Iptables status issue
Hello, I am running a fresh install of Centos 5. Kernel is 2.6.18. I do not have a GUI or any GUI-tools installed. The issue is that "service iptables status" should return the running status of the firewall. It works just fine on my 4.4 installs. However, when I run the command on my two new version 5 boxes, I receive a single line result "Table: filter." Typically, this command should show the status of the firewall and the currently loaded ruleset. Any ideas on if this is a bug or feature change? I read the entire section in the RHEL 5 manual on Iptables and did not see any mention of changes to this. Thanks.
-
- Posts: 1478
- Joined: 2006/05/29 16:50:11
- Location: San Francisco, CA
Re: Iptables status issue
I don't have a CentOS 5 box so I can't check this for myself, but you could try running "sh -x /etc/init.d/iptables restart" and look at the verbose output to see what it's doing or not doing.
Also, what happens if you bypass it and instead run "/sbin/iptables -L" to check the status?
Re: Iptables status issue
Michelnel,
Thanks for the reply. I ran the shell command, but I am not sure how to read all of that. It appears as I would guess it would be, but I am a relative newbie and that is a bit much for me to analyze. :) I see it flushing the tables and appearing to apply the configured rules. Is there a specific thing I should be looking for in all of that output?
As for your second point, the Iptables list command does pull the proper tables config. Does that mean it is working even if service iptables status does not return the same thing? Again, the status command only displays the single line "Table: filter" and nothing else. Odd.
-
- Posts: 1478
- Joined: 2006/05/29 16:50:11
- Location: San Francisco, CA
Re: Iptables status issue
Yes, I would say that if "iptables -L" is showing the firewall to be configured as you want it, then yes, it is working regardless of what /etc/init.d/iptables status says.
If I had CentOS 5 I could check this, but it seems too buggy for my production servers at this point.
Re: Iptables status issue
The command 'service iptables status' should produce output like this:
service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Maybe one of the kernel bugs fixed in the next kernel fixes the issue; http://lwn.net/Articles/232334/
Re: Iptables status issue
michelnel,
That brings up an interesting question. When would you consider rolling out v5 to your production environment? With all of the testing that occurs upstream, I trust it a lot more than I will Longhorn when it hits the vendors.
Re: Iptables status issue
Lenard,
Thank you for the advice. I didn't see anything directly related in the release notes, but I upgraded to the new kernel to test it. After reloading the VMware Tools, I was able to see that the firewall is reporting the same information (or lack of information) as before. It doesn't appear to be kernel-related. Iptables -L still works fine, but the status command doesn't show the tables.
J
-
- Posts: 1478
- Joined: 2006/05/29 16:50:11
- Location: San Francisco, CA
Re: Iptables status issue
[quote]
jcf71 wrote:
michelnel,
When would you consider rolling out v5 to your production environment.[/quote]
A few months after 5.1 is released (assuming they work out an upgrade-in-place strategy that works), earlier only if I am forced to for some reason.
-
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: Iptables status issue
service iptables status works fine for me, but I am only running ipv4.
Are you running ipv6?
/etc/init.d/iptables is just a shell script. You can add debugging echo statements to the status function
and run 'service iptables status' to see what it is doing.
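As an added illustration of the debugging approach suggested above (this is example code, not the CentOS initscript): a small stand-in for the status() action that reads the loaded table names from /proc/net/ip_tables_names, lists each table with /sbin/iptables, and flags a table whose listing contains no chains, which is the "Table: filter" and nothing else symptom in this thread. The SAMPLE_LISTING is constructed from the output quoted earlier; IPTABLES and TABLES_FILE are overridable assumptions.

```shell
#!/bin/sh
# Example stand-in for the status() action of /etc/init.d/iptables (not the
# real initscript). Lists every loaded table and summarises chains and rules,
# so a table that prints only its header is reported instead of passing silently.

IPTABLES=${IPTABLES:-/sbin/iptables}                     # assumed path
TABLES_FILE=${TABLES_FILE:-/proc/net/ip_tables_names}    # one table name per line

# Constructed sample in the shape of the output quoted in the thread.
SAMPLE_LISTING='Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0'

# Read a table listing on stdin; print "chains=N rules=M".
summarize_listing() {
    awk '/^Chain /{c++} /^[0-9]+ /{r++} END{printf "chains=%d rules=%d\n", c+0, r+0}'
}

# Read a listing on stdin; succeed if some rule jumps to the chain named $1.
chain_referenced() {
    awk -v want="$1" '/^[0-9]+ /{ if ($2 == want) found=1 } END{ exit (found ? 0 : 1) }'
}

# Dump one table the way the initscript does: numeric, with rule numbers.
list_table() {
    echo "Table: $1"
    "$IPTABLES" -t "$1" -L -n --line-numbers
}

# Status over all loaded tables. Returns 3 (LSB "not running") when no table
# is loaded, 1 when a table lists no chains at all, 0 otherwise.
firewall_status() {
    [ -r "$TABLES_FILE" ] || { echo "no netfilter tables loaded"; return 3; }
    rc=0
    while read -r table; do
        listing=$(list_table "$table")
        echo "$listing"
        case $(printf '%s\n' "$listing" | summarize_listing) in
            chains=0*) echo "WARNING: table $table lists no chains"; rc=1 ;;
        esac
    done < "$TABLES_FILE"
    return $rc
}
# Run as root with: . ./this_script.sh && firewall_status
```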