CentOS 7 – Iptables Service Failed To Start
Hello all:
I did a fresh install of CentOS 7 on a new machine.
I wrote /usr/local/bin/firewall.stop to remove all the firewall rules. It contains this code:
# Flush the rules
/usr/sbin/iptables -F
# Set the default policies to accept
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
I wrote /usr/local/bin/firewall.start to set the firewall rules. It contains this code:
# IP definitions
ETH0_IP=a.b.c.d
# Load the FTP conntrak module
/usr/sbin/modprobe nf_conntrack_ftp
# Set the default policies to drop all packets
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP
# Flush any existing rules
/usr/sbin/iptables -F
# Allow loopback traffic
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Allow icmp protocol packets
/usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT
[ Additional allow rules here ]
If I run the firewall.start script manually, it sets the iptables rules correctly. If I run the firewall.stop script manually, it removes the iptables rules correctly.
The problem comes in when I am trying to execute this from systemd.
I wrote /etc/systemd/system/firewall.service with this content:
[Unit]
Description=Iptables firewall
Before=network.target
Wants=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/firewall.start
ExecStop=/usr/local/bin/firewall.stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Now, when I run systemctl start firewall.service, I get this output:
Job for firewall.service failed. See 'systemctl status firewall.service' and
'journalctl -xn' for details.
If I do systemctl status firewall.status, it gives me:
firewall.status.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
journalctl -xn gives me this output:
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables firewall...
-- Subject: Unit firewall.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
4 thoughts on - CentOS 7 – Iptables Service Failed To Start
Hey everyone:
I just realized I forgot to put #!/bin/sh at the top of my firewall scripts. I added that and it is working perfectly fine now.
Sorry for any trouble.
Thanks,
Neil
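Why the scripts worked when run by hand but not from systemd, with a preflight check that catches it. This is an added example, not Neil's code and not part of the thread: systemd executes an ExecStart= or ExecStop= target directly with execve, so a file with no "#!" line fails with "Exec format error", whereas bash, when told to run such a file from a prompt, falls back to interpreting it as a shell script itself. The check below scans a unit file for Exec*= targets and verifies that each one is executable and begins with an interpreter line. The unit path in the usage comment is the thread's; everything else is constructed. The point for a defender is that when firewall.start never runs, the built-in chains keep their default ACCEPT policy, so the host is up with no filtering at all.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for scripts that a
# systemd ExecStart=/ExecStop= line will execute directly. systemd calls
# execve() on the path without a shell, so a script lacking a "#!" line
# fails with "Exec format error", even though running it by hand from bash
# works because bash falls back to interpreting the file itself.

# check_exec_target PATH: print each problem found; return 0 if the file is OK.
check_exec_target() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file"
        return 1
    fi
    if [ ! -x "$f" ]; then
        echo "$f: not executable (chmod 755?)"
        rc=1
    fi
    # The kernel only looks for an interpreter when the first two bytes are "#!".
    if [ "$(head -c 2 "$f")" != '#!' ]; then
        echo "$f: missing #! interpreter line; systemd will report 'Exec format error'"
        rc=1
    fi
    return $rc
}

# check_unit UNITFILE: check every ExecStart=/ExecStop=/ExecReload= target
# (and their Pre/Post variants) named in a unit file.
check_unit() {
    u=$1
    rc=0
    # Drop the key, any special prefix characters (-, @, +, !, :) and
    # arguments, keeping only the program path.
    for p in $(sed -nE 's/^Exec(Start|Stop|Reload)(Pre|Post)?=[-@+!:]*([^ ]*).*/\3/p' "$u"); do
        check_exec_target "$p" || rc=1
    done
    return $rc
}

# Usage: unitcheck.sh /etc/systemd/system/firewall.service
if [ $# -gt 0 ]; then
    check_unit "$1"
fi
```

Run it against the unit before the first systemctl start; a non-zero exit means at least one target would fail at the EXEC step.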
You are missing a first line:
#!/bin/sh
And that’s the error expected.
You might want to look into using the regular iptables service instead of custom firewall scripts. The service uses iptables-save and iptables-restore, which are designed to install all iptables rules atomically. If you end up with a typo in your script, you end up with a partially initialized firewall, but iptables-restore first parses the entire rule set and doesn't touch the current rules at all if it finds an error, making the process much more robust.
Regards,
Dennis
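What Dennis's suggestion looks like in practice, as an added example that is neither his code nor the iptables project's: the thread's firewall.start rewritten as an iptables-save(8) format ruleset, an offline structural lint for it, and an apply step that dry-runs the file with iptables-restore --test before committing it. On CentOS 7 the iptables-services package ships an iptables.service unit that loads /etc/sysconfig/iptables with iptables-restore, which is the path used below. The address is a constructed placeholder; the nf_conntrack_ftp modprobe from the original script is not a rule and is left out.

```shell
#!/bin/sh
# Added example (not from the thread): the firewall.start rules as an
# iptables-save format file, loaded atomically with iptables-restore.
# ETH0_IP is a constructed placeholder (RFC 5737 documentation address).

ETH0_IP=${ETH0_IP:-192.0.2.10}
# iptables.service from the iptables-services package reads this file.
RULES=${RULES:-/etc/sysconfig/iptables}

# build_ruleset: print the ruleset. Policies are DROP and the allow rules
# are the ones from the thread; further rules go before COMMIT.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
-A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT
COMMIT
EOF
}

# lint_ruleset FILE: structural check that needs no iptables binary.
# Every *table block must end with COMMIT, and every other line must be a
# chain policy (":NAME ...") or a rule ("-A ..."). Prints offending lines
# and returns 1 on any problem.
lint_ruleset() {
    awk '
        /^#/ || /^$/ { next }
        /^\*/      { if (intable) { print "table without COMMIT before line " NR; bad=1 }
                     intable=1; next }
        /^COMMIT$/ { if (!intable) { print "COMMIT outside a table at line " NR; bad=1 }
                     intable=0; next }
        /^:/       { if (!intable) { print "chain outside a table at line " NR; bad=1 } next }
        /^-[A-Z] / { if (!intable) { print "rule outside a table at line " NR; bad=1 } next }
                   { print "unrecognised line " NR ": " $0; bad=1 }
        END        { if (intable) { print "missing final COMMIT"; bad=1 }
                     exit (bad ? 1 : 0) }
    ' "$1"
}

# apply_ruleset FILE: lint, then let iptables-restore parse the whole file
# without committing (--test). Only if both pass is the ruleset loaded, so
# a typo leaves the kernel's current rules untouched instead of producing
# the half-built firewall that a script of iptables -A lines gives you.
apply_ruleset() {
    lint_ruleset "$1" || return 1
    iptables-restore --test "$1" || return 1
    iptables-restore "$1"
}

# Usage (as root): build_ruleset > "$RULES" && apply_ruleset "$RULES"
```

Because the file is the source of truth, iptables.service restores exactly this state at boot, and "iptables-save > $RULES" after an interactive change keeps the two in step.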
Try systemctl stop firewalld; I had to disable that too.
Adam King IT Systems Administrator Skipton Girls High School
01756 707600
http://www.sghs.org.uk