30

Specifically

I have an iptables ruleset defined on a server running CentOS. Am I guaranteed / can I guarantee / how can I guarantee that when networking comes online (either at machine boot, or after restarting the network service) the iptables ruleset is already applied (and if iptables failed to start up or failed to apply the ruleset the network interface will fail to come up)?

(I know this is a noob question, but I've never run a server on anything but trusted networks behind a masquerading DHCP NAT and a firewall, so... expect noob questions from noobs.)

3 Answers

18

Out of the box, you are guaranteed that iptables will start before the interface is brought up by the order of the startup scripts. Look at the "chkconfig" line in each startup script and you will see the runlevels it is "on" when active, the start order, and the stop order.

You are not guaranteed that the interface will not be brought up if the iptables ruleset was not applied properly (or at all).

Example:

chkconfig: 2345 08 92

This line states that the service in question will be active in runlevels 2, 3, 4, and 5, and will start at 8 and stop at 92. Anything with a greater "start" value will start only after this script completes, but this script erroring out is considered a completion and will not prevent downstream scripts from running.

Please note this answer applies to CentOS 6 and earlier, not necessarily to CentOS 7. I haven't personally researched 7 sufficiently to answer this question for 7.

John
1

You can also use the ifup-post option in CentOS:

/etc/sysconfig/network-scripts/ifup-post

Called when any network device EXCEPT a SLIP device comes up. Calls /etc/sysconfig/network-scripts/ifup-routes to bring up static routes that depend on that device. Calls /etc/sysconfig/network-scripts/ifup-aliases to bring up aliases for that device. Sets the hostname if it is not already set and a hostname can be found for the IP for that device. Sends SIGIO to any programs that have requested notification of network events.

Could be extended to fix up nameservice configuration, call arbitrary scripts, etc, as needed.

This script runs after the above (ifup-routes and ifup-aliases) and then looks for ifup-local:

# from /etc/sysconfig/network-scripts/ifup-post; DEVICE is the interface just brought up
if [ -x /sbin/ifup-local ]; then
   /sbin/ifup-local ${DEVICE}
fi

So you can create this file and make sure it calls iptables again, for example using iptables-restore:

iptables-restore < /etc/sysconfig/iptables
Moti
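A fuller version of this hook, added here as an example and not part of Moti's answer: it re-applies the saved ruleset whenever a device comes up and, if iptables-restore rejects or fails to load the file, takes the device back down so the host does not stay reachable without its rules (the fail-closed behaviour the question asks about). It assumes the CentOS 6 ifup-post calling convention shown above (device name as the first argument), rules saved at /etc/sysconfig/iptables, and that running ifdown on the same device is an acceptable reaction; RULES_FILE, RESTORE_CMD and IFDOWN_CMD are hypothetical overrides added only so the logic can be exercised without touching live tables.

```shell
#!/bin/sh
# /sbin/ifup-local (example hook; ifup-post invokes it as: ifup-local $DEVICE)
# Re-applies the saved ruleset every time a device comes up and, unlike the
# stock init ordering, fails closed: if the rules cannot be loaded the device
# is taken back down instead of being left unfiltered.

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"   # assumed save location
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"        # override for testing
IFDOWN_CMD="${IFDOWN_CMD:-ifdown}"                    # override for testing

log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t ifup-local "$*" 2>/dev/null || :
    fi
    echo "ifup-local: $*" >&2
}

# Validate the rules file with --test first (parse only, nothing committed),
# then load it for real. Returns non-zero if either step fails.
apply_ruleset() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        log_msg "rules file $rules is missing or unreadable"
        return 2
    fi
    "$RESTORE_CMD" --test < "$rules" || return $?
    "$RESTORE_CMD" < "$rules"
}

# Apply the ruleset for device $1; on failure bring the device down again.
guard_interface() {
    dev="$1"
    if apply_ruleset "$RULES_FILE"; then
        log_msg "ruleset from $RULES_FILE applied, $dev stays up"
        return 0
    fi
    log_msg "ruleset NOT applied, taking $dev down"
    "$IFDOWN_CMD" "$dev"
    return 1
}

# Only act when invoked as the hook itself, so the functions above can be
# sourced elsewhere without side effects.
case "$0" in
    */ifup-local) guard_interface "$1" ;;
esac
```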
1

A little addendum: to ensure the needed rules will be there next time you boot the server, save them with

sudo sh -c "iptables-save > /etc/iptables.rules"
manu