Fun with iptables

I recently set up a CentOS 6.3 server on Linode.com. One of the first things I wanted to do was lock it down with iptables. Unfortunately, iptables was not starting cleanly. Specifically, it was failing here:

Iptables Error - Setting Chains To Policy ACCEPT: Security Raw Nat Mangle Filter [FAILED]

It turns out that this was happening because the Linode paravirt kernel has the “security” table compiled into it, and the default “iptables” init script shipped with CentOS does not know how to set a policy on that table, so the “Setting chains to policy ACCEPT” step fails.

After a bit of searching I found a patch for the init script, posted by one of the Linode support staff. The original link was dead, but further digging turned up another copy. It was written for CentOS 5 but worked fine on CentOS 6. Here it is:

  • Create a file named centos.iptables.patch that contains:
--- 5350.orig.sh 2011-05-27 19:58:32.000000000 +0100
+++ 5350.sh 2011-05-27 19:57:32.000000000 +0100
@@ -120,6 +120,12 @@
 for i in $tables; do
 echo -n "$i "
 case "$i" in
+ security) 
+ $IPTABLES -t security -P INPUT $policy \
+ && $IPTABLES -t security -P OUTPUT $policy \
+ && $IPTABLES -t security -P FORWARD $policy \
+ || let ret+=1
+ ;; 
 $IPTABLES -t raw -P PREROUTING $policy \
 && $IPTABLES -t raw -P OUTPUT $policy \
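Review bot: the hunk appears truncated: the header `@@ -120,6 +120,12 @@` promises six unchanged context lines, but only five are visible, and the `raw)` case label that should sit between the added `;;` and ` $IPTABLES -t raw -P PREROUTING $policy \` is missing, so `patch -u` is likely to report a malformed hunk or write a .rej file; compare the context against the `raw)` block in /etc/init.d/iptables before applying, or apply the six `+` lines by hand directly above `raw)`. The added `security)` and `;;` lines also carry trailing whitespace, which the shell ignores but which is worth stripping. The chains chosen (INPUT, OUTPUT, FORWARD) are the built-in chains of the security table, mirroring the filter case, and `|| let ret+=1` follows the script's existing failure-count convention.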
  • Run (as root):
patch -u /etc/init.d/iptables centos.iptables.patch

Note: “patch” needs to be installed first, using “yum install patch”.
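As an added example (my own, not part of the original post and not code from the CentOS init script), the following POSIX sh script does two things the post leaves implicit: it checks whether the running kernel actually exposes the security table, so you know in advance whether the stock init script will fail, and it prints, without running, the policy commands the init script would need for each table, which shows why “security” needs exactly the same three chains as “filter”. It assumes the table list comes from /proc/net/ip_tables_names; when that file is absent (no ip_tables module loaded, or a non-Linux box), a constructed sample list stands in.

```shell
#!/bin/sh
# Added example, not from the original post or the CentOS init script.
# Lists the built-in chains per iptables table, prints (dry-run) the policy
# commands an init script must issue, and checks whether the kernel exposes
# the "security" table at all.

# Built-in chains of each table. The security table carries the same three
# chains as filter, which is why the patch in the post mirrors the filter case.
# Note: nat gained an INPUT chain in later kernels; the list below matches the
# three chains the CentOS 6 init script sets.
chains_for_table() {
    case "$1" in
        filter|security) echo "INPUT FORWARD OUTPUT" ;;
        nat)             echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle)          echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)             echo "PREROUTING OUTPUT" ;;
        *)               return 1 ;;
    esac
}

# Print (do not execute) the policy commands for every table named in $1
# (space separated, e.g. the contents of /proc/net/ip_tables_names) with the
# policy in $2 (default ACCEPT). Unknown tables are reported on stderr and
# counted, like the init script's "ret" counter; the count is the exit status.
policy_commands() {
    tables="$1"
    policy="${2:-ACCEPT}"
    failed=0
    for t in $tables; do
        chains=$(chains_for_table "$t") || {
            echo "unknown table: $t" >&2
            failed=$((failed + 1))
            continue
        }
        for c in $chains; do
            echo "iptables -t $t -P $c $policy"
        done
    done
    return "$failed"
}

# Table names the kernel currently exposes. Reads the real /proc file when
# present; otherwise falls back to a constructed sample (labelled as such).
kernel_tables() {
    if [ -r /proc/net/ip_tables_names ]; then
        cat /proc/net/ip_tables_names
    else
        # constructed sample: what a kernel with the security table would list
        printf 'security\nraw\nnat\nmangle\nfilter\n'
    fi
}

# Pre-flight check: exit 0 if the security table is present.
has_security_table() {
    kernel_tables | grep -qx security
}

# Usage: sh iptables-check.sh --check
if [ "${1:-}" = "--check" ]; then
    if has_security_table; then
        echo "security table present: the stock CentOS 6 init script needs the patch"
    else
        echo "no security table found: the stock init script should start cleanly"
    fi
    echo "policy commands for the listed tables:"
    policy_commands "$(kernel_tables | tr '\n' ' ')" ACCEPT
fi
```

One caveat on the check: /proc/net/ip_tables_names only lists tables whose modules are currently loaded, so run it after the firewall has been loaded at least once (or after `modprobe iptable_security` on a kernel that has it as a module) rather than on a freshly booted box with nothing loaded.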

