# IPTABLES not loading on startup > OPENRC?

## dlambeth

IPTables won't work on startup!

After long deliberation I decided to move past the 2.6.20 kernel and get a new Gentoo installation going. However, I noticed that things have changed as far as things working the way they did before. I used to add "iptables" to my default runlevel, and it always worked great. But now, it does not appear to work right anymore. It does load up when booting, but from the LAN side of my firewall I cannot ping anything beyond the gateway.

I also tried telling Webmin to load rules at system start, but that does not work either. I've tried everything under the sun that I can think of.

iptables -L does show me that the rules were loaded, but they simply do not work. I have to manually run my firewall script (which works fine) before I can egress my firewall. Has anybody else seen this problem? I can't be having to manually start my firewall every time I reboot. I'm really wondering if the new implementation of OPENRC has something to do with this.

Someone????????????

----------

## Hu

The openrc scripts work fine for me.  Could you post the output of iptables-save in both the broken and working states and the output of cat -n /var/lib/iptables/rules-save ; cat -n /var/lib/ip6tables/rules-save ; cat -n /etc/conf.d/net ; rc-update show -v | nl?

----------

## dlambeth

*Hu wrote:*

> The openrc scripts work fine for me.  Could you post the output of iptables-save in both the broken and working states and the output of cat -n /var/lib/iptables/rules-save ; cat -n /var/lib/ip6tables/rules-save ; cat -n /etc/conf.d/net ; rc-update show -v | nl?

Thanks for the reply, I've pasted the two scripts for you. After Diff'ing them it appears they are different. Doing an "iptables -L" does show that rules are being loaded up on startup, but they don't seem to work. I have to run my "FIREWALL" script manually to get things to work.

[ WORKING ]

```
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:04:52 2011
*raw
:PREROUTING ACCEPT [3618:402579]
:OUTPUT ACCEPT [1946:891992]
COMMIT
# Completed on Sun Sep  4 09:04:52 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:04:52 2011
*nat
:PREROUTING ACCEPT [16:1225]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --sport 1025:65535 --dport 80 -j DNAT --to-destination 10.11.0.1:3128
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source 10.10.0.100
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -j LOG --log-prefix "fp=denied_packets:1 a=DROP "
COMMIT
# Completed on Sun Sep  4 09:04:52 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:04:52 2011
*mangle
:PREROUTING ACCEPT [211:32374]
:INPUT ACCEPT [87:6776]
:FORWARD ACCEPT [124:25598]
:OUTPUT ACCEPT [71:7832]
:POSTROUTING ACCEPT [189:32246]
COMMIT
# Completed on Sun Sep  4 09:04:52 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:04:52 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A INPUT -s 10.10.0.100/32 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
-A INPUT -s 240.0.0.0/4 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -s 10.11.0.0/16 -i eth1 -j ACCEPT
-A INPUT -s 10.11.0.0/16 -d 10.11.255.255/32 -p udp -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p udp -j udp_outbound
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.11.0.1/32 -j ACCEPT
-A OUTPUT -s 10.10.0.100/32 -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "fp=icmp_packets:2 a=ACCEPT"
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -s 10.11.0.0/16 -p tcp -j ACCEPT
-A tcp_inbound -s 10.10.0.0/16 -p tcp -m tcp --dport 22:55555 -j ACCEPT
-A tcp_inbound -s 168.215.165.176/29 -p tcp -m tcp --dport 22:55555 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -i eth0 -p udp -m udp --dport 137 -j DROP
-A udp_inbound -i eth0 -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -s 10.10.0.0/16 -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A udp_inbound -s 168.215.165.176/29 -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Sun Sep  4 09:04:52 201
```

[ NOT WORKING ]

```
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:02:33 2011
*raw
:PREROUTING ACCEPT [2903:327311]
:OUTPUT ACCEPT [1649:837152]
COMMIT
# Completed on Sun Sep  4 09:02:33 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:02:33 2011
*nat
:PREROUTING ACCEPT [767:65485]
:INPUT ACCEPT [22:1878]
:OUTPUT ACCEPT [44:3023]
:POSTROUTING ACCEPT [1:60]
-A PREROUTING -i eth1 -p tcp -m tcp --sport 1025:65535 --dport 80 -j DNAT --to-destination 10.11.0.1:3128
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source 10.10.0.100
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 22 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p udp -m udp --dport 53 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 10.11.0.0/16 -o eth0 -j LOG --log-prefix "fp=denied_packets:1 a=DROP "
COMMIT
# Completed on Sun Sep  4 09:02:33 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:02:33 2011
*mangle
:PREROUTING ACCEPT [2721:313548]
:INPUT ACCEPT [1568:137749]
:FORWARD ACCEPT [541:123034]
:OUTPUT ACCEPT [1572:829148]
:POSTROUTING ACCEPT [2107:950998]
COMMIT
# Completed on Sun Sep  4 09:02:33 2011
# Generated by iptables-save v1.4.10 on Sun Sep  4 09:02:33 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A INPUT -s 10.10.0.100/32 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
-A INPUT -s 240.0.0.0/4 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -s 10.11.0.0/16 -i eth1 -j ACCEPT
-A INPUT -s 10.11.0.0/16 -d 10.11.255.255/32 -p udp -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p udp -j udp_outbound
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 10.11.0.1/32 -j ACCEPT
-A OUTPUT -s 10.10.0.100/32 -o eth0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "fp=icmp_packets:2 a=ACCEPT"
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -s 10.11.0.0/16 -p tcp -j ACCEPT
-A tcp_inbound -s 10.10.0.0/16 -p tcp -m tcp --dport 22:55555 -j ACCEPT
-A tcp_inbound -s 168.215.165.176/29 -p tcp -m tcp --dport 22:55555 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -i eth0 -p udp -m udp --dport 137 -j DROP
-A udp_inbound -i eth0 -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -s 10.10.0.0/16 -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A udp_inbound -s 168.215.165.176/29 -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Sun Sep  4 09:02:33 2011
```

----------

## dlambeth

I found the problem. Apparently the IPV4 forwarding is being set back to 0 every time I reboot. I put a command in the /etc/conf.d/local that enables the forwarding at bootup. I'm not sure why this changed, but at least it's working now.

Thanks,

----------

## Hu

It may have changed if you accepted an update to /etc/sysctl.conf.  You can assign it there if you want it to be enabled at startup.

----------
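The two diagnostics this thread turned on, as an added example that is not part of the thread or of Gentoo's openrc scripts: the two iptables-save dumps above differ only in their packet/byte counters and timestamps, so a diff that strips those shows the restored ruleset is identical to the hand-loaded one and the fault lies elsewhere; and the real culprit, net.ipv4.ip_forward, must be both on at runtime and persisted in /etc/sysctl.conf. The sample files below are constructed; point the functions at the real /proc/sys/net/ipv4/ip_forward and /etc/sysctl.conf on a firewall host.

```shell
#!/bin/sh
# Post-boot firewall sanity check (added example, not from the thread).

# Strip what legitimately changes between two iptables-save runs of the same
# ruleset: the [pkts:bytes] counters on chain headers and the Generated/
# Completed timestamp comments. What is left is the ruleset itself.
normalize_rules() {
    sed -E -e '/^# (Generated|Completed) /d' \
           -e 's/\[[0-9]+:[0-9]+\]/[0:0]/' "$1"
}

# Exit 0 when two iptables-save dumps hold the same rules.
rules_equal() {
    [ "$(normalize_rules "$1")" = "$(normalize_rules "$2")" ]
}

# Persisted value of net.ipv4.ip_forward in a sysctl.conf-style file:
# last uncommented assignment wins, dotted or slashed key spelling accepted.
persisted_ip_forward() {
    sed -nE 's#^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*([01]).*#\1#p' \
        "$1" | tail -n 1
}

# $1: runtime value file (normally /proc/sys/net/ipv4/ip_forward)
# $2: persisted config (normally /etc/sysctl.conf)
# Exit 0 only when forwarding is on now AND will survive a reboot.
check_ip_forward() {
    runtime=$(cat "$1")
    persisted=$(persisted_ip_forward "$2")
    echo "ip_forward runtime=${runtime} persisted=${persisted:-unset}"
    [ "$runtime" = 1 ] && [ "$persisted" = 1 ]
}

# Constructed sample inputs so the script runs offline (not the thread's files).
SAMPLE_DIR="${TMPDIR:-/tmp}/fwcheck.$$"
mkdir -p "$SAMPLE_DIR"
printf '%s\n' '# Generated by iptables-save v1.4.10 on Sun Sep  4 09:02:33 2011' \
    '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
    '-A FORWARD -i eth1 -j ACCEPT' 'COMMIT' \
    '# Completed on Sun Sep  4 09:02:33 2011' > "$SAMPLE_DIR/boot.rules"
printf '%s\n' '# Generated by iptables-save v1.4.10 on Sun Sep  4 09:04:52 2011' \
    '*filter' ':INPUT DROP [12:960]' ':FORWARD DROP [3:180]' \
    '-A FORWARD -i eth1 -j ACCEPT' 'COMMIT' \
    '# Completed on Sun Sep  4 09:04:52 2011' > "$SAMPLE_DIR/script.rules"
printf '0\n' > "$SAMPLE_DIR/ip_forward"                  # kernel value after reboot
printf 'net.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.conf"

if rules_equal "$SAMPLE_DIR/boot.rules" "$SAMPLE_DIR/script.rules"; then
    echo "rulesets identical once counters are ignored: look outside iptables"
fi
check_ip_forward "$SAMPLE_DIR/ip_forward" "$SAMPLE_DIR/sysctl.conf" \
    || echo "forwarding is off: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf"
```

----------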

## dlambeth

*Hu wrote:*

> It may have changed if you accepted an update to /etc/sysctl.conf.  You can assign it there if you want it to be enabled at startup.

Got it! Thanks.

----------

## canit0

*Hu wrote:*

> It may have changed if you accepted an update to /etc/sysctl.conf.  You can assign it there if you want it to be enabled at startup.

I had the same problem, and I completely overlooked the sysctl.conf file. Anyways, thank you for the help.

----------

