3

I have a HostGator VPS running CentOS. When I stop the VPS and start it again, the changes I've made to the iptables rules aren't saved; I've tried to save the iptables rules, to no avail. Every time I restart the server I have to run the following in order to get the iptables rules how I need them:

iptables -I INPUT -p tcp --dport 3000 --syn -j ACCEPT
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000

The first command opens port 3000 and the second command redirects port 80 traffic to port 3000.

When I restart or completely stop the VPS and start it again, the iptables rules come up as if I never saved them and go back to the default from when I first got the VPS.

I've tried all these commands and still no joy.

I'm considering just writing a script to run the commands I need to configure the IPTABLES. Any suggestions?

FYI: I edited /etc/sysconfig/iptables and did a service iptables save, and no luck; once rebooted, it went back to Host Gator's configuration upon reset of the VPS.

MadHatter
ConfusedDeer

3 Answers

7

In order to have the iptables rules stay in place after a reboot, you have to explicitly set that.

In CentOS, after your rules are in place, you can run:

/sbin/service iptables save

More info here: https://library.linode.com/securing-your-server#sph_creating-a-firewall (See point #10)

paintedbicycle
  • Tried `/sbin/service iptables save` and the tables still did not save after I restarted the server. – ConfusedDeer Jun 30 '14 at 13:54
  • @ConfusedDeer Have you been able to confirm that the rules are working after you save them, but then not after restart? When you run `sudo iptables -L` what do you see in both cases? View point #2 in that link to see an "empty" ruleset and compare it to yours. – paintedbicycle Jun 30 '14 at 13:58
  • After I apply the rules, save the IPTABLES, I confirm they changed by verifying port 3000 is now accepting requests and port 80 rqsts are being re-directed. I also copy the IPTABLES file to a text file, and I restart the server, putty back into my server and restart the node.js server and port 3000 is no longer accessible and port 80 rqsts are not being forwarded to port 3000. I go to the iptables file and do a diff and notice my changes are no longer there. I run the two commands listed and everything works again. – ConfusedDeer Jun 30 '14 at 14:02
  • @ConfusedDeer You'll need to also make sure the OS reloads the rules from the file you save them too during boot. The Linode guide does that in points 11-14 of the same section. Here is a link specifically for CentOS: http://unix.stackexchange.com/questions/71661/iptables-rules-not-reloading-on-centos-6-x – paintedbicycle Jun 30 '14 at 14:07
  • Thanks for your help. I'll try this out when I get back from work and update this ticket. – ConfusedDeer Jun 30 '14 at 14:15
  • It's working properly now with the tech support suggestion. – ConfusedDeer Jul 01 '14 at 14:16
3

I sent an email yesterday night (before I posted this question) and I finally got a response from a Linux Administrator at Host Gator (I'll update if this works):

Hello there!

HostGator has built a custom firewall that's in place by default on all VPS and dedicated server plans.

Luckily, there is a file in the firewall configuration that is meant to persist iptables configurations.

The file is this: /etc/firewall/INCLUDE

Just add your iptables lines to that file, and restart the firewall with service firewall restart. The iptables rules will persist.

Actually, I've gone ahead and added those lines to the file, so your iptables rules should load and persist now.

Please don't hesitate to follow up if you have any more questions or concerns.


I requested the following rules to be added when I called Host Gator, but it didn't work, because when he told me to add them I didn't put "iptables" before the rules. The following is what the Linux Admin at Host Gator added. I copied this text over from the /etc/firewall/INCLUDE file:

iptables INPUT -p tcp -m tcp --dport 3000 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -j acctboth
iptables -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3000

iptables -I INPUT -p tcp --dport 3000 --syn -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
ConfusedDeer
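A shell helper, added here as an example and not part of the thread, that writes the two rules from the question into HostGator's INCLUDE file only when they are not already there (so a redeploy does not stack duplicate rules at boot) and flags lines that cannot be a complete iptables command, such as the `iptables INPUT ...` line above that lacks `-A`. The /etc/firewall/INCLUDE path comes from the answer; the function names and the INCLUDE_FILE override are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Keeps the question's two rules in
# HostGator's /etc/firewall/INCLUDE idempotently and sanity-checks each line
# before it is trusted to run at boot. INCLUDE_FILE override is an assumption.
INCLUDE_FILE="${INCLUDE_FILE:-/etc/firewall/INCLUDE}"

# The rules from the question, exactly as they must appear in INCLUDE:
# each line invokes iptables with a chain action, a chain and a target.
RULES='iptables -I INPUT -p tcp --dport 3000 --syn -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000'

# Return 0 if a line looks like a complete iptables rule command: it names the
# binary, a chain action (-A/-I/-D/-R), and a target. The thread's broken line
# "iptables INPUT -p tcp ..." (no -A) and a line without "iptables" both fail.
check_rule_line() {
    line=$1
    case "$line" in
        iptables\ *) ;;                               # must invoke iptables
        *) return 1 ;;
    esac
    case "$line" in
        *" -A "*|*" -I "*|*" -D "*|*" -R "*) ;;       # must have a chain action
        *) return 1 ;;
    esac
    case "$line" in
        *" -j "*) return 0 ;;                         # must specify a target
        *) return 1 ;;
    esac
}

# Append each rule to the given file only if an identical line is absent,
# so running this on every deploy never duplicates rules at boot.
persist_rules() {
    file=$1
    touch "$file"
    printf '%s\n' "$RULES" | while IFS= read -r rule; do
        if ! grep -Fxq -- "$rule" "$file"; then
            printf '%s\n' "$rule" >> "$file"
        fi
    done
}

# Print the number of non-blank, non-comment lines in the file that fail
# check_rule_line; 0 means every line is a well-formed rule command.
count_bad_lines() {
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        check_rule_line "$line" || bad=$((bad + 1))
    done < "$1"
    echo "$bad"
}
```

Run `persist_rules "$INCLUDE_FILE"` followed by `count_bad_lines "$INCLUDE_FILE"` before `service firewall restart`; a non-zero count means a line would be ignored or rejected when the firewall script replays the file.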
1

I found several references on the Internet that indicate that HostGator installs a custom firewall script on their VPS and dedicated servers. However, I wasn't able to find any instructions on how it was installed or how to get rid of it. I would contact HostGator for further information, or consider switching to another provider.

Michael Hampton
    "Is it the default HG dedicated server setup? We have a script that is installed (/usr/sbin/firewall) that makes some iptables administration easier. If you add your rule to /etc/firewall/INCLUDE, it should work on reboot." From URL http://forums.hostgator.com/iptables-generation-problem-t110957.html?s=e51167fb78d03b72d9ef531eb7834e4d& – John Auld Jun 30 '14 at 15:58
  • That sounds the same as the information I was able to find. But I wouldn't recommend using their custom firewall _at all_. – Michael Hampton Jun 30 '14 at 15:59
  • I didn't notice that you posted this. It's essentially what they said in their response below. – ConfusedDeer Jun 30 '14 at 16:49