mother's maiden name.
   e. Debugging output as described below.
   f. What have you changed from default? Kernel? Patch-o-matic?

> < RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ---
>
> > DROP     tcp  --  anywhere       anywhere      tcp dpts:0:1023

2. This looks like one of those useless RH default firewalls, in the 
style of ipchains. Get a real firewall script to generate your rules. 
It is a waste of time to fix this one. (But it's possible the same 
problem would exist with a better firewall.)

3. My guess is that the --protocol match extensions, tcp, udp and icmp, 
are failing to load at boot. Something which differs between your login 
environment and the environment of init(8) enables the automatic 
loading of netfilter modules.

4. Shell debugging code. Redirect both stdout and stderr of the 
iptables-restore(8) command at boot time to a file. Read the files. 
Your stderr file will probably tell you what went wrong. It wouldn't 
hurt to put in a "set > /root/init-env" too.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-04 13:39         ` /dev/rob0
@ 2005-07-04 14:17           ` David Leangen
  2005-07-04 14:37             ` /dev/rob0
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-04 14:17 UTC (permalink / raw)
  To: NetFilter


Thanks for all the helpful hints!

> Same kernel?

goodhost=2.6.9-1.667smp
badhost=2.6.9-1.667

Not sure what the "smp" is.

I will try loading on badhost the version with the same kernel on goodhost
and see if that fixes the problem.


> > However, IT DOES NOT GET LOADED THE SAME WAY!!
>
> Please define that.

I just meant that the output from 'iptables -L' does not show the same
thing. The rules are correctly applied when running 'iptables-restore' later
on, but not all the rules are correctly applied at startup.


> If you want help you should post:
>    a. The complete but uncommented iptables-restore file
>    b. iptables-save(8) output after the boot, but before ..
>    c. iptables-save(8) output after manual restoring.
>    d. Bank and credit card account information, mother's maiden name.
>    e. Debugging output as described below.
>    f. What have you changed from default? Kernel? Patch-o-matic?

Now that you've helped me to realise that I'm not using the same kernel,
I'll try that first, and if the problem persists go on to all your other
helpful suggestions. My only problem is that I won't have physical access to
the server again until later this week.

Here is my credit card info:

Visa - 5515 2363 5124 1234
  exp 04/06

Mother's maiden name: Ima Galible

Just let me know if you need my social security number, too. For security
reasons, I'd rather mail that to you privately.

Thanks again!

:-)





* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-04 14:17           ` David Leangen
@ 2005-07-04 14:37             ` /dev/rob0
  2005-07-04 14:54               ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: /dev/rob0 @ 2005-07-04 14:37 UTC (permalink / raw)
  To: NetFilter

On Monday 04 July 2005 09:17, David Leangen wrote:
> Thanks for all the helpful hints!
>
> > Same kernel?
>
> goodhost=2.6.9-1.667smp
> badhost=2.6.9-1.667
>
> Not sure what the "smp" is.

Probably "symmetric multi-processor", a kernel enabled for multiple 
CPU's. It could be that you have found a Fedora bug.

> I will try loading on badhost the version with the same kernel on
> goodhost and see if that fixes the problem.

If badhost only has one CPU it's wasteful to have SMP support, but as 
implied above, it could be a kernel configuration bug relating to the 
non-SMP kernel.

> Now that you've helped me to realise that I'm not using the same
> kernel, I'll try that first, and if the problem persits go on to all
> your other helpful suggestions. My only problem is that I won't have

I'm sticking to my guess. The rules which did not load (if I read it 
correctly from the diff) all used --protocol extensions.

I know little of netfilter / iptables internals. I don't know where 
those extensions load from ... [WHAM] ouch, I was just hit by an 
inspiration.

Firewall loads before mount -a; probably at that point only the root 
filesystem is mounted. If the match extensions are on /usr, we can't 
get to them. I bet badhost has a separate /usr partition and goodhost 
has /usr on the rootfs.

If so, yes, this is an OS bug. And don't just write set to a file, do 
"mount > /root/firewall-mounted-fs" too. (I hope /root isn't a symlink 
or otherwise on a different FS.)

> Mother's maiden name: Ima Galible

:)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
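The boot-time debugging /dev/rob0 asks for in his two messages above (stdout and stderr of the iptables-restore call captured to files, the init(8) environment written with "set", and the mounted filesystems written with "mount", all to a directory on the root filesystem), as an added example. This is editor-supplied shell, not code from the thread, from the Fedora init script or from the netfilter project. It assumes only that the restore command reads the ruleset on stdin, as iptables-restore does; the log directory, the file names inside it and the optional third argument (a stand-in command so the wrapper can be exercised on a host without iptables) are the example's own choices.

```sh
#!/bin/sh
# Added example (editor-supplied, not from the thread or the Fedora init
# script): run the boot-time iptables-restore with everything a post-mortem
# needs written to files on the root filesystem.
#
#   debug_restore RULES_FILE LOG_DIR [RESTORE_CMD]
#
# RESTORE_CMD defaults to iptables-restore. The only assumption about it is
# that it reads the ruleset on stdin, as iptables-restore does; the demo
# below substitutes a shell function so the wrapper runs without iptables.
debug_restore() {
    rules="$1"
    logdir="$2"
    restore="${3:-iptables-restore}"

    mkdir -p "$logdir" || return 2

    # What init(8) handed us: a PATH without /usr/sbin, or LANG/LC_* values
    # that differ from the login shell, shows up here.
    set > "$logdir/env.txt" 2>&1

    # Which filesystems are mounted at this point in the boot (the /usr
    # hypothesis); /proc/mounts carries the same data as mount(8) output.
    if [ -r /proc/mounts ]; then
        cat /proc/mounts > "$logdir/mounts.txt"
    else
        mount > "$logdir/mounts.txt" 2>&1 || true
    fi

    # Record exactly which file is being fed to the restore command.
    echo "$(date '+%Y-%m-%d %H:%M:%S') restore from $rules via $restore" \
        >> "$logdir/restore.log"
    if [ ! -r "$rules" ]; then
        echo "$rules missing or unreadable" >> "$logdir/restore.err"
        return 3
    fi

    # Keep stdout and stderr apart: the stderr file is where a failed
    # "-p tcp" / "-m tcp" extension load or a parse error is reported.
    "$restore" < "$rules" > "$logdir/restore.out" 2> "$logdir/restore.err"
    rc=$?
    echo "exit status $rc" >> "$logdir/restore.log"
    return "$rc"
}

# Demo with a constructed ruleset and a stand-in restore command that
# prints the number of lines it was fed:  sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$d/rules"
    count_lines() { wc -l; }
    debug_restore "$d/rules" "$d/log" count_lines
    echo "exit status: $?"
    cat "$d/log/restore.log" "$d/log/restore.out"
    rm -rf "$d"
fi
```

In the init script, replace the bare iptables-restore line with a call such as debug_restore /etc/sysconfig/iptables /root/fw-debug, reboot, and read restore.err first; env.txt and mounts.txt answer the "what differs from my login shell" question.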



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-04 14:37             ` /dev/rob0
@ 2005-07-04 14:54               ` David Leangen
  2005-07-09 16:20                 ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-04 14:54 UTC (permalink / raw)
  To: netfilter


> Firewall loads before mount -a; probably at that point only the
> root filesystem is mounted. If the match extensions are on /usr,
> we can't get to them. I bet badhost has a separate /usr partition
> and goodhost has /usr on the rootfs.

Well, it's true that /usr is mounted on a different partition, but this is
the case for both goodhost and badhost.

Indeed, this is how I mounted my partitions on badhost:

Filesystem           Mounted on
/dev/hda2            /
/dev/hda1            /boot
/dev/hda8            /home
/dev/hda6            /tmp
/dev/hda3            /usr
/dev/hda7            /var

And this is goodhost:

/dev/sda2             /
/dev/sda1             /boot
/dev/sda3             /data
/dev/sda5             /home
/dev/sda8             /tmp
/dev/sda7             /usr
/dev/sda9             /var
/dev/sda10            /var/lib/pgsql


> If so, yes, this is an OS bug. And don't just write set to a file,
> do "mount > /root/firewall-mounted-fs" too. (I hope /root isn't a
> symlink or otherwise on a different FS.)

Sorry, I don't follow this last bit...

Thanks so much for helping me through this!!!

:-)





* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-04 14:54               ` David Leangen
@ 2005-07-09 16:20                 ` David Leangen
  2005-07-10  2:40                   ` curby .
  0 siblings, 1 reply; 19+ messages in thread
From: David Leangen @ 2005-07-09 16:20 UTC (permalink / raw)
  To: netfilter


Thanks again for all the support so far...

> > Firewall loads before mount -a; probably at that point only the
> > root filesystem is mounted. If the match extensions are on /usr,
> > we can't get to them. I bet badhost has a separate /usr partition
> > and goodhost has /usr on the rootfs.

Actually, I don't believe this is the case. Also, I don't believe (no 100%
confirmation) that the kernel version makes a difference, so I doubt this is
a kernel bug, at least the way you suggested.

After a lot of playing around, I was finally able to figure out when the
problem occurs.

As long as I do not set up an ADSL connection using adsl-setup, everything
works fine. However, after having setup my connection, that's when my
firewall goes wack. The same is true whether or not the cable is actually
plugged in. This happens after having run adsl-setup.


Any ideas why setting up an ADSL connection would cause problems? Any ideas
how to work around this?


Again, thank you for all the help!!!

Dave





* Re: /etc/sysconfig/iptables does not load on reboot
  2005-07-09 16:20                 ` David Leangen
@ 2005-07-10  2:40                   ` curby .
  2005-07-10 10:06                     ` David Leangen
  0 siblings, 1 reply; 19+ messages in thread
From: curby . @ 2005-07-10  2:40 UTC (permalink / raw)
  To: dleangen; +Cc: netfilter

On 7/9/05, David Leangen <dleangen@canada.com> wrote:
> This happens after having run adsl-setup.

What is adsl-setup doing for you? Are you using an internal dsl modem,
or is it external/usb or external/cat5?  Especially if you use a
network cable to connect to an external DSL modem, you should be able
to configure your network card directly using ifconfig or
/etc/sysconfig thus getting rid of the need for adsl-setup at all.

That said, it would be nice to figure out why this is causing a
conflict.  Perhaps Fedora experts would understand what exactly
adsl-setup is doing, and/or why it would be conflicting with the
reload of iptables rules.



* RE: /etc/sysconfig/iptables does not load on reboot
  2005-07-10  2:40                   ` curby .
@ 2005-07-10 10:06                     ` David Leangen
  0 siblings, 0 replies; 19+ messages in thread
From: David Leangen @ 2005-07-10 10:06 UTC (permalink / raw)
  To: netfilter


Hi! Thanks for the follow-up.

> What is adsl-setup doing for you? Are you using an internal dsl modem,
> or is it external/usb or external/cat5?  Especially if you use a
> network cable to connect to an external DSL modem, you should be able
> to configure your network card directly using ifconfig or
> /etc/sysconfig thus getting rid of the need for adsl-setup at all.

Ok, thanks! Your suggestion to look directly at the config script allowed
the solution to jump out at me. I simply never thought to look at my ppp0
device.

I looked into this further and found that the adsl-* scripts, depending on
the configuration, actually add some junk to iptables.

The file /etc/sysconfig/network-scripts/ppp0 looks something like this:

USERCTL=no
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=MASQUERADE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes
SYNCHRONOUS=no
ETH=eth0
PROVIDER=DSLppp0
USER=memyselfandi@somewhere
PEERDNS=no
DEMAND=no


If the entry "FIREWALL" is anything other than "NONE", then, when the
related script (don't know which one) is invoked at runtime, it "interferes"
with the firewall by adding some extra stuff. I didn't realise this before.

Once again, by loading with 'iptables-restore /etc/sysconfig/iptables', the
extra stuff is not added. That's essentially why my firewall at boot time
and the one I really wanted were different.

Problem solved!


Thank you all so much for your help through this. :-D
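Two checks for the cause David found, as an added example that is not part of the thread and not code from Fedora's network scripts or the netfilter project. The first scans the interface configs for a FIREWALL setting other than NONE, the setting that made the dial-up scripts add their own rules; the second compares the ruleset file that iptables-restore was given with a fresh iptables-save dump of the live tables and prints whatever was added or dropped, which is the drift David only saw by diffing iptables -L by hand. Assumptions: the interface configs are named ifcfg-* under /etc/sysconfig/network-scripts (David quotes the contents but calls the file ppp0), the FIREWALL= key is the one in his message, both dumps are in iptables-save format, and every sample file in the demo is constructed.

```sh
#!/bin/sh
# Added example (editor-supplied, not from the thread or from Fedora's
# network scripts): two checks for the failure mode David ran into, where
# a dial-up interface config with FIREWALL set to something other than NONE
# made the ppp scripts add rules behind the back of /etc/sysconfig/iptables.
#
# Assumptions: interface configs live as ifcfg-* under
# /etc/sysconfig/network-scripts and use the FIREWALL= key David quotes;
# ruleset dumps are in iptables-save format.

# firewall_overrides [DIR]
#   Prints "ifcfg-NAME=VALUE" for each config whose FIREWALL is set and
#   is not NONE. Returns 0 if any were found, 1 otherwise.
firewall_overrides() {
    dir="${1:-/etc/sysconfig/network-scripts}"
    found=1
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        # Last FIREWALL= line wins; quotes and stray spaces are dropped.
        val=$(sed -n 's/^[[:space:]]*FIREWALL=//p' "$f" | tail -n 1 | tr -d "\"' ")
        case "$val" in
            ""|NONE) ;;
            *) echo "$(basename "$f")=$val"; found=0 ;;
        esac
    done
    return $found
}

# normalize_rules FILE
#   iptables-save output minus comments and packet/byte counters, sorted,
#   so two dumps taken at different times compare rule for rule.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" | LC_ALL=C sort
}

# ruleset_drift SAVED_FILE LIVE_FILE
#   Prints "- rule" for lines in SAVED_FILE that are not live and "+ rule"
#   for live lines the saved file never had. Returns 0 if identical, 1 if
#   anything differs. LIVE_FILE is normally produced by: iptables-save > file
ruleset_drift() {
    saved=$(mktemp); live=$(mktemp)
    normalize_rules "$1" > "$saved"
    normalize_rules "$2" > "$live"
    # comm -23: only in the saved file; comm -13: only in the live dump.
    drift=$(
        LC_ALL=C comm -23 "$saved" "$live" | sed 's/^/- /'
        LC_ALL=C comm -13 "$saved" "$live" | sed 's/^/+ /'
    )
    rm -f "$saved" "$live"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Demo on constructed files (sh this_script.sh demo): a ppp0 config like
# the one in the thread, plus a saved ruleset and a "live" dump in which a
# chain policy changed and one rule was replaced.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); mkdir "$d/ns"
    printf 'DEVICE=eth0\nONBOOT=yes\n' > "$d/ns/ifcfg-eth0"
    printf 'DEVICE=ppp0\nTYPE=xDSL\nFIREWALL=MASQUERADE\n' > "$d/ns/ifcfg-ppp0"
    firewall_overrides "$d/ns" && echo "interface configs add firewall rules"
    printf '# constructed\n*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$d/saved"
    printf '# constructed\n*filter\n:INPUT ACCEPT [9:700]\n:FORWARD DROP [0:0]\n-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP\nCOMMIT\n' > "$d/live"
    ruleset_drift "$d/saved" "$d/live" || echo "live ruleset differs from saved file"
    rm -rf "$d"
fi
```

Run firewall_overrides with no argument on the affected host and it names the ppp0 config; run iptables-save to a file right after boot and feed it with /etc/sysconfig/iptables to ruleset_drift, and the "+" lines are exactly what the dial-up scripts injected.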




