Red Hat Bugzilla – Bug 175947
/etc/init.d/iptables should read two rules files
Last modified: 2007-11-30 17:11:19 EST
Description of problem:
system-config-securitylevel uses /etc/sysconfig/iptables to write its rules to. This has the unfortunate consequence of destroying whatever was there before and not allowing people to make their own modifications to those rules. I'd like s-c-sl to play nicer with the system.
I think the easiest way to do this would be to modify /etc/init.d/iptables to read in two config files. The first file could be the one that s-c-sl writes out and would come with a big giant comment at the top saying to add changes to another file. The second one could be for people to add their own modifications to and would be read in after the s-c-sl/default file.
See bug 138143 for what I'm talking about.
Steps to Reproduce:
1. Make your own changes to /etc/sysconfig/iptables.
2. Fire up s-c-securitylevel and use it to make some modifications.
3. Observe that your changes are gone.
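The two-file scheme proposed above, as an added example that is not code from this bug or from the initscripts package: merge the file s-c-sl writes with a locally maintained one into a single iptables-restore input. Plain concatenation is not enough, because iptables-restore flushes a table each time it meets its *table line unless --noflush is given, so two *filter blocks would discard the first file's rules; the merge therefore combines the sections per table. The sample rules, file contents and the -I placement are constructed for illustration.

```python
# Constructed samples: what s-c-sl writes (BASE_RULES) and the admin's own file (LOCAL_RULES).
BASE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
LOCAL_RULES = """\
*filter
:INPUT DROP [0:0]
-I RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def parse_save_format(text):
    """Split iptables-save text into {table: ({chain: policy line}, [rule lines])}."""
    tables, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # start of a table section
            table = line[1:]
            tables.setdefault(table, ({}, []))
        elif line == "COMMIT":                        # end of that section
            table = None
        elif table is None:
            raise ValueError("line outside a *table section: %r" % line)
        elif line.startswith(":"):                    # chain declaration and policy
            tables[table][0][line.split()[0][1:]] = line
        else:                                         # a rule line (-A, -I, ...)
            tables[table][1].append(line)
    return tables

def merge_rule_files(*texts):
    """Emit one *table...COMMIT block per table; later files override chain policies."""
    merged = {}
    for text in texts:
        for table, (chains, rules) in parse_save_format(text).items():
            mchains, mrules = merged.setdefault(table, ({}, []))
            mchains.update(chains)            # later file wins on policy
            mrules.extend(rules)              # later file's rules follow earlier ones
    out = []
    for table, (chains, rules) in merged.items():
        out += ["*" + table] + list(chains.values()) + rules + ["COMMIT"]
    return "\n".join(out) + "\n"
```

The -I in LOCAL_RULES matters because the later file's rules are placed after the earlier ones: an -A rule would land behind the base file's final REJECT and never match.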
In my opinion it is not a good idea to use more than one config file for iptables, because there can be strange combinations this way, that would be very difficult to detect or explain to users.
system-config-securitylevel should get enhanced to be able to parse existing
I use a simple script for iptables, and several files like init.d/, and use a file for sed substitution like: s/$extif/eth0/
: > "$ipt_home/ipt-final"   # start from an empty file, or old rules accumulate across runs
for table_file in $(find "$ipt_home" -regex ".*[0-9][0-9].*$" | sort); do
    sed -f "$ipt_home/ipt-sed" "$table_file" >> "$ipt_home/ipt-final"   # apply the sed substitutions
done
/sbin/iptables-restore < "$ipt_home/ipt-final"
This is no iptables problem. Closing as "NOT A BUG".