Firewall Will Not Disable – Stumped!


Very perplexed here – I need to turn off iptables. I've tried:

service iptables save
service iptables stop
chkconfig iptables off

service ip6tables save
service ip6tables stop
chkconfig ip6tables off

OPGX280 ~ # cat /etc/sysconfig/system-config-firewall
# Configuration file for system-config-firewall
--disabled
--service=ssh

OPGX280 ~ :( # cat /etc/selinux/config
SELINUX=disabled

OPGX280 ~ :( # chkconfig | grep ip
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipmievd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipsec 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ipvsadm 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Yet – when I reboot, iptables gets started. If I run:

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Note -> 192.168.122.0/24 is NOT my network. I just want the status to tell me iptables is NOT running.

What else can I look for??

Thanks Bob

5 thoughts on - Firewall Will Not Disable – Stumped!

  • This is very strange…

    I ran your flush command... worked until reboot.

    I came across this article http://www.thegeekstuff.com/2011/01/redhat-iptables-flush/

    Basically it tells me how to save a wide-open rules file – I did this and it behaved like the doc describes.

    This is what I have now

    OPGX280 ~ :( # cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Sun Jul 7 09:14:11 2013
    *filter
    :INPUT ACCEPT [32:4712]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [40:5160]
    COMMIT
    # Completed on Sun Jul 7 09:14:11 2013

    – until I reboot, then I get the same gibberish…

    OPGX280 ~ # /etc/rc.d/init.d/iptables status
    Table: nat
    Chain PREROUTING (policy ACCEPT)
    num target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    num target prot opt source destination
    1 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    2 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
    3 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    Table: mangle
    Chain PREROUTING (policy ACCEPT)
    num target prot opt source destination

    Chain INPUT (policy ACCEPT)
    num target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    num target prot opt source destination
    1 CHECKSUM udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill

    Table: filter
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
    2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
    4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
    2 ACCEPT all -- 192.168.122.0/24 0.0.0.0/0
    3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    4 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
    5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination

    I don't understand what is calling iptables, or why.

    I believe anything in /etc/rc.d/init.d/* will get run on startup. If I move those files out of there – obviously the command won't work – but I need to understand what's going on.

    I want status to tell me OFF

    /etc/rc.d/init.d/iptables status

  • On 07.07.2013 14:57, Bob Metelsky wrote:

    Why do you have to turn off the local firewall?

    Bad practice.

    That’s a VMware (ESXi or such) based virtual machine, right?
    192.168.122.0/24 is the default VMware NAT network assignment. It comes from the VMware tools. These tools take care that a NAT network setup will work.

    Alexander

    P.S. If you reply then please follow the general rule to not top-post and to trim your quotes. Thanks.

  • This could be the default network from libvirt. The KVM host does NAT from that network if the guest is configured to use it. You can undefine it with some virsh foo:

    $ virsh net-destroy default
    $ virsh net-undefine default
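Before undefining anything, it helps to see exactly which rules in the ruleset belong to libvirt's default network and which are the host's own policy. The script below is an added example, not code from the thread or from libvirt: it reads iptables-save output and separates rules that reference the libvirt defaults (subnet 192.168.122.0/24, bridge virbr0, both assumed) from everything else. The sample ruleset is constructed to mirror the status output quoted above plus one local SSH rule.

```shell
#!/bin/sh
# Added example, not from the thread: split libvirt's auto-generated NAT and
# forwarding rules from the rest of an iptables ruleset so "iptables status"
# output can be attributed before anything is disabled. Assumes libvirt's
# defaults (subnet 192.168.122.0/24 on bridge virbr0); sample is constructed.

LIBVIRT_NET='192.168.122.0/24'
LIBVIRT_BR='virbr0'

# Read iptables-save text on stdin; print "libvirt=<n> other=<m>",
# counting only -A rule lines (table headers and chain policies are skipped).
classify_rules() {
    awk -v net="$LIBVIRT_NET" -v br="$LIBVIRT_BR" '
        /^-A / { if (index($0, net) || index($0, br)) lv++; else ot++ }
        END { printf "libvirt=%d other=%d\n", lv + 0, ot + 0 }'
}

# Print only the rules attributable to libvirt, prefixed with their table.
libvirt_rules() {
    awk -v net="$LIBVIRT_NET" -v br="$LIBVIRT_BR" '
        /^\*/ { table = substr($0, 2); next }
        /^-A / && (index($0, net) || index($0, br)) { print table ": " $0 }'
}

# Constructed sample (not captured from a real host): libvirt's default
# network rules plus one locally added SSH rule.
SAMPLE_SAVE='*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Run against the sample; on a live host pipe `iptables-save` in instead.
printf '%s\n' "$SAMPLE_SAVE" | classify_rules
printf '%s\n' "$SAMPLE_SAVE" | libvirt_rules
```

If the "libvirt" count accounts for every rule you did not write, the firewall is not misconfigured; libvirtd is re-adding its default network rules at start.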

  • I appreciate the admonitions on bad practices – but for now I need to understand why something is happening and stop it.

    OPGX280 ~ # yum remove virt*

    ===============================================================================
     Package        Arch   Version             Repository   Size
    ===============================================================================
    Removing:
     virt-manager   i686   0.9.0-18.el6        @base        5.4 M
     virt-top       i686   1.0.4-3.15.el6      @base        922 k
     virt-viewer    i686   0.5.2-18.el6_4.2    @updates     751 k
     virt-what      i686   1.11-1.2.el6        @base         35 k

    Transaction Summary
    ===============================================================================
    Remove        4 Package(s)

    Installed size: 7.1 M
    Is this ok [y/N]: y
    …
    Removed:
      virt-manager.i686 0:0.9.0-18.el6      virt-top.i686 0:1.0.4-3.15.el6
      virt-viewer.i686 0:0.5.2-18.el6_4.2   virt-what.i686 0:1.11-1.2.el6

    Complete!
    OPGX280 ~ #

    OPGX280 ~ :( # chkconfig | grep virt
    libvirt-guests 0:off 1:off 2:off 3:off 4:off 5:off 6:off
    libvirtd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    reboot

    OK!!! Nice call on the virt*

    After reboot…

    OPGX280 ~ # /etc/rc.d/init.d/iptables status
    iptables: Firewall is not running.

    My goodness, I would never have guessed that an unneeded package would have caused that – THANK YOU!

    Now I can move on to the work I need to do – thank you again.
