What causes iptables to load every time after a reboot even when it’s completely turned off

Question: Even though iptables is turned OFF using 'chkconfig --level 345 iptables off', 'service iptables status' still displays some iptables rules after every reboot.

Answer

The libvirtd daemon adds iptables rules for its default virtual network when it starts. Because it does so, iptables is brought up whenever libvirtd starts, even if the iptables service itself was disabled. These rules do not affect the firewall configuration of the physical network. If a Xen environment is not in use, these rules are not needed at all, and in a non-Xen environment it is safe to turn the libvirtd service off by running:

# chkconfig --level 345 libvirtd off
# service libvirtd stop

How to prevent iptables from starting when libvirtd is started

When using Red Hat Enterprise Linux 5 with the Xen kernel, the libvirtd daemon is enabled by default. "libvirtd" is a daemon that runs the /usr/sbin/libvirtd command; it tracks the state of the server's physical network and the configuration under /etc/libvirt/qemu/network, and from that creates iptables rules such as:

# service iptables status

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24    

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED 
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0           
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

1. Check whether the libvirtd service is enabled at boot and currently running.

# chkconfig --list libvirtd
libvirtd        0:off   1:off   2:off   3:on    4:on    5:on    6:off
# /etc/init.d/libvirtd status
libvirtd (pid  3895) is running...
Note: The libvirtd service is responsible for starting iptables even if iptables was disabled before.

2. Stop libvirtd and turn it off with chkconfig so that it no longer loads iptables.

# chkconfig --level 345 libvirtd off
# service libvirtd stop

3. Reboot the host and verify.

Note: Unless you are using the Xen kernel on Oracle Linux for hosting VMs, it is safe to turn OFF libvirtd.
Note: It has been observed that the docker service also starts the iptables service.
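To tell at a glance whether the rules that reappear after a reboot are the libvirt default-network rules shown in the listing above (the MASQUERADE on 192.168.122.0/24 plus the DNS/DHCP accepts on ports 53 and 67) or something else an administrator should look into, the following script classifies a 'service iptables status' listing. It is an added example, not part of the original article or of the libvirt project; the three sample listings are constructed from the article's own output, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): classify an iptables listing
# so an admin can tell whether the rules that appear after a reboot carry the
# libvirt default-network signature described in the article. The sample
# listings below are constructed; 192.168.122.0/24 is libvirt's default subnet.

# Constructed sample: the listing the article shows after libvirtd has started.
SAMPLE_LIBVIRT='Table: nat
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Constructed sample: a host whose iptables service really is empty.
SAMPLE_EMPTY='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination'

# Constructed sample: an unrelated, administrator-written rule (not libvirt's).
SAMPLE_OTHER='Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0           tcp dpt:22'

# Number of numbered rules in the listing (lines that start with a rule index).
count_rules() {
    printf '%s\n' "$1" | grep -Ec '^[0-9]+ ' || true
}

# Number of rule lines that reference libvirt's default subnet.
count_subnet_rules() {
    printf '%s\n' "$1" | grep -c '192\.168\.122\.0/24' || true
}

# Succeed when the listing carries the libvirt default-network signature:
# NAT masquerading for 192.168.122.0/24 plus the DNS (53) and DHCP (67) accepts.
has_libvirt_signature() {
    printf '%s\n' "$1" | grep -Eq 'MASQUERADE +all +-- +192\.168\.122\.0/24' &&
    printf '%s\n' "$1" | grep -Eq 'udp dpt:53' &&
    printf '%s\n' "$1" | grep -Eq 'udp dpt:67'
}

# Print exactly one of: no-rules, libvirt-default-network, other-rules.
classify_listing() {
    if [ "$(count_rules "$1")" -eq 0 ]; then
        echo no-rules
    elif has_libvirt_signature "$1"; then
        echo libvirt-default-network
    else
        echo other-rules
    fi
}

# On a real host, feed in the live listing instead, e.g.
#   classify_listing "$(service iptables status)"
# Here the constructed samples are reported so the script runs offline.
for s in "$SAMPLE_LIBVIRT" "$SAMPLE_EMPTY" "$SAMPLE_OTHER"; do
    printf '%s rule(s), %s on libvirt subnet -> %s\n' \
        "$(count_rules "$s")" "$(count_subnet_rules "$s")" "$(classify_listing "$s")"
done
```

A result of libvirt-default-network means the rules match what libvirtd installs for its default network and the fix in steps 1 to 3 applies; other-rules means something besides libvirtd (for example the docker service mentioned above, or an administrator's own rules) is loading iptables and should be traced separately before anything is disabled.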