DevHeads.net

Centos 7 - iptables service failed to start

Hello all:

I did a fresh install of CentOS 7 on a new machine.

I wrote /usr/local/bin/firewall.stop to remove all the firewall rules.
It contains this code:
# Flush the rules
/usr/sbin/iptables -F

# Set the default policies to accept
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

I wrote /usr/local/bin/firewall.start to set the firewall rules.
It contains this code:
# IP definitions
ETH0_IP=a.b.c.d

# Load the FTP conntrack module
/usr/sbin/modprobe nf_conntrack_ftp

# Set the default policies to drop all packets
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP

# Flush any existing rules
/usr/sbin/iptables -F

# Allow loopback traffic
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Allow icmp protocol packets
/usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

[ Additional allow rules here ]

If I run the firewall.start script manually, it sets the iptables rules
correctly.
If I run the firewall.stop script manually, it removes the iptables rules
correctly.

The problem comes in when I am trying to execute this from systemd.

I wrote /etc/systemd/system/firewall.service with this content:

[Unit]
Description=Iptables firewall
Before=network.target
Wants=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/firewall.start
ExecStop=/usr/local/bin/firewall.stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Now, when I run systemctl start firewall.service, I get this output:
Job for firewall.service failed. See 'systemctl status firewall.service' and
'journalctl -xn' for details.

If I do systemctl status firewall.status, it gives me:
firewall.status.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)

journalctl -xn gives me this output:
Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables
firewall...
-- Subject: Unit firewall.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Comments

Re: Centos 7 - iptables service failed to start

By Adam King at 08/11/2014 - 07:39

Try systemctl stop firewalld, I had to disable that too

Adam King
IT Systems Administrator
Skipton Girls High School
01756 707600
www.sghs.org.uk


Re: Centos 7 - iptables service failed to start

By Stephen Harris at 08/10/2014 - 06:09

On Sat, Aug 09, 2014 at 10:21:33PM -0500, Neil Aggarwal wrote:
You are missing a first line:
#!/bin/sh

And that's the error expected.

Re: Centos 7 - iptables service failed to start

By Neil Aggarwal at 08/09/2014 - 23:30

Hey everyone:

I just realized I forgot to put #!/bin/sh at the top of my firewall
scripts. I added that and it is working perfectly fine now.

Sorry for any trouble.

Thanks,
Neil

Re: Centos 7 - iptables service failed to start

By Dennis J. at 08/10/2014 - 07:12

On 10.08.2014 05:30, Neil Aggarwal wrote:
You might want to look into using the regular iptables service instead
of custom firewall scripts. The service uses iptables-save and
iptables-restore which are designed to install all iptables rules
atomically.
If you end up with a typo in your script you end up with a partially
initialized firewall but iptables-restore first parses the entire rule
set and doesn't touch the current rules at all if it finds an error
making the process much more robust.

Regards,
Dennis
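
A combined version of the two scripts along the lines Dennis suggests, as an added example that is not code from the original post or from the CentOS iptables service: it keeps the interpreter line that Stephen and Neil identified as the missing piece, renders the rule set in iptables-save(8) format instead of issuing one iptables call per rule, and loads it through iptables-restore so that a typo is rejected before any rule changes. The interface name, the 192.0.2.10 placeholder address, the ESTABLISHED,RELATED rules and the check_rules whitelist are assumptions made for this example, not taken from the post; the post's remaining allow rules are only marked by a comment.

```shell
#!/bin/sh
# Added example, not the code from the original post.
# One firewall script that renders the rule set in iptables-save(8) format
# and loads it with iptables-restore, so the whole table is parsed, checked
# and swapped in one step instead of one iptables call at a time.
#
# The first line above is the one the original scripts lacked: systemd runs
# ExecStart= with execve(), which rejects a text file that has no interpreter
# line, whereas an interactive shell silently falls back to running it itself.
set -eu

# Assumed values: the original post elides the real address as a.b.c.d.
ETH0_IF="${ETH0_IF:-eth0}"
ETH0_IP="${ETH0_IP:-192.0.2.10}"  # RFC 5737 documentation range, a placeholder

# Render the complete filter table. Policies are part of the same atomic
# load as the rules, so there is no moment where the box is wide open or
# where DROP is in place with no allow rules yet.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# ICMP to and from the primary address
-A INPUT -i ${ETH0_IF} -d ${ETH0_IP} -p icmp -j ACCEPT
-A OUTPUT -o ${ETH0_IF} -s ${ETH0_IP} -p icmp -j ACCEPT
# Added here, not in the original: let replies to accepted connections
# through, the usual companion of a DROP policy and of nf_conntrack_ftp.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# (the remaining allow rules of the original post would follow here)
COMMIT
EOF
}

# The "stop" rule set: accept everything, no rules.
render_open_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Cheap offline sanity check of a rules file read from stdin: only the line
# shapes our renderers emit are allowed, and every *table needs its COMMIT.
# It catches the common mistake of pasting "iptables -A ..." commands into
# a restore file. Returns 0 when the file looks well formed.
check_rules() {
    tables=0 commits=0 bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;                              # blank or comment
            '*'*)    tables=$((tables + 1)) ;;       # *filter, *nat, ...
            ':'*)    ;;                              # :CHAIN POLICY [pkts:bytes]
            COMMIT)  commits=$((commits + 1)) ;;
            '-A '*|'-I '*|'-N '*) ;;                 # rule and chain definitions
            *) echo "check_rules: unexpected line: $line" >&2; bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Load a rendered rule set. iptables-restore --test parses and builds the
# whole thing without committing, so a bad line aborts here and the running
# rules are untouched; the real restore then replaces the filter table in one
# commit. Needs root and the iptables package.
load_rules() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    "$1" > "$tmp"
    check_rules < "$tmp"
    /usr/sbin/modprobe nf_conntrack_ftp
    /usr/sbin/iptables-restore --test "$tmp"
    /usr/sbin/iptables-restore "$tmp"
}

case "${1:-}" in
    start)  load_rules render_rules ;;
    stop)   load_rules render_open_rules ;;
    render) render_rules ;;
    check)  render_rules | check_rules ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 start|stop|render|check" >&2; exit 2 ;;
esac
```

Installed as one file (say /usr/local/bin/firewall), the unit from the post needs only ExecStart=/usr/local/bin/firewall start and ExecStop=/usr/local/bin/firewall stop. Because iptables-restore replaces the whole filter table in a single commit, the explicit -F and the careful ordering of -P before -F in the original start script are no longer needed, and the --test pass is what turns a broken file into a clean failure that leaves the previous rules in place rather than a half-applied firewall.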