Bug 981579
| Summary: | 'service iptables start' can not really start the firewall. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | JianHong Yin <jiyin> |
| Component: | iptables | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED NOTABUG | QA Contact: | qe-baseos-daemons |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | iptables-maint-list, jiyin, qcai |
| Target Milestone: | beta | ||
| Target Release: | 7.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-08-07 07:02:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
JianHong Yin
2013-07-05 07:50:15 UTC
Have you created a firewall configuration for use with the ip*tables services? If not then this is the source of the absence of a firewall rules. The ip*tables services are not providing firewall rules.. The firewall configuration for the ip*tables services have been created using lokkit at installation time with anaconda in the past. Since the move to firewalld, there is no firewall configuration for the ip*tables services created anymore. The ip*tables services are available for installations, where a static, custom or user/admin provided firewall is needed. In RHEL6 RHEL5 there is no need create a configuration file first. First when I login the system. the firewall worked(I can not telnet some port). then I service stop the iptables. no effect. I still can not access my port, and until I uninstall iptables, telnet ok. after that I yum reinstall the package, and service iptables start. firewall not work. I use the latest RHEL-7.0-20130628.0; RHEL-7 is using firewalld. The ip*tables services are there only for compatibility - for updated systems and static, custom or user/admin provided firewalls. The ip*tables services are not used for firewalld, but the ip*tables command line clients. Therefore a start or stop of the services do not have any effect. The services are neither enabled nor active. While you have uninstalled iptables, you should have seen that there is a requirement for the iptables package from firewalld. If you force uninstall a package, you should make sure that everything that needs the package will be working afterwards again. It is expected behaviour that the firewall is not working after a forced uninstall of the iptables package. You have to restart firewalld to get it working again. For more information on firewalld, please have a look at https://fedorahosted.org/firewalld/ and https://fedoraproject.org/wiki/FirewallD for compatibility, backward compatible.
we need service ip*tables work ok. and many script of custom or admin need.
service xxx {start|stop|...} need Redirecting to right systemd service. and it should work fine.
e.g. service nfs start can work fine in rhel7
For RHEL-7: Use firewalld and the firewalld service. The ip*tables services in RHEL-7 are working, but you have not provided firewall rules for these services. The iptables packages never provided any firewall rules for use with the ip*tables services. system-config-firewall/lokkit was used to create the firewall rules for the services at installation time. OK. but in default install I cannot telnet 2049 port. is there some default rule? and the 'service iptables stop' cannot disable the firewall. utils uninstall iptables. firewalld is active and the port is blocked because of the default firewall configuration firewalld provides. Use "systemctl stop firewalld" or "service firewalld stop" to stop firewalld. |