So I’m trying this lab, but I’m unable to found any service related to iptables, I mean if I do sudo systemctl status iptables or sudo systemctl status firewalld I can’t see any service, obviously I installed iptables.
As I Know after installation the service should be available, but here is not the case. Please can someone clarify me this issue ? I’m not sure if I need to create the service, mostly I don’t think so.
Can you share more details on what exactly you have done?
Hi @Srikanth_Reddy I made all the same in the three app servers:
sudo dnf install iptables -y
sudo iptables -F #to flush previous configs
sudo iptables -A INPUT -d tcp --dport 6300 -s "The LBR ip address" -j ACCEPT
sudo iptables -A INPUT -d udp --dport 6300 -s "The LBR ip address" -j ACCEPT
sudo iptables -A INPUT -d tcp --dport 6300 -j REJECT
sudo iptables -A INPUT -d udp --dport 6300 -j REJECT
sudo /sbin/iptables-save #To save iptables config
but after that the platform is giving me this message:
rule was not added permanently on App Server 1
So the firewall config seems correct, but by some reason it’s not saving the config permanently. I know that way works, do you think should I use iptables-save > /etc/sysconfig/iptables ?
install iptables-services package, then enable and start the service. Add necessary rules and save it.
iptables-save saves the rules to stdout but doesn’t persist them unless redirected or used with iptables-services .
so to save the rules I can redirect the output of iptables-save to /etc/sysconfig/iptables and should work ?
Can you elaborate more in using iptables-saves with iptables-services please ? why with the package iptables doesn’t work ?
I tried the task again, validation was successful when I used just the iptables package, add the necessary rules and then run iptables-save > /etc/sysconfig/iptables. I was expecting it to fail actually. Maybe the validation is just checking if /etc/sysconfig/iptables file has expected content 
When the system reboots these rules are to be loaded from /etc/sysconfig/iptables which will be taken care by the service if we had used iptables-services package. I don’t think they would be loaded by default unless there is some service that does it on every reboot.
@Alistair_KodeKloud, could you please give your input here.
Note: This is all my understanding, I can be wrong.
I also made it now as you said and it works. As far as I know [I could be wrong]:
It seems that the iptables works like a “module” in the kernel, and the iptables-service works as a service, so it must be in someway controlled by systemd I guess. But in the case of iptables packages it seems it’s integrated as a module.
I don’t know why in the internet does said that for persistent configuration of iptables, is better to use iptables-services, don’t know why to be honest, since the kernel version seems to work fine, but I assume there must be a more deeply reason to be.
iptables is a command line utility.
If you only have the iptables package installed (without iptables-services ), adding rules with the iptables command and then manually saving them using iptables-save > /etc/sysconfig/iptables will NOT make those rules persistent after a reboot by default.
Why:
/etc/sysconfig/iptables only stores them on disk; it does NOT automatically reload these rules when the system boots./etc/sysconfig/iptables on startup is handled by the iptables-services package, which provides system services that read this file and restore the rules during system boot.So, for this task if we just use iptables and no custom script or systemd service to load the saved rules on reboot, ideally the validation should fail, but that’s not the case; which is why I’m wondering if there is some issue with validation. (Thinking out loud… maybe rebooting the app servers is not possible and this is just a work-around)
Note: file names/locations are for centos instances that are used in these tasks
TY for the information. So let’s hope anyone here clarify everything 
That is the responses have been getting for days of this particular tasks, pls I need more information to enable me scale through to the next phase
Couple of questions:
stapp01, stapp02, stapp03)The order of the iptable rules matter. So please check that as well.
Yes, absolutely!
All app servers was perfectly done and able to reach the apache with LBH only.
What is the next line of action as I’m unable to scale to the next task?
Did you check the order of the rules? It doesn’t seem right in the screenshot that you’d shared.
Yes I did,
Accept traffic only on port for LBRHost and reject for jumphost and others…
Here is the CLI used;
sudo iptables A INPUT -p tcp -s 172.16.238.10 --dport 5003 -j ACCEPT
sudo iptables A INPUT -p tcp --dport 5003 -j REJECT
sudo iptables -L -n
sudo service iptables save
sudo systemctk enable iptables
curl http://stapp01
Changes the ip addresses for each app server for differentt users.
Still gets stuck!
Can you clarify following points:
If you still feel you’ve done everything right, please feel free to ask for review if that option is available for this task.
That is the 1st ever step taken…after ssh into the jumphost site with Tony on stapp01 as the user, installation of iptables follows and in line with other CLI provided.
ssh tony@stapp01
sudo yum install iptables -y iptables-services
sudo systemctl start iptables
sudo systemctl enable iptabels
sudo iptables -L -n, too check for firewall rules if available
Ok, so you are logging in to the app servers from the jump host. Then install, start and enable iptables service on the app servers. I don’t see any issue up until this point.
However I would like to know why you were specifying app server ip(stapp01: 172.16.238.10) in your rules?
sudo iptables A INPUT -p tcp -s 172.16.238.10 --dport 5003 -j ACCEPT
That is the LBR Host server ip address now with stated port.
Got it!
Let me give it another shot.