How to disable firewall in RHEL 6.x permanently

D

Digital Viper-X-

[H]F Junkie
Joined
Dec 9, 2000
Messages
15,116
I have a redhat 6 test cluster, I need to disable the firewall on all of the nodes.

I have tried using chkconfig, and it doesn't seem to stick. Any other way?
"chkconfig iptables off" is what I tried
 
chkconfig will set the behavior for boot, but won't change the current running state. From your command, upon reboot, I'd expect the iptables init script to not run. You can review the state of all the services and what runlevels they'll fire on with just chkconfig.

To clear and stop iptables on a running system, try the following
Code: 
root@hostname:~> /etc/init.d/iptables stop
root@hostname:~> /etc/init.d/ip6tables stop

You could interrogate it further with the iptables command directly.
Code: 
root@hostname:~> iptables --list INPUT

Substitute your chain of choice for INPUT.
 
Frobozz said:
chkconfig will set the behavior for boot, but won't change the current running state. From your command, upon reboot, I'd expect the iptables init script to not run. You can review the state of all the services and what runlevels they'll fire on with just chkconfig.

To clear and stop iptables on a running system, try the following
Code: 
root@hostname:~> /etc/init.d/iptables stop
root@hostname:~> /etc/init.d/ip6tables stop

You could interrogate it further with the iptables command directly.
Code: 
root@hostname:~> iptables --list INPUT

Substitute your chain of choice for INPUT.
Click to expand...

Sorry, I should have been clear, I already disabled it with service iptables stop, (and iptables6 stop) chkconfig, is not persisting on reboot, that's the problem.
 
perhaps check the file:

/etc/sysconfig/system-config-firewall

Here's the contents of mine (iptables enabled)

# Configuration file for system-config-firewall

--enabled
--port=161:udp
--service=dns
--service=ssh

Perhaps try setting that first line to --disabled
 
Digital Viper-X- said:
Sorry, I should have been clear, I already disabled it with service iptables stop, (and iptables6 stop) chkconfig, is not persisting on reboot, that's the problem.
Click to expand...
Yeah. Now you're into more investigating then. The following may still be more basic than what you're looking for though. :D

First stop would be to run chkconfig and make sure the saved behavior is indeed correct for your run level. Sometimes you can get tripped up on runlevel if you're usually SSH'd into some box and don't have the obviousness of a GUI staring at you. :D
3 should be off if run level 3, 5 should be off if run level 5, etc..
Code: 
root@hostname:~> chkconfig |grep iptables
iptables       	0:off	1:off	2:off	3:off	4:off	5:off	6:off

After a boot, check if you're actually getting some IPTables rules set.
Code: 
root@hostname:~> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If you have any entries showing, then you know it's in your init scripts... somewhere.
I'd take a look at /etc/rc.local and see if something was added there. Then review your scripts in /etc/init.d/. It'd be worth checking over /var/log/boot.log to see if you can tell where it's firing.

If it's empty (as above), and your cluster still does not communicate, I'd give SELinux a cursory check with the 'sestatus' command. When it blocks processes, they can error out in ways that don't really lead you to the cause.
 
service iptables stop
service ip6tables stop
chkconfig --level 123456 iptables off
chkconfig --level 123456 ip6tables off
 
acascianelli said:
service iptables stop
service ip6tables stop
chkconfig --level 123456 iptables off
chkconfig --level 123456 ip6tables off
Click to expand...

Can you explain the --levels? it already shows as off btw.


Code: 
-bash-4.1# chkconfig | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
Last edited:
Frobozz said:
Yeah. Now you're into more investigating then. The following may still be more basic than what you're looking for though. :D

First stop would be to run chkconfig and make sure the saved behavior is indeed correct for your run level. Sometimes you can get tripped up on runlevel if you're usually SSH'd into some box and don't have the obviousness of a GUI staring at you. :D
3 should be off if run level 3, 5 should be off if run level 5, etc..
Code: 
root@hostname:~> chkconfig |grep iptables
iptables       	0:off	1:off	2:off	3:off	4:off	5:off	6:off

After a boot, check if you're actually getting some IPTables rules set.
Code: 
root@hostname:~> iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If you have any entries showing, then you know it's in your init scripts... somewhere.
I'd take a look at /etc/rc.local and see if something was added there. Then review your scripts in /etc/init.d/. It'd be worth checking over /var/log/boot.log to see if you can tell where it's firing.

