There is a small typo in the 7.0 distribution in /etc/init.d/ipchains.

The problem is in the save function:

/sbin/ipchains-save > $IPCHAINS_CONFIG 2>/dev/null && \

The "-v" was missing:

/sbin/ipchains-save -v > $IPCHAINS_CONFIG 2>/dev/null && \

resulting in a zero byte file.

Thanks for your time,
mark zen
Erhm, could it be that you have no chains set up? Here, ipchains-save works flawlessly. -v (print out every rule) prints out all rules to stderr besides stdout.
hopefully this documentation will help:

[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source           destination           ports
ACCEPT     tcp  ------  charon.Sun.COM   mailcity.dotzen.org   any -> telnet
DENY       tcp  ----l-  anywhere         mailcity.dotzen.org   any -> tcpmux:1024
Chain forward (policy DENY):
target     prot opt     source           destination           ports
MASQ       all  ------  127.00.10.0/24   anywhere              n/a
Chain output (policy ACCEPT):
Chain acct (0 references):
[root@mailcity chain]# /etc/init.d/ipchains stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
[root@mailcity chain]# vi /etc/init.d/ipchains
[root@mailcity chain]# /etc/init.d/ipchains start
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying ipchains firewall rules: Creating chain `acct'. [ OK ]
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
-rw-r--r-- 1 root root 1726 Nov 9 15:29 /etc/sysconfig/ipchains
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source           destination           ports
ACCEPT     tcp  ------  charon.Sun.COM   mailcity.dotzen.org   any -> telnet
DENY       tcp  ----l-  anywhere         mailcity.dotzen.org   any -> tcpmux:1024
Chain forward (policy DENY):
target     prot opt     source           destination           ports
MASQ       all  ------  127.10.10.0/24   anywhere              n/a
Chain output (policy ACCEPT):
Chain acct (0 references):
[root@mailcity chain]#
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
-rw-r--r-- 1 root root 1726 Nov 9 15:29 /etc/sysconfig/ipchains
[root@mailcity chain]# /etc/init.d/ipchains save
Saving current rules to /etc/sysconfig/ipchains: [ OK ]
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
-rw-r--r-- 1 root root 0 Nov 9 15:37 /etc/sysconfig/ipchains
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
target     prot opt     source           destination           ports
ACCEPT     tcp  ------  192.9.25.10      mailcity.dotzen.org   any -> telnet
^C
[root@mailcity chain]# /etc/init.d/ipchains stop
Flushing all chains: [ OK ]
Removing user defined chains: [ OK ]
Resetting built-in chains to the default ACCEPT policy: [ OK ]
[root@mailcity chain]# rm /etc/sysconfig/ipchains
rm: remove `/etc/sysconfig/ipchains'? y
[root@mailcity chain]# /etc/init.d/ipchains start
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
[root@mailcity chain]# ipchains -A forward -s 127.10.10.0/24 -j MASQ
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source           destination           ports
MASQ       all  ------  127.10.10.0/24   anywhere              n/a
Chain output (policy ACCEPT):
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
ls: /etc/sysconfig/ipchains: No such file or directory
[root@mailcity chain]# /etc/init.d/ipchains save
Saving current rules to /etc/sysconfig/ipchains: [ OK ]
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
-rw-r--r-- 1 root root 0 Nov 9 15:43 /etc/sysconfig/ipchains
[root@mailcity chain]# rm !$
rm /etc/sysconfig/ipchains
rm: remove `/etc/sysconfig/ipchains'? y
[root@mailcity chain]# /etc/init.d/ipchains start
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
[root@mailcity chain]# ipchains -A forward -s 127.10.10.0/24 -j MASQ
[root@mailcity chain]# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source           destination           ports
MASQ       all  ------  127.10.10.0/24   anywhere              n/a
Chain output (policy ACCEPT):
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
ls: /etc/sysconfig/ipchains: No such file or directory
[root@mailcity chain]# /etc/init.d/ipchains save
Saving current rules to /etc/sysconfig/ipchains: [ OK ]
[root@mailcity chain]# ls -l /etc/sysconfig/ipchains
-rw-r--r-- 1 root root 112 Nov 9 15:45 /etc/sysconfig/ipchains
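
Added example, not part of the original thread and not the Red Hat init script: the session above shows a 1726-byte rules file replaced by a 0-byte one because `> $IPCHAINS_CONFIG` truncates the file before the dump command has produced anything. The hypothetical `save_rules` function below dumps to a temporary file and replaces the saved rules only when the dump succeeded and is non-empty; treating an empty dump as a failure is an assumption of this sketch.

```shell
#!/bin/sh
# save_rules DEST CMD [ARGS...]   (hypothetical helper, added for illustration)
# Runs CMD, captures its stdout in a temp file beside DEST, and replaces DEST
# only if CMD exited 0 and wrote at least one byte.
# Returns 0 on replace, 1 if CMD failed, 2 if CMD produced an empty dump.
save_rules() {
    dest=$1
    shift
    # mktemp creates the file with mode 0600 in the same directory as DEST,
    # so the final mv is a rename on one filesystem (atomic replace).
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ! "$@" > "$tmp"; then
        rm -f "$tmp"              # dump command failed: keep the old rules
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"              # empty dump: never truncate a saved ruleset
        return 2
    fi
    mv -f "$tmp" "$dest"
}

# Usage with the paths from this report (run as root on the affected host):
#   save_rules /etc/sysconfig/ipchains /sbin/ipchains-save \
#       || echo "rules NOT saved, previous file left in place" >&2
```

With this shape, an init script can report failure instead of `[ OK ]` when nothing was written, and the next boot still loads the last good ruleset.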
> hopefully this documentation will help:

Well, '/etc/init.d/ipchains save' works fine at my end. I've even tested some of your examples, but have never got an empty /etc/sysconfig/ipchains as result. Raises the question whether you might be using a modified version of the ipchains wrapper script.

# rpm -qf /etc/init.d/ipchains
ipchains-1.3.9-17
# md5sum /etc/init.d/ipchains
2b7f11ad7943ae8c606cc9e63ca7e226 /etc/init.d/ipchains

Just curious...
[root@mailcity /root]# rpm -qf /etc/init.d/ipchains
ipchains-1.3.9-17
md5sum /etc/init.d/ipchains
85c16990ce34a91f857fc7deb3d4d29a /etc/init.d/ipchains
> # md5sum /etc/init.d/ipchains
> 85c16990ce34a91f857fc7deb3d4d29a /etc/init.d/ipchains

Hmm, judging by the wrong fingerprint I take it this is your modified version of the script? ;-)

$ rpm --verify ipchains

Btw, have you ever tried the "ipchains-save" command directly? I still don't see why you think you need to add '-v'. But I think I'll leave this issue to the Red Hat people now...
This seems to work fine here.