Bug 981579 - 'service iptables start' can not really start the firewall.
'service iptables start' can not really start the firewall.
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iptables (Show other bugs)
All Linux
unspecified Severity medium
: beta
: 7.0
Assigned To: Thomas Woerner
Depends On:
  Show dependency treegraph
Reported: 2013-07-05 03:50 EDT by Yin.JianHong
Modified: 2013-08-07 03:02 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-07 03:02:13 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Yin.JianHong 2013-07-05 03:50:15 EDT
Description of problem:
exec 'service iptables start' return 0. but in fact the iptable not run.
the service iptables stop have the same problem.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. yum install iptables
2. service iptables start 
3. service iptables status

Actual results:
iptables not run.   telnet $ip 2049    can connect

Expected results:
iptables work fine.  telnet $ip 2049   get 'no route to host'

Additional info:
  and  'service iptables stop' cannot work also.
Comment 2 Thomas Woerner 2013-07-05 05:50:23 EDT
Have you created a firewall configuration for use with the ip*tables services? If not then this is the source of the absence of a firewall rules. The ip*tables services are not providing firewall rules..

The firewall configuration for the ip*tables services have been created using lokkit at installation time with anaconda in the past. Since the move to firewalld, there is no firewall configuration for the ip*tables services created anymore.

The ip*tables services are available for installations, where a static, custom or user/admin provided firewall is needed.
Comment 3 Yin.JianHong 2013-07-05 06:31:21 EDT
In RHEL6 RHEL5 there is no need create a configuration file first.

First when I login the system. the firewall worked(I can not telnet some port).
then I service stop the iptables. no effect.
I still can not access my port, and until I uninstall iptables, telnet ok.

after that I yum reinstall the package, and service iptables start.
firewall not work.

I use the latest RHEL-7.0-20130628.0;
Comment 4 Thomas Woerner 2013-07-05 06:58:48 EDT
RHEL-7 is using firewalld. The ip*tables services are there only for compatibility - for updated systems and static, custom or user/admin provided firewalls.

The ip*tables services are not used for firewalld, but the ip*tables command line clients. Therefore a start or stop of the services do not have any effect. The services are neither enabled nor active.

While you have uninstalled iptables, you should have seen that there is a requirement for the iptables package from firewalld. If you force uninstall a package, you should make sure that everything that needs the package will be working afterwards again. It is expected behaviour that the firewall is not working after a forced uninstall of the iptables package. You have to restart firewalld to get it working again.

For more information on firewalld, please have a look at https://fedorahosted.org/firewalld/ and https://fedoraproject.org/wiki/FirewallD
Comment 5 Yin.JianHong 2013-07-07 22:19:39 EDT
for compatibility, backward compatible.
we need service ip*tables work ok. and many script of custom or admin need.

service xxx {start|stop|...} need Redirecting to right systemd service. and it should work fine.

e.g. service nfs start can work fine in rhel7
Comment 6 Thomas Woerner 2013-07-08 05:07:18 EDT
For RHEL-7: Use firewalld and the firewalld service.

The ip*tables services in RHEL-7 are working, but you have not provided firewall rules for these services. The iptables packages never provided any firewall rules for use with the ip*tables services. system-config-firewall/lokkit was used to create the firewall rules for the services at installation time.
Comment 7 Yin.JianHong 2013-07-08 06:19:26 EDT
OK. but in default install I cannot telnet 2049 port. is there some default rule?

and the 'service iptables stop' cannot disable the firewall. utils uninstall iptables.
Comment 8 Thomas Woerner 2013-07-08 06:34:46 EDT
firewalld is active and the port is blocked because of the default firewall configuration firewalld provides.

Use "systemctl stop firewalld" or "service firewalld stop" to stop firewalld.

Note You need to log in before you can comment on or make changes to this bug.