current community

your communities

more stack exchange communities

Stack Exchange
tour help
Take the 2-minute tour ×
Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems.. It's 100% free, no registration required.
up vote 7 down vote favorite
2

Editing this file directly

/etc/sysconfig/iptables

can save me so much headaches so much time and so on...

and yet on the very top of the file it says..

Manual customization of this file is not recommended.

here is the '/etc/sysconfig/iptables' that just came with a brand new centos 6.4 cloud server.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

to open port 80 i can simply clone the line..

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

and then change "22" to "80" and then save this file and then reboot the whole system.

this will open port 80 for me.

this is pretty simple operation. and yet the file says manual editing is not recommended.

why should i follow the advice ?

share|improve this question
add comment

2 Answers 2

up vote 8 down vote

Because the tool called system-config-firewall(or it´s ncurses based brother system-config-firewall-tui) manages this file. Every time you use this tool to create new iptables rules, it will overwrite /etc/sysconfig/iptables.

Related Manpage: 28.1.16. /etc/sysconfig/iptables-config

This is why it's not recommended, but not prohibited. The best way to save your rules using CentOS or any other EL version 6 is using the iptables service after your add some rules on memory:

# service iptables save

Related question: Why iptables does not fetch information from /etc/sysconfig/iptables on centOs?

Reasons to not edit this file(/etc/sysconfig/iptables) directly:

  • Because it is an auto-generated file. The contents of it comes from the script/daemon /etc/init.d/iptables.
  • Some actions like resetting or stopping the iptables daemon may result on data loss, since it will overwrite the file. Interesting variables on this subject: IPTABLES_SAVE_ON_STOP="" and IPTABLES_SAVE_ON_RESTART="" inside the /etc/sysconfig/iptables-config file. Maybe, tuning those will make your changes inside /etc/init.d/iptables persistent.
  • Because the documentation said so.Red Hat advises that this is the best method to use their firewall infrastructure.

An alternative solution to this "overwrite my firewall rules" mindf*** is to totally disable those scripts and rely on a customized method of managing the firewall, like the one exposed by goldilocks.

share|improve this answer
    
This sounds more like an argument against mix and matching editing the file directly and adding rules using the system-config-firewall tool. Can you expand on why it's bad to edit the file in lieu of ever using the tool? –  Michelle 2 days ago
    
Added additional info. Thanks for the tip @Michelle –  nwildner yesterday
add comment
up vote 4 down vote

and yet on the very top of the file it says..

Hmmm, that's strange. At the top of mine it says:

# Manual customization of this file is strongly encouraged.

Someone must have changed it ;) And in fact even moved it out of /etc/sysconfig so it would not get "auto uncustomized" by the package manager or anything else ;) ;)

I think the point here in general with such config files is if you don't know what you are doing, don't do it. Sometimes there is also the warning that the file does get overwritten by the system occasionally. This could be by the package manager on upgrades -- although sometimes the PM will note a file has been changed manually and not overwrite it, or save a copy, etc -- and it could be some other tool that is responsible for this configuration in particular (see nwildner's answer).

Part of "knowing what you are doing" is to be aware of angles like this. I also customized the init service for iptables to use a different location for the config file, and most importantly: I'm the only one that uses this computer.

Presuming there are other people with root access, I would not do this on a server I'm responsible for unless there was a better reason than "I prefer it this way", because it will likely lead to confusion and give someone else a headache at some point. But if you are the only user and no one else depends on the system, then you are free to do what you want. My "preferred method" for configuring the firewall looks like this:

#!/bin/bash

if [[ ! -n "$IPTSET_FILE" ]]; then
        IPTSET_FILE=/etc/iptables.current
fi

if [[ ! -e $IPTSET_FILE ]]; then
        echo "$IPTSET_FILE does not exist!"
        exit 1
fi

vim $IPTSET_FILE
iptables-restore < $IPTSET_FILE

/etc/iptables.current is created at boot by copying /etc/iptables (which the iptables service is configured to load initially). This way I can modify things on the fly while maintaining a reference point that the system starts from.

Which brings us to an important point, if you do want to fool around with configurations that contain this sort of warning: Always create a backup copy of the original first.

share|improve this answer
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.