The iptables utility controls the network packet filtering code in the Linux kernel. The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. The post discusses the most commonly encountered issues with iptables and how to resolve them.
iptables rules do not load after a reboot
you have set and saved iptables firewall rules and they are still not loaded after a reboot. After a reboot, the iptables rules are not loaded, and instead :
– The firewall rules need to be re-defined because the new rules were not saved/applied.
– The iptables service must be restarted in order for the rules to load.
troubleshooting
1. Ensure that the service is set to start on boot
1. Verify that the service was set to start on boot :
# chkconfig iptables --list iptables 0:off 1:off 2:off 3:on 4:on 5:on 6:off
2. If iptables is off, then enable the service for runlevels 3-5
# chkconfig iptables on
2. Ensure that the rules were saved to disk
1. Verify that the new rules are saved in /etc/sysconfig/iptables.
2. If they were not saved, save the current rules after setting them by either of the two methods shown below:
a. Saving the rules through the iptables service command:
# service iptables save
b. Saving the output of the command below to the /etc/sysconfig/iptables file. You can also save the rules by manually writing them in the file.
# iptables-save
3. Ensure that the iptables modules are loaded on boot
1. Verify that the iptables module has been loaded immediately after boot.
RHEL 5 output should look something like:
# lsmod | grep tables ip_tables 55457 1 iptable_filter ip6_tables 50177 1 ip6table_filter x_tables 50505 6 ipt_REJECT,xt_state,ip_tables,ip6t_REJECT,xt_tcpudp,ip6_tables
RHEL 6 output should look something like like:
# lsmod | grep table iptable_filter 2793 1 ip_tables 17831 1 iptable_filter ip6table_filter 2889 1 ip6_tables 19458 1 ip6table_filter
2. If the module is failing to load, Remove any blacklist lines for iptables modules from the modprobe configuration.
# grep -r iptables /etc/modprobe* /etc/modprobe.d/blacklist.conf:blacklist iptables /etc/modprobe.d/blacklist.conf:blacklist ip6tables
4. Check the tables to see if they are empty or missing rules
Below is an example of a flushed or empty table:
# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Firewall-1-INPUT (0 references) target prot opt source destination
5. Verify that the rules file has not changing after a reboot
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bkp # reboot # sdiff -s /etc/sysconfig/iptables /etc/sysconfig/iptables.bkp
6. Check to see if restarting the iptables service successfully loads the rules
Check if running ‘service iptables restart’ is required after booting and loads the tables fine.
# service iptables restart # service iptables status