
I'm having trouble modifying iptables configuration during a customized kickstart installation of CentOS 6. The kickstart process is installing several custom RPMs on top of a minimal ISO image. One of the rpms attempts to modify the iptables rules but after Anaconda completes the installation, the original default rules are still set in /etc/sysconfig/iptables.

I've tried using iptables (save|restore) but the iptables modules aren't available during the installation. iptables -L returns the error "can't initialize iptables 'filter': Table does not exist" and both save/restore commands fail to run.

After poking around I realized that the package system-config-firewall-base is installed and seems to be setting the default rules. Further, I see that my rules have been copied into /etc/sysconfig/iptables.old but I can't figure out what is causing that. I've tried adding Requires: system-config-firewall-base to my package in the hopes that I could change the rules in my %post after they've been set but that didn't work.

Installing this package after first boot sets up the rules correctly.

Any advice on how to correctly configure iptables during installation or else how to configure something to achieve this automatically on first boot?

Thanks.

Stefan Lasiewski
bfallik-bamboom

3 Answers


Your best bet is to edit the /etc/sysconfig/iptables file directly in a script in the %post section of your kickstart file. This will run after you have installed your packages.

Red Tux
  • Right, I've tried that and once installation completes, I switch over to VT2 to inspect the filesystem and /mnt/sysimage/etc/sysconfig/iptables contains the old, default settings. – bfallik-bamboom Jan 13 '12 at 14:24
  • I retried this approach and it seems to work. Not sure why my first attempt failed, but copying the custom iptables rules in a `%post --nochroot` kickstart section seems to work. – bfallik-bamboom Jan 13 '12 at 15:01
  • Ya I wondered if it had something to do with the root jail, good to know that it works without the root jail. – Red Tux Jan 13 '12 at 15:29
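The approach from this answer and the asker's follow-up comment (writing the rules file from a `%post --nochroot` section) as an added example; this is not code from the original post. It writes a CentOS 6 style iptables-save file directly under the installed system's root, so it needs no iptables kernel modules during the install; /mnt/sysimage is where Anaconda mounts the target system, and the port list is a constructed example.

```shell
#!/bin/sh
# Added example: write /etc/sysconfig/iptables into the installed system from a
# kickstart "%post --nochroot" section. Nothing here calls iptables or
# iptables-save, so it works even though the netfilter modules are not
# loaded in the Anaconda environment. The sysv "iptables" service loads this
# file on first boot.

# write_iptables_rules ROOT PORT...  (ROOT is /mnt/sysimage in %post --nochroot)
write_iptables_rules() {
    root="$1"; shift
    rules="$root/etc/sysconfig/iptables"
    mkdir -p "$(dirname "$rules")"
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -p icmp -j ACCEPT'
        echo '-A INPUT -i lo -j ACCEPT'
        # One ACCEPT rule per requested TCP port (constructed list below).
        for port in "$@"; do
            echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
        done
        # Default deny for anything not matched above, as in the stock CentOS 6 rules.
        echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
        echo '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
        echo 'COMMIT'
    } > "$rules"
    # The stock file is root-only readable; keep it that way.
    chmod 600 "$rules"
}

# Count the per-port ACCEPT rules in a rules file; handy for checking the result
# from VT2 after the install finishes.
count_port_rules() {
    grep -c -- '--dport' "$1"
}

# In the kickstart this line is the %post --nochroot body (ports are an example):
# write_iptables_rules /mnt/sysimage 22 8880 8443
```

Because the file is written outside the chroot, it is not touched by the system-config-firewall-base defaults the question describes; check /mnt/sysimage/etc/sysconfig/iptables from VT2 before rebooting.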

What firewall mods are you trying to do?

You can make firewall mods with kickstart

E.g. to enable ssh (tcp 22) and http (tcp 80), put the following line in your kickstart:

firewall --enabled --http --ssh

ckliborn

I'll point out that there is a programmatic API for editing the iptables config file.

Here is an example:

iptables -I INPUT -p tcp --dport 8880 -j ACCEPT
iptables -I INPUT -p tcp --dport 8443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
service iptables restart
mlathe
  • This could suffer from a race condition if multiple users are running scripts like this. Better to change `iptables-save >/etc/sysconfig/iptables` to `command service iptables save`, and get rid of the `restart`. – Mark Lakata Jul 29 '14 at 23:01
  • @MarkLakata while kind of a corner case, still nice to know about the `save` command. I'm curious about your use of the `command` command. What is the purpose of doing it that way and not just `service iptables save`? – mlathe Jul 31 '14 at 19:27
  • No good reason, it was just something I cut and pasted from some other SO article :). I just learned what the purpose of the `command` command is -- to prevent some alias called `service` from interfering. See http://ss64.com/bash/command.html – Mark Lakata Jul 31 '14 at 20:36
  • Yeah... that was what I was thinking... Preventing someone from hijacking your `service` command somehow. – mlathe Aug 05 '14 at 00:01
  • This doesn't address the original problem. If you try to run these commands during the kickstart phase you will get "can't initialize iptables 'filter': Table does not exist" as already mentioned in the question. – Burhan Ali Sep 15 '14 at 16:49