If it's empty (as above), and your cluster still does not communicate, I'd give SELinux a cursory check with the 'sestatus' command. When it blocks processes, they can error out in ways that don't really lead you to the cause.
Click to expand...


I Checked the boot log, no mention of iptables in there, also checked init.d , only the iptables script is there, but I don't see it being run anywhere ? it's not in /etc/rc.local either.

I'm confused now :)
SELINUX is disabled. just verified again , is there anything else that can start the firewall after a reboot?
 
Digital Viper-X- said:
Can you explain the --levels? it already shows as off btw.


Code: 
-bash-4.1# chkconfig | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
Click to expand...

They're runlevels, 0 through 6.

0 - halt (Do NOT set initdefault to this)
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you do not have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - reboot (Do NOT set initdefault to this)

Are you sure it's still running? What does a "service iptables status"? IPTables is built into the kernel on RHEL, so you can't completely disable it unless you prevent the module from loading. But still, stopping the service from running should prevent it from enforcing any rules.

Triple check that SELinux is either disabled or in permissive mode with "sestatus".
 
Last edited:
acascianelli said:
They're runlevels, 0 through 6.

0 - halt (Do NOT set initdefault to this)
1 - Single user mode
2 - Multiuser, without NFS (The same as 3, if you do not have networking)
3 - Full multiuser mode
4 - unused
5 - X11
6 - reboot (Do NOT set initdefault to this)

Are you sure it's still running? What does a "service iptables status"? IPTables is built into the kernel on RHEL, so you can't completely disable it unless you prevent the module from loading. But still, stopping the service from running should prevent it from enforcing any rules.

Triple check that SELinux is either disabled or in permissive mode with "sestatus".
Click to expand...

Code: 
[B]-bash-4.1# sestatus
[/B]SELinux status:                 disabled


Code: 
[B]-bash-4.1# cat /etc/selinux/config
[/B]
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted


After reboot.

Code: 
[B]-bash-4.1# service iptables status
[/B]Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Code: 
[B]-bash-4.1# service iptables stop
[/B]iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
-bash-4.1# service iptables status
iptables: Firewall is not running.

and chkconfig (All in the same 2 minutes :) )
Code: 
-bash-4.1# chkconfig | grep iptables
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
 
Is selinux still disabled after a reboot?

From everything you've shown, iptables and selinux both look to be completely inactive. Even after a reboot. This is how I've disabled them on RHEL 6 for years.
 
Last edited:
yes, Selinux stays disabled. Iptables is active after a reboot, I know because nodes begin to have communication issues :).

and it shows it as active until I kill it. Disabling the firewall works properly on my other RHEL systems, which is weird. :(
 
Digital Viper-X- said:
yes, Selinux stays disabled. Iptables is active after a reboot, I know because nodes begin to have communication issues :).

and it shows it as active until I kill it. Disabling the firewall works properly on my other RHEL systems, which is weird. :(
Click to expand...

Got a script to start it somewhere in etc/rc* ?
 
Sometimes, I just end up removing those pesky services from starting. chkconfig --del service.
 
Perhaps a hacky workaround/Band-Aid.

Why not add a single "accept all" rule to iptables on the affected machines?

iptables -I INPUT -j ACCEPT


That way, if iptables is running, it won't interfere with connections.
 
I have no clue why turning it off in chkconfig isn't working, but as an alternative you can set the default policy, flush the input chain and then save the config. This way even if it starts your firewall isn't stopping anything. (Repeat if necessary for FORWARD and OUTPUT chains.)


(as root)
Code: 
iptables -P INPUT ACCEPT
iptables -F INPUT 
service iptables save
 
You must log in or register to reply here.
Back
Top