Things to check when your IPtables firewall rules won't load after a reboot - CentOS

If you find that your IPtables rules aren't loading at all after you reboot your machine, there are a few simple things to check.

chkconfig --list|grep iptables

This command will show you if your rules are set to load on a reboot and at what runlevel. The output will typically look something like this:

iptables           0:off    1:off    2:on    3:on    4:on    5:on    6:off

If those settings don't look okay, you can quickly enable iptables to start after a reboot with this command:

chkconfig iptables on

Now if you run the chkconfig --list command again, you should see iptables set to load.

What happens if everything looks like it should load on bootup, but that isn't happening? Check that your IPtables configuration file, /etc/sysconfig/iptables, does NOT include any hostnames and only includes IP addresses.

A hostname inside the /etc/sysconfig/iptables file is valid syntax, and you won't get any errors when you put one there, but it will prevent your firewall rules from loading after a reboot. Why is that, you ask?

The reason is that on CentOS, RHEL and probably a number of other distros, the IPtables rules are loaded before networking starts. This makes sense, because you want your firewall in place before your networking comes on-line. The problem is that, because of this ordering, there's no way for IPtables to resolve a hostname in the configuration file into an IP address, since networking isn't up yet. Once the machine has finished booting, the same conversion works without issue, because networking is already started and the IPtables service can resolve any hostnames you put in your /etc/sysconfig/iptables configuration.

What's the solution for this? Well, there are a couple of solutions to this problem:

  • Do not use hostnames inside of the /etc/sysconfig/iptables file.
  • Run service iptables restart after your machine is fully started up, for example from your /etc/rc.d/rc.local file.
  • If you're trying to keep your rules up to date with an IP that changes frequently, you could get fancy and create a cron job that runs a script to dynamically update your firewall rules based on the results of an nslookup.
  • Probably a number of other options as well, such as re-ordering your startup scripts, but that seems messy and likely to break something else.
  • You could try an alternative firewall system, such as Shorewall, which appears to support using hostnames inside of its rule file.
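To verify the first option, here is an added check script (not from the original post) that scans an iptables-save style file for -s/-d values that are hostnames rather than IPv4 addresses or CIDR blocks, the exact condition that keeps the ruleset from loading at boot. The sample ruleset it writes is constructed for the demonstration; on a real box you would point find_hostnames_in_rules at /etc/sysconfig/iptables.

```shell
# Added check, not from the original post: report -s/-d values in an
# /etc/sysconfig/iptables style file that are hostnames. Those rules parse,
# but cannot be resolved when iptables starts before networking, so no rule loads.

# Print every non-IPv4 source/destination value in file $1, one per line.
# Exit 1 if any were found, 0 if the file is clean.
# Assumption: IPv4 rules only; ip6tables files are not handled.
find_hostnames_in_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-s" || $i == "-d" || $i == "--source" ||
                    $i == "--destination" || $i == "--src" || $i == "--dst") {
                    v = $(i + 1)
                    # legacy negation "-s ! host" puts the value one token later
                    if (v == "!" && i + 2 <= NF) v = $(i + 2)
                    if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
                        print v
                        found = 1
                    }
                }
            }
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Write a constructed sample ruleset (not from a real host) to file $1.
# Two rules carry hostnames; the negated 10.0.0.5 rule is fine.
write_sample_rules() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -s backup.example.com -p tcp --dport 873 -j ACCEPT
-A INPUT ! -s 10.0.0.5 -p tcp --dport 3306 -j DROP
-A OUTPUT -d monitor.example.com -p udp --dport 161 -j ACCEPT
COMMIT
EOF
}

# Run the check on the sample; replace $sample with /etc/sysconfig/iptables.
sample="${TMPDIR:-/tmp}/iptables-sample.$$"
write_sample_rules "$sample"
find_hostnames_in_rules "$sample" || echo "WARNING: hostnames above will stop the ruleset loading at boot"
rm -f "$sample"
```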