Cannot get iptables-restore to run during startup

Hi,
I am trying to add a webserver to my desktop Fedora machine, and in order to do so I need ports 80 and 443 to be open. I can achieve this by using iptables, and I saved my configuration to a file (/root/iptables_rules). When I reboot the computer, I can type iptables-restore < /root/iptables_rules to restore the previously set rules. However, when I put that command in /etc/rc.local it seems to have no effect. The permissions on /root/iptables_rules are -rw-r--r-- (owner root:root).
I have also tried putting the command in a systemd unit which runs after network, which also had no effect. Does anyone know what might be causing this/how I can fix it?

Thanks.

Hi,

On systemd the rc-local service needs to be enabled:

sudo systemctl enable rc-local

Also the service file expects rc.local to be in:

/etc/rc.d/

Thanks Tom.

Thanks. systemctl says:
The unit files have no installation config (WantedBy = etc. ). This means they are not meant to be enabled using systemctl.

Hi,

Sorry I forgot, for some reason or another the package provided systemd unit file is missing the installation config. Easily fixed by creating a unit file in /etc/systemd/system, to prevent it being overwritten in future updates:

/etc/systemd/system/rc-local.service

should contain:

[Unit]
Description=/etc/rc.d/rc.local Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable=/etc/rc.d/rc.local
After=network.target

[Service]
Type=forking
ExecStart=/etc/rc.d/rc.local start
TimeoutSec=0
RemainAfterExit=yes
GuessMainPID=no

[Install]
WantedBy=multi-user.target

Now issuing sudo systemctl enable rc-local should work.

Thanks Tom.

OK, now I'm getting "/root/iptables_rules: permission denied" (from systemctl status). It works when I run rc.local as root from the command line.

Hi,

Could try adding:

User=root
Group=root

To the start of the service section, shouldn’t be required; unit file works here, only difference is the rules file path:

/etc/sysconfig/iptables

Thanks Tom.

That still doesn’t work, but the systemctl start works when selinux is disabled

Hi,

So restoring the iptables rules now works, with SELinux disabled? This makes sense; it's disabled on the system here as it's running Pi-hole.

Sorry selinux is beyond my knowledge.

Thanks Tom.

Ok, thanks for your help so far

sudo dnf install iptables-services
sudo systemctl --now mask firewalld.service
sudoedit /etc/sysconfig/iptables /etc/sysconfig/ip6tables
sudo systemctl --now enable iptables.service ip6tables.service

Thank you, that worked! Is the firewall disabled now, and is that a problem?
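An added example, not posted by anyone in this thread, showing what the file the last answer has you edit can look like and a sanity check to run before enabling iptables.service. Two points it is meant to make about the question above: once firewalld.service is masked, the rules in /etc/sysconfig/iptables are the whole firewall, so the file needs a DROP default policy on INPUT rather than just two ACCEPT lines for 80 and 443; and the "permission denied" seen earlier is consistent with SELinux confining iptables started from a service and denying it a file under /root, which /etc/sysconfig/iptables avoids (the AVC denials, if any, are visible with ausearch -m avc -ts recent). The script assumes iptables-services is installed, that SSH on port 22 should stay reachable, and that iptables-restore --test is available for a parse-only check; the ruleset and the port list are constructed for this example.

```shell
#!/bin/sh
# Added example: a minimal /etc/sysconfig/iptables ruleset (iptables-save
# format) plus a pre-flight check. Assumes iptables-services is installed
# and that SSH (22) should stay open alongside the web ports 80 and 443.

# Print the ruleset. INPUT and FORWARD default to DROP, so only what is
# explicitly accepted below is reachable; OUTPUT stays ACCEPT.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Sanity-check a ruleset file before it becomes the live firewall:
#  - INPUT policy must be DROP (otherwise masking firewalld left the host open)
#  - every *table must be closed by a COMMIT
#  - only the expected TCP ports may be opened
#  - if iptables-restore is present and we are root, let it parse the file
# Prints the failing check and returns 1; returns 0 when everything passes.
check_rules() {
    f=$1
    grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP"; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -eq "$commits" ] || { echo "table/COMMIT mismatch"; return 1; }
    opened=$(grep -o -- '--dport [0-9]*' "$f" | awk '{print $2}' | sort -n | tr '\n' ' ')
    [ "$opened" = "22 80 443 " ] || { echo "unexpected ports: $opened"; return 1; }
    # Parse-only check with the real tool (assumed available as --test); it
    # still needs root to open the netfilter socket, so skip when not root.
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test < "$f" || { echo "iptables-restore rejected the file"; return 1; }
    fi
    return 0
}

# Usage (as root), matching the steps in the answer above:
#   gen_rules > /etc/sysconfig/iptables
#   check_rules /etc/sysconfig/iptables && systemctl --now enable iptables.service
```

After enabling the service, `iptables -S INPUT` should show `-P INPUT DROP` followed by the accept lines; if it shows `-P INPUT ACCEPT` and no rules, the service did not load the file and `systemctl status iptables.service` will say why.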