- 02-04-2011 #1
How do I disable iptables on RHEL6?
Hi,
Stupid question isn't it but I can't figure this one out..
1: Did chkconfig --level 12345 iptables off (and ip6tables too)
2: Did system-config-firewall and unclicked enable
3: Rebooted:
Dang the stuff is still there:
--
# /etc/init.d/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
[snip]
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 CHECKSUM udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:68 CHECKSUM fill
[snip]
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 MASQUERADE udp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
3 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
[snip]
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
[snip]
---
Hmm what now...
4: Moved /etc/init.d/iptables and ip6tables to /root to really make sure it's disabled..
5: Moved /etc/sysconfig/iptables to /etc/sysconfig/iptables.old
Reboot
Darn the table is still there:
# /root/iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
[snip]
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
[snip]
----
It even recreated /etc/sysconfig/iptables which I previously removed..
Hmm so now how do I get rid of it so I get
# /root/iptables status
iptables: Firewall is not running.
Next time I reboot.. I'm going crazy, even checked the initrd image but nothing...
Sincerely Dyna
- 02-05-2011 #2
That looks like virtual bridge interface stuff in your rules at the top (192.168.122.0/24). I see similar on my Fedora 14 VM hosts, even with iptables chkconfig'ed off. Are you running qemu or other virtual machines? Or have a bridge interface like virbr0 for whatever reason?
What are you trying to fix, functionally?
- 02-05-2011 #3
Poking further, I can't seem to get to a state where I don't have at least an empty FILTER table as indicated in /proc/net/ip_tables_names. Reading the init script, it looks like you'll never get the "not running" status message as long as that's the case. Again, that's Fedora 14, not RHEL6. I have no RHEL6 machines as yet, just 4 and 5.
Looks like the reappearance of /etc/sysconfig/iptables may have something to do with settings in /etc/sysconfig/iptables-config.
Good luck.
- 02-05-2011 #4
Hi
Thanks for the posts.. I don't (as far as I know) have any qemu or similar stuff running, will double check it though. The /etc/sysconfig/iptables-config has a disabled entry so I hope that should not make it appear so to say... Will poke around further on Monday when I can sit on the console and bring up the network manually to see exactly what is turning this stuff on..
Cheers Dyna
- 02-05-2011 #5
Do please post back on what you find. I'm also still interested in why you need the service stopped as opposed to having it running with no rules.
- 02-06-2011 #6
Could be selinux playing with your head...
I'd leave iptables running but just accepting rather than off as grey.. suggested.
Try this:
1. Disable SELinux (/etc/selinux/config or "setup" or "system-config-security")
2. reboot
3. Run the following commands:
Code:
iptables -F
# -t selects the table; "iptables -F nat" would look for a chain named nat
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save
4. reboot & see what you get.
If all good then enable selinux again & reboot.
- 02-07-2011 #7
Found the issue..
It is libvirtd that is starting up the firewall, if you disable libvirtd (chkconfig off) then it will not start..
Cheers Dyna
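To tell quickly whether rules left on a host with the iptables service disabled have the shape the thread traced back to libvirtd, the status output can be classified as below. This is an added example, not part of the original posts; the function names and the sample input are constructed, and the matching is a heuristic built only on the rule shapes quoted in the first post (MASQUERADE from 192.168.122.0/24, ACCEPT on ports 53 and 67, CHECKSUM on port 68).

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic: the rule shapes matched here
# are the ones quoted in the first post; the subnet default is the one shown there.
LIBVIRT_NET="${LIBVIRT_NET:-192.168.122.0/24}"

# Constructed sample modelled on the quoted status output ("Table: nat" and
# the dpt:22 rule are made up for the demonstration).
sample_rules() {
cat <<'EOF'
Table: nat
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE tcp -- 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
2 MASQUERADE all -- 192.168.122.0/24 !192.168.122.0/24
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
EOF
}

# Reads status output on stdin, prints "<libvirt_like> <other>" rule counts.
classify_rules() {
  awk -v net="$LIBVIRT_NET" '
    $1 !~ /^[0-9]+$/ { next }   # skip Table:, Chain and column-header lines
    {
      hit = 0
      if ($2 == "MASQUERADE" && $5 == net) hit = 1
      if ($2 == "CHECKSUM" && $0 ~ /dpt:68( |$)/) hit = 1
      if ($2 == "ACCEPT" && $0 ~ /dpt:(53|67)( |$)/) hit = 1
      if (hit) lv++; else other++
    }
    END { printf "%d %d\n", lv, other }'
}

# Prints a one-word verdict for the rule set on stdin.
verdict() {
  classify_rules | {
    read -r lv other
    if [ "$lv" -gt 0 ]; then echo "libvirt-like"
    elif [ "$other" -gt 0 ]; then echo "other-rules"
    else echo "empty"
    fi
  }
}
```

On a live host, pipe `/etc/init.d/iptables status` into `verdict`. ACCEPT rules on ports 53 and 67 can also belong to a real DNS or DHCP server, so confirm with `chkconfig --list libvirtd` before attributing them.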
