I recently setup a CentOS 6.3 server on Linode.com. One of the first things I wanted to do was lock it down with iptables. Unfortunately iptables was not starting cleanly. Specifically, It was failing here:
Iptables Error - Setting Chains To Policy ACCEPT: Security Raw Nat Mangle Filter [FAILED]
It turns out that was happening due to the paravirt kernel having a “security” chain compiled into it, and the default “iptables” init script included with CentOS does not know how to handle it.
After a bit of searching I found a patch for the init script, posted by one of the Linode support guys. The original link was dead, but further digging found another copy. It was created for CentOS 5, but worked fine with CentOS 6. So here it goes:
--- 5350.orig.sh 2011-05-27 19:58:32.000000000 +0100 +++ 5350.sh 2011-05-27 19:57:32.000000000 +0100 @@ -120,6 +120,12 @@ for i in $tables; do echo -n "$i " case "$i" in + security) + $IPTABLES -t security -P INPUT $policy \ + && $IPTABLES -t security -P OUTPUT $policy \ + && $IPTABLES -t security -P FORWARD $policy \ + || let ret+=1 + ;; raw) $IPTABLES -t raw -P PREROUTING $policy \ && $IPTABLES -t raw -P OUTPUT $policy \
patch -u /etc/init.d/iptables centos.iptables.patch
Jay Everson has over 20 years experience supporting production infrastructure and software R&D Labs. He has 12+ years experience in management and has also spent time in Software Engineer, Infrastructure Architect and Team Lead roles.
