From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
system-config-securitylevel uses /etc/sysconfig/iptables to write its rules to. This has the unfortunate consequence of destroying whatever was there before and not allowing people to make their own modifications to those rules. I'd like s-c-sl to play nicer with the system. I think the easiest way to do this would be to modify /etc/init.d/iptables to read in two config files. The first file could be the one that s-c-sl writes out and would come with a big giant comment at the top saying to add changes to another file. The second one could be for people to add their own modifications to and would be read in after the s-c-sl/default file. See bug 138143 for what I'm talking about. Thoughts?

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Make your own changes to /etc/sysconfig/iptables.
2. Fire up s-c-securitylevel and use it to make some modifications.
3. Observe that your changes are gone.

Additional info:
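As an added illustration of the two-file scheme proposed above (example code, not from the bug report and not part of system-config-securitylevel or the iptables init script), the Python below merges the s-c-sl written file with a local override file table by table. Plain concatenation is not enough, because iptables-restore flushes a table each time it meets a '*table' line, so a second '*filter' block would replace the first; the sample rulesets are constructed for the example.

```python
from collections import OrderedDict

def parse_iptables_save(text):
    """iptables-save text -> OrderedDict table -> (chains: name->line, rules)."""
    tables, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("*"):          # '*filter': a table block starts
            current = line[1:]
            tables.setdefault(current, (OrderedDict(), []))
        elif line == "COMMIT":            # table block ends
            current = None
        elif current is None:
            raise ValueError("line outside a table block: %r" % line)
        elif line.startswith(":"):        # ':INPUT ACCEPT [0:0]' chain + policy
            tables[current][0][line[1:].split()[0]] = line
        else:                             # '-A ...' rule
            tables[current][1].append(line)
    return tables

def merge_iptables_save(base_text, local_text):
    """Chains are unioned (local policy wins); local rules follow base rules."""
    merged = parse_iptables_save(base_text)
    for table, (chains, rules) in parse_iptables_save(local_text).items():
        mchains, mrules = merged.setdefault(table, (OrderedDict(), []))
        mchains.update(chains)            # later file overrides chain policy
        mrules.extend(rules)              # later file's rules are appended
    out = []
    for table, (chains, rules) in merged.items():
        out.append("*" + table)
        out.extend(chains.values())
        out.extend(rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"          # feed this to iptables-restore

# Constructed sample input, modelled on an s-c-securitylevel style ruleset
BASE = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
LOCAL = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""
```

In the merged output the local INPUT rule lands after the jump into RH-Firewall-1-INPUT, whose final REJECT already decides the packet, so rules appended this way only take effect for traffic the base file leaves undecided.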
In my opinion it is not a good idea to use more than one config file for iptables, because there can be strange combinations this way that would be very difficult to detect or explain to users. system-config-securitylevel should get enhanced to be able to parse existing /etc/sysconfig/iptables files.
I use a simple script for iptables, and several files like init.d/: 10-raw, 20-nat, 30-input ... and a file for sed substitution like: s/$extif/eth0/

Script:

#!/bin/ash
ipt_home=/etc/ipt-script
# rebuild the combined ruleset from scratch
rm -f "$ipt_home/ipt-final"
touch "$ipt_home/ipt-final"
# 10-raw, 20-nat, 30-input ... in numeric order, with the sed substitutions applied
for table_file in `find "$ipt_home" -regex ".*[0-9][0-9].*$" | sort`; do
    sed -f "$ipt_home/ipt-sed" "$table_file" >> "$ipt_home/ipt-final"
done
/sbin/iptables-restore < "$ipt_home/ipt-final"
This is no iptables problem. Closing as "NOT A BUG".