
Why, after installing iptables from scratch or upgrading iptables, does chkconfig show the iptables service as on?

How can we avoid chkconfig turning iptables on after installing/upgrading iptables?

  • Remark: we want to avoid having to run chkconfig iptables off after installing iptables.

Real example from my Red Hat machine, version 6:

# service iptables status
Firewall is stopped.

# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

# chkconfig iptables off

# chkconfig --list | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off



# yum remove iptables
.
.
.


# chkconfig --list | grep iptables

shows nothing (as it should)



# yum install iptables
.
.
.

After iptables was installed successfully, we can see that chkconfig is on. Why?

# chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

The critical problem with this is:

After reboot the iptables service will be running, and we want to avoid this.

Please advise how to avoid iptables being chkconfig on after installing the iptables package.

King David
  • You could just remove the startup links in the corresponding /etc/rcX.d folders, or try `chkconfig --del` instead of `chkconfig off`. – Broco Sep 20 '16 at 12:52
  • chkconfig --del gives the same results; I mean after a fresh iptables installation and reboot the service will be up – King David Sep 20 '16 at 12:56
  • I don't really get what you're trying to achieve. Why do you install iptables and then disable it? Also, why do you even install it if you don't want to use it? When you install iptables it creates the links for you; this is the default behaviour. – Broco Sep 20 '16 at 12:59
  • Hi, we install all the patches via Red Hat Satellite, so we can't identify on which machines iptables is installed (we have around 870 Linux machines, so this is not simple) – King David Sep 20 '16 at 13:01
  • With Satellite you should know exactly what is installed on each machine. Your Errata should link to only those systems that are impacted, and those are the ones that you apply it to. – HBruijn Sep 20 '16 at 13:09
  • We'd prefer not to disable the iptables RPM in Satellite; we need to install all RPMs as security bug fixes and so on, on all machines. – King David Sep 20 '16 at 13:13

2 Answers


Your question as to why the iptables service gets enabled is quite simple to answer:

rpm -q --scripts iptables

...
postinstall scriptlet (using /bin/sh):
   /sbin/ldconfig
   /sbin/chkconfig --add iptables

The postinstall script included in the RPM package calls chkconfig to enable the service.

Yum does not provide an option not to run postinstall scripts, but rpm does: download the RPM, then install it manually.

yumdownloader iptables
rpm -i --noscripts iptables.x86_64.x.y-z.rpm
HBruijn
  • Hi HBruijn. So what you're saying is that after iptables installation we need to perform chkconfig iptables off on all our Red Hat machines (around ~900), otherwise after reboot the firewall will be active (+1 for your answer) – King David Sep 20 '16 at 13:08
  • If you want to install iptables but not run a firewall, yes. But the default firewall that gets installed is one that permits everything anyway... – HBruijn Sep 20 '16 at 13:12
  • HBruijn, what do you think about this way: rename the file /etc/sysconfig/iptables to /etc/sysconfig/iptables-orig; in this case the iptables service will not run after reboot. What do you say? – King David Sep 20 '16 at 13:15
  • You should be upgrading iptables only on systems that have it installed already. There is no need to install it on all your systems if you're just going to disable it. `-|-` The `/sbin/chkconfig --add iptables` in the postinstall won't change systems that already run with a disabled iptables service, but blindly disabling the iptables service on systems that do have it configured might be just as bad. – HBruijn Sep 20 '16 at 13:28
  • Disabled iptables service: you mean to do chkconfig iptables off, or to move the file /etc/init.d/iptables out of /etc/init.d? – King David Sep 20 '16 at 13:35
  • Indeed, disabling the iptables service with `chkconfig iptables off` is the correct way. Your idea breaks things and will trip you up in the future. – HBruijn Sep 20 '16 at 13:40
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/45648/discussion-between-jogeff-and-hbruijn). – King David Sep 20 '16 at 13:45
  • Yes, but as I explained, chkconfig iptables off will not help in the case of installing a new version of iptables; after reboot iptables will be running. Or maybe I'm missing something here :-( – King David Sep 20 '16 at 13:49
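To make the mechanism behind this answer concrete, here is an added example that is not part of the thread and not the code of chkconfig or of the iptables package: a small shell model of what `chkconfig --add` does with the `# chkconfig: <levels> <start-prio> <kill-prio>` header of a SysV init script, played out in a throw-away directory instead of /etc. It assumes the RHEL 6 header `# chkconfig: 2345 08 92` and that `yum remove` drops the rc links via `chkconfig --del` in the package's %preun scriptlet, which matches the empty `chkconfig --list` output in the question but is not shown on this page. The fake init script and all paths are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): model of `chkconfig --add` in a fake /etc tree.
# Shows why a fresh install comes up enabled at runlevels 2-5 while the same %post
# does not re-enable a service that was already turned off.
set -eu

ROOT=$(mktemp -d)                 # stands in for /etc
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/init.d"
for lvl in 0 1 2 3 4 5 6; do mkdir -p "$ROOT/rc$lvl.d"; done

# Constructed init script carrying the header RHEL 6's /etc/init.d/iptables uses.
cat > "$ROOT/init.d/iptables" <<'EOF'
#!/bin/sh
# chkconfig: 2345 08 92
# description: fake iptables init script for the demo
exit 0
EOF

# hdr SVC: print the chkconfig header line of SVC's init script.
hdr() { grep '^# chkconfig:' "$ROOT/init.d/$1" | head -n 1; }

# has_link SVC LEVEL: true if rcLEVEL.d already holds an S or K link for SVC.
has_link() { ls "$ROOT/rc$2.d"/[SK][0-9][0-9]"$1" >/dev/null 2>&1; }

# fake_add SVC: model of `chkconfig --add SVC` (what the RPM %post runs).
# Only runlevels with no link at all get one: S<prio> in the header's default
# levels, K<prio> elsewhere.  A K link left by `chkconfig SVC off` is kept.
fake_add() {
    svc=$1
    set -- $(hdr "$svc")          # -> "#" "chkconfig:" "2345" "08" "92"
    levels=$3 spri=$4 kpri=$5
    for lvl in 0 1 2 3 4 5 6; do
        has_link "$svc" "$lvl" && continue
        case "$levels" in
            *"$lvl"*) ln -s "../init.d/$svc" "$ROOT/rc$lvl.d/S$spri$svc" ;;
            *)        ln -s "../init.d/$svc" "$ROOT/rc$lvl.d/K$kpri$svc" ;;
        esac
    done
}

# fake_off SVC: model of `chkconfig SVC off`: every S link becomes a K link.
fake_off() {
    svc=$1
    set -- $(hdr "$svc")
    kpri=$5
    for lvl in 0 1 2 3 4 5 6; do
        for link in "$ROOT/rc$lvl.d"/S[0-9][0-9]"$svc"; do
            [ -L "$link" ] || continue
            rm -f "$link"
            ln -s "../init.d/$svc" "$ROOT/rc$lvl.d/K$kpri$svc"
        done
    done
}

# fake_del SVC: model of `chkconfig --del SVC` (assumed to run from %preun on
# `yum remove`): all links vanish, so the next --add starts from scratch.
fake_del() { rm -f "$ROOT"/rc[0-6].d/[SK][0-9][0-9]"$1"; }

# state SVC: the "0:off 1:off 2:on ..." summary that `chkconfig --list SVC` prints.
state() {
    out=
    for lvl in 0 1 2 3 4 5 6; do
        if ls "$ROOT/rc$lvl.d"/S[0-9][0-9]"$1" >/dev/null 2>&1
        then out="$out$lvl:on "; else out="$out$lvl:off "; fi
    done
    printf '%s\n' "${out% }"
}

# starts_at_boot SVC: exit 0 if SVC is on at any multi-user runlevel (2-5).
starts_at_boot() {
    case "$(state "$1")" in *[2345]:on*) return 0 ;; *) return 1 ;; esac
}

# The sequence from the thread: fresh install, chkconfig off, upgrade, remove + reinstall.
fake_add iptables;  printf '%-18s %s\n' 'fresh install:'     "$(state iptables)"
fake_off iptables;  printf '%-18s %s\n' 'chkconfig off:'     "$(state iptables)"
fake_add iptables;  printf '%-18s %s\n' 'upgrade (%post):'   "$(state iptables)"
fake_del iptables; fake_add iptables
                    printf '%-18s %s\n' 'remove+reinstall:'  "$(state iptables)"
```

The third line of output is the point HBruijn makes in the comments: `chkconfig --add` on a service whose runlevels already carry K links changes nothing, so an upgrade leaves a disabled service disabled; only the remove-then-install path (no links at all) comes up enabled. Real chkconfig also handles LSB headers and priority resets that this model omits. Note too that `rpm -i --noscripts` from the answer skips the entire scriptlet, including the `/sbin/ldconfig` call shown next to `chkconfig --add`.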

Well, if you can't control the behaviour of the RPM that keeps re-enabling the service, you should configure iptables to meet your needs.

The easiest way would be to just comment out every line in /etc/sysconfig/iptables. This will not load any rule and should be equivalent to not running.
Just moving or deleting it is no solution, as the file will be installed by iptables-services on update or reinstall.

Thomas
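As an added example illustrating this answer (my script, not Thomas's code and not shipped by any Red Hat package): a shell script that neutralises an iptables-save style /etc/sysconfig/iptables in place. It does a little more than commenting out every line: rule lines (`-A`, `-I`, `-D`, `-R`) are commented out, the built-in chain policy lines are rewritten to ACCEPT, and the `*filter` / `COMMIT` framing is kept so the file stays valid `iptables-restore` input. The reason for touching the policy lines is the failure mode a practitioner cares about: commenting out only the `-A` rules while a `:INPUT DROP [0:0]` line stays active drops all inbound traffic. The sample rule set is constructed here, and the `.orig` backup name is my choice.

```sh
#!/bin/sh
# Added example (not from the thread): neutralise an iptables-save file so that
# `service iptables start` loads no rules and every built-in chain is ACCEPT.
set -eu

# Constructed sample in iptables-save format, modelled on a RHEL 6 default file.
sample_rules() {
cat <<'EOF'
# Firewall configuration written by system-config-firewall
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# active_rules FILE: number of rule lines iptables-restore would still apply.
active_rules() { grep -c '^-[AIDR] ' "$1" || true; }

# non_accept_policies FILE: built-in chains whose policy is not ACCEPT, one per line.
# (User-defined chains have "-" as policy and are ignored.)
non_accept_policies() {
    grep '^:[A-Z]* [A-Z][A-Z]* ' "$1" | grep -v ' ACCEPT ' | sed 's/^:\([A-Z]*\) .*/\1/'
}

# neutralize FILE: comment out every rule line and force built-in chain policies
# to ACCEPT, keeping *table and COMMIT lines intact.  The first original is kept
# as FILE.orig; the file's inode and mode are preserved by writing through cat.
neutralize() {
    [ -e "$1.orig" ] || cp -p "$1" "$1.orig"
    sed -e 's/^\(-[AIDR] .*\)$/# disabled: \1/' \
        -e 's/^\(:[A-Z]*\) [A-Z][A-Z]* \(\[.*\]\)$/\1 ACCEPT \2/' \
        "$1" > "$1.tmp"
    cat "$1.tmp" > "$1"
    rm -f "$1.tmp"
}

# Demo on a temporary copy; on a real host the target is /etc/sysconfig/iptables.
demo() {
    f=$(mktemp)
    sample_rules > "$f"
    printf 'before: %s rules, non-ACCEPT policies: %s\n' \
        "$(active_rules "$f")" "$(non_accept_policies "$f" | tr '\n' ' ')"
    neutralize "$f"
    printf 'after:  %s rules, non-ACCEPT policies: %s\n' \
        "$(active_rules "$f")" "$(non_accept_policies "$f" | tr '\n' ' ')"
    rm -f "$f" "$f.orig"
}
demo
```

Because the neutralised file still parses, `service iptables start` succeeds and reports the usual status, which is what you want when a fleet-wide health check complains about a failed service; the difference from "not running" is that the netfilter modules are loaded, with everything at ACCEPT. Keep the `.orig` copy if you may want the rules back, and re-run `active_rules` and `non_accept_policies` after any package upgrade in case the file was replaced.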