[CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
very perplexed here - I need to turn off iptables. I've tried

service iptables save
service iptables stop
chkconfig iptables off

service ip6tables save
service ip6tables stop
chkconfig ip6tables off

edited
OPGX280 ~ # cat  /etc/sysconfig/system-config-firewall
# Configuration file for system-config-firewall
--disabled
--service=ssh

OPGX280 ~ :( # cat  /etc/selinux/config
SELINUX=disabled

OPGX280 ~ :( # chkconfig |grep ip
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off


Yet - when I reboot  iptables gets started  - if I run

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


Note --  192.168.122.0/24 is NOT my network, I just want the status to
tell me iptables is NOT running

What else can I look for??

Thanks
Bob
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Earl A Ramirez
Hi Bob,

I am just shooting in the dark here, have you tried /sbin/iptables -F

-- 
Kind Regards
Earl Ramirez


Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
this is very strange

I ran your flush command.. worked until reboot

I  came across this article
http://www.thegeekstuff.com/2011/01/redhat-iptables-flush/

Basically tells me how to save a wide open rules file - I did this and
it behaved like the doc describes

This is what I have now

OPGX280 ~ :( # cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Sun Jul  7 09:14:11 2013
*filter
:INPUT ACCEPT [32:4712]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:5160]
COMMIT
# Completed on Sun Jul  7 09:14:11 2013

- until I reboot then I get the same gibberish...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  tcp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
2    MASQUERADE  udp  --  192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
3    MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    CHECKSUM   udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:68 CHECKSUM fill

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

I don't understand what or why  iptables is being called?

I believe anything in /etc/rc.d/init.d/* will get run on startup. If I
move those files out of there - obviously the command won't work - but I
need to understand what's going on


I want status to tell me OFF

 /etc/rc.d/init.d/iptables status






Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Alexander Dalloz
On 07.07.2013 14:57, Bob Metelsky wrote:
> very perplexed here - I need to turn off iptables. I've tried

Why do you have to turn off the local firewall?

> service iptables save
> service iptables stop
> chkconfig iptables off
>
> service ip6tables save
> service ip6tables stop
> chkconfig ip6tables off
>
> edited
> OPGX280 ~ # cat  /etc/sysconfig/system-config-firewall
> # Configuration file for system-config-firewall
> --disabled
> --service=ssh
>
> OPGX280 ~ :( # cat  /etc/selinux/config
> SELINUX=disabled

Bad practice.

> OPGX280 ~ :( # chkconfig |grep ip
> ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
> ipmievd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
> ipsec           0:off   1:off   2:off   3:off   4:off   5:off   6:off
> iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
> ipvsadm         0:off   1:off   2:off   3:off   4:off   5:off   6:off
>
>
> Yet - when I reboot  iptables gets started  - if I run
>
> OPGX280 ~ # /etc/rc.d/init.d/iptables status
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
> 2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
> 3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
> 4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
>
> Chain FORWARD (policy ACCEPT)
> num  target     prot opt source               destination
> 1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
> 2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
> 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
> 5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>
>
> Note --  192.168.122.0/24 is NOT my network, I just want the status to
> tell me iptables is NOT running

That's a VMware (ESXi or such) based virtual machine, right?
192.168.122.0/24 is the default VMware NAT network assignment. It comes
from the VMware tools. These tools take care that a NAT network setup
will work.

> What else can I look for??
>
> Thanks
> Bob

Alexander

P.S. If you reply then please follow the general rule to not top-post
and to trim your quotes. Thanks.




Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Markus Falb

On 07.Jul.2013, at 14:57, Bob Metelsky wrote:

> very perplexed here - I need to turn off iptables. I've tried
> …
> Yet - when I reboot  iptables gets started  - if I run
> ...
> Note --  192.168.122.0/24 is NOT my network

This could be the default network from libvirt. The kvm host does NAT from that 
network if the guest is configured to use it. You can undefine it with some 
virsh foo

$ virsh net-destroy default
$ virsh net-undefine default
-- 
Markus Falb



Re: [CentOS] Firewall will not disable - stumped!

2013-07-07 Thread Bob Metelsky
On Sun, Jul 7, 2013 at 9:38 AM, Alexander Dalloz ad+li...@uni-x.org wrote:

> On 07.07.2013 14:57, Bob Metelsky wrote:
> > very perplexed here - I need to turn off iptables. I've tried
>
> Why do you have to turn off the local firewall?
>
> > OPGX280 ~ :( # cat  /etc/selinux/config
> > SELINUX=disabled
>
> Bad practice.
>
> Alexander
>
> P.S. If you reply then please follow the general rule to not top-post
> and to trim your quotes. Thanks.




I appreciate the admonitions on bad practices - but for now I need to
understand why something is happening and stop it


OPGX280 ~ # yum remove virt*


 Package           Arch     Version               Repository     Size

Removing:
 virt-manager      i686     0.9.0-18.el6          @base         5.4 M
 virt-top          i686     1.0.4-3.15.el6        @base         922 k
 virt-viewer       i686     0.5.2-18.el6_4.2      @updates      751 k
 virt-what         i686     1.11-1.2.el6          @base          35 k

Transaction Summary

Remove4 Package(s)

Installed size: 7.1 M
Is this ok [y/N]: y
...
Removed:
  virt-manager.i686 0:0.9.0-18.el6  virt-top.i686 0:1.0.4-3.15.el6
  virt-viewer.i686 0:0.5.2-18.el6_4.2   virt-what.i686 0:1.11-1.2.el6

Complete!
OPGX280 ~ #

OPGX280 ~ :( # chkconfig|grep virt
libvirt-guests  0:off   1:off   2:off   3:off   4:off   5:off   6:off
libvirtd        0:off   1:off   2:off   3:off   4:off   5:off   6:off

reboot


OK!!! Nice call on the virt*

 after reboot...

OPGX280 ~ # /etc/rc.d/init.d/iptables status
iptables: Firewall is not running.

My goodness I would have never guessed that an unneeded package  would have
caused that - THANK YOU!

Now I can move on to the work I need to do - Thank you again
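
Added example, not part of any message in this thread: one way to confirm that rules like the ones above were inserted at runtime by another service rather than loaded by the iptables init script is to diff the live ruleset against the persisted rules file. The function names, the virbr0 bridge name, the ssh rule and both sample rulesets are constructed for illustration.

```shell
# Added example. Reports rules that are loaded in the kernel but absent from
# the persisted file, i.e. rules some other service inserted after boot.

# Reduce iptables-save text (stdin) to "table rule" lines; comments, chain
# policy lines and COMMIT are dropped so counters cannot cause false diffs.
normalize_rules() {
    awk '/^\*/ { table = substr($0, 2); next }
         /^-A / { print table " " $0 }' | sort -u
}

# runtime_only_rules SAVED LIVE: rules in LIVE that SAVED does not contain.
runtime_only_rules() {
    s=$(mktemp); l=$(mktemp)
    normalize_rules < "$1" > "$s"
    normalize_rules < "$2" > "$l"
    comm -13 "$s" "$l"
    rm -f "$s" "$l"
}

# Constructed sample data, modelled on the output quoted in this thread.
# The bridge name virbr0 is an assumption; the thread never shows interfaces.
demo() {
    d=$(mktemp -d)
    cat > "$d/saved" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [32:4712]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    cat > "$d/live" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [90:9000]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
    runtime_only_rules "$d/saved" "$d/live"
    rm -rf "$d"
}
demo
```

On a real host, SAVED would be /etc/sysconfig/iptables and LIVE a file holding the output of iptables-save; any line printed came from something other than the saved rules.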