
New Port do not persist configured in Iptables after gateway reboot

Article ID: 240231

Products

CA API Gateway

Issue/Introduction

We've configured a new port (10050) in the firewall rules through the Policy Manager interface. This port is used by the Zabbix agent.

We have a gateway cluster, and some nodes configure this port in iptables during the restart while others do not.

In the examples below, host editedx053 is not configuring port 10050 in iptables, while editedx054 is OK.

Looking in files, we see that both nodes have the port 10050 configured in gateway files:

##########################################################################

[[email protected] firewall]# cat rules.d/e45b76553f4cee8322880ff02a7f2b5f-listen_ports
*filter
[0:0] -A INPUT  -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT

[[email protected] firewall]#

[[email protected] firewall]# cat rules.d/c4c5a4dd2ab8e516499bd5755aaa59c5-firewall_rules
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT

[[email protected] firewall]#

[[email protected] firewall]# cat iptables-extras
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT

*filter
[0:0] -A INPUT  -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT

[[email protected] firewall]#

###########################################################################

[[email protected] firewall]# cat rules.d/e45b76553f4cee8322880ff02a7f2b5f-listen_ports
*filter
[0:0] -A INPUT  -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT

[[email protected] firewall]#

[[email protected] firewall]# cat rules.d/c4c5a4dd2ab8e516499bd5755aaa59c5-firewall_rules
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT

[[email protected] firewall]#

[[email protected] firewall]#  cat iptables-extras
*filter
[0:0] -A INPUT --protocol tcp --destination-port 8777 -j ACCEPT
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT
COMMIT

*filter
[0:0] -A INPUT  -p tcp -m tcp --dport 8443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 9443 -j ACCEPT
[0:0] -A INPUT  -p tcp -m tcp --dport 2124 -j ACCEPT
COMMIT

[[email protected] firewall]#

############################################################################

But when the gateway starts, node editedx053 doesn't configure port 10050, so we add it to iptables manually to get the Zabbix agent working.

In the file iptables-combined we can see a difference:

[[email protected] firewall]# cat iptables-combined
# Generated by iptables-save v1.4.21 on Fri Oct 15 22:09:13 2021
*filter
:INPUT DROP [46:1472]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [179329:17804176]
:badflags - [0:0]
:portdrop - [0:0]
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

[...]

[[email protected] firewall]# grep 10050 iptables-combined
[[email protected] firewall]#

[[email protected] firewall]# cat iptables-combined
# Layer 7 supplied iptables config for the API Gateway Appliance
# /etc/sysconfig/iptables
# Modification of this file is not recommended
# as our system manipulates these rules live
#
# Design:
# This is a drop all system
#
# If the port and/or interface doesn't explicitly allow the packet

[...]

[[email protected] firewall]# grep 10050 iptables-combined
[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT

[[email protected] firewall]#

So it seems that the iptables file on the gateway that doesn't open port 10050 wasn't generated by the gateway and doesn't contain the port 10050 rule.

I think it could be caused by a manual change in iptables, but is there a way to fix this?

For monitoring to run properly we needed to add the port manually, but every time the gateway is restarted port 10050 disappears from iptables and we have to add it manually again.

Cause

The "iptables-save" tool seems to have removed the read permissions from the /etc/sysconfig/iptables file, leaving it readable only by the root user (which may be why the ssg was not able to use it on restart).

Environment

Release : 10.0

Resolution

1. Copy /etc/sysconfig/iptables from a working node.

2. Back up the file on the problematic server.

The old iptables file is also backed up to /etc/sysconfig/iptables.save.

3. Copy the iptables file into the same location (/etc/sysconfig/iptables) on the non-working server.

4. Add the proper permissions to the file:

  run "chmod +r /etc/sysconfig/iptables"

5. There is no need to reboot the server. However, if you want to test the change, reboot the gateway server; the iptables configuration will now persist after the restart.
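As an added example (not code from this article or from the gateway product), the following POSIX shell check verifies on a node that the persisted iptables file both contains the ACCEPT rule for the port and is still readable after step 4, exercised here against constructed sample files that mimic the two nodes above; the /etc/sysconfig/iptables path and port 10050 come from the article, the function names are mine.

```shell
#!/bin/sh
# Added example, not from the KB article or the gateway product: audit a
# persisted iptables file for the two problems described above, a missing
# ACCEPT rule for the port and a file left readable only by root (mode 600).
# Assumptions: the gateway reads /etc/sysconfig/iptables at restart and the
# Zabbix agent port is 10050 (both from the article); function names are mine.

# 0 when FILE holds an INPUT ACCEPT rule for tcp PORT, in either syntax the
# gateway writes (-m tcp --dport N, or --protocol tcp --destination-port N).
port_rule_present() {
    file="$1"; port="$2"
    grep -Eq "^(\[[0-9]+:[0-9]+\] )?-A INPUT .*(--dport|--destination-port) ${port}( |$).*-j ACCEPT" "$file"
}

# 0 when group or other has the read bit, i.e. "chmod +r" has been applied.
# Parses ls -ld rather than using test -r, which is always true for root.
file_readable_by_all() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit code: 0 = rule present and file readable, 1 = rule missing,
# 2 = file readable only by root (the Cause section's symptom), 3 = both.
check_persisted_port() {
    file="$1"; port="$2"; rc=0
    port_rule_present "$file" "$port" || { echo "MISSING: no ACCEPT rule for tcp/$port in $file"; rc=1; }
    file_readable_by_all "$file" || { echo "PERMS: $file is root-only, run: chmod +r $file"; rc=$((rc + 2)); }
    if [ "$rc" -eq 0 ]; then echo "OK: tcp/$port is persisted in $file and the file is readable"; fi
    return "$rc"
}

# Constructed sample files mimicking the two nodes in the article: the good
# node's file carries the 10050 rule and is world-readable, the bad node's
# file lacks the rule and was left with mode 600.
SAMPLES=$(mktemp -d)
GOOD="$SAMPLES/iptables-good"; BAD="$SAMPLES/iptables-bad"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '[0:0] -A INPUT --protocol tcp --destination-port 10050 -j ACCEPT' \
    '[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT' 'COMMIT' > "$GOOD"
printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '[0:0] -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT' 'COMMIT' > "$BAD"
chmod 644 "$GOOD"; chmod 600 "$BAD"

check_persisted_port "$GOOD" 10050 || true
check_persisted_port "$BAD" 10050 || true   # on a real node: check_persisted_port /etc/sysconfig/iptables 10050
```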

Additional Information

1) If the rules were saved with:

iptables-save > /etc/iptablesRules.v2

they can be reloaded from the saved file, even after the machine has restarted, with:

iptables-restore < /etc/iptablesRules.v2

2) iptables Service for RedHat Enterprise Linux (RHEL) and CentOS


RHEL/CentOS also offer simple methods to permanently save iptables rules for IPv4 and IPv6.
There is a service called "iptables"; it must be enabled:

# chkconfig --list | grep iptables
  iptables        0:off 1:off 2:on 3:on 4:on 5:on 6:off

# chkconfig iptables on

The rules are saved in /etc/sysconfig/iptables for IPv4 and in /etc/sysconfig/ip6tables for IPv6.

You may also use the init script to save the current rules:

# service iptables save

After saving this way, check the permissions on /etc/sysconfig/iptables again (step 4 of the Resolution), since the Cause section above notes that the saved file can end up readable only by root.