Score:0

iptables doesn't seem to be stopped


I have a CentOS 7 computer, which originally uses iptables as its firewall configuration tool.

The computer has a docker container that listens to port 10079.

I want to use firewalld to replace iptables.

Both firewalld and iptables run outside of the docker container. I don't run them inside the container.

So I run the following commands

$ systemctl stop iptables
# disable iptables so that it doesn't start at next system reboot.
$ systemctl disable iptables

$ systemctl start firewalld
$ systemctl enable firewalld


$ firewall-cmd --list-services
dhcpv6-client ssh

As you can see from the output of the firewall-cmd --list-services command, I only have the ssh and dhcpv6-client services enabled.

However, one thing that I find strange is that I can still access the server through port 10079.

I thought that the rules in the iptables chains would become invalid after running the systemctl stop iptables command.

But I was wrong. Because I can still access a service on the computer through port 10079.

Why can I still access port 10079 after running systemctl stop iptables command?

Here are the statuses of iptables and firewalld:

$ systemctl status iptables
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead) since Fri 2021-06-18 16:56:38 CST; 47min ago
  Process: 18324 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
  Process: 18220 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 18220 (code=exited, status=0/SUCCESS)

Jun 18 16:56:22 foo.my-company.com systemd[1]: Starting IPv4 firewall with iptables...
Jun 18 16:56:22 foo.my-company.com iptables.init[18220]: iptables: Applying firewall rules: [  OK  ]
Jun 18 16:56:22 foo.my-company.com systemd[1]: Started IPv4 firewall with iptables.
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopping IPv4 firewall with iptables...
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Setting chains to policy ACCEPT: nat mangle security raw fil...OK  ]
Jun 18 16:56:38 foo.my-company.com iptables.init[18324]: iptables: Flushing firewall rules: [  OK  ]
Jun 18 16:56:38 foo.my-company.com systemd[1]: Stopped IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-06-18 16:56:38 CST; 48min ago
     Docs: man:firewalld(1)
 Main PID: 18325 (firewalld)
    Tasks: 2
   Memory: 26.0M
   CGroup: /system.slice/firewalld.service
           └─18325 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Jun 18 16:56:38 foo.my-company.com systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 18 16:56:38 foo.my-company.com systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure con...t now.
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072d...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db75...ain?).
Jun 18 16:56:39 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a44...ain?).
Jun 18 16:56:40 foo.my-company.com firewalld[18325]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -...ain?).
Hint: Some lines were ellipsized, use -l to show in full.

It looks like firewalld has started correctly, and iptables has been disabled.

Here's the content of /var/log/firewalld after restarting my computer just now:

2021-06-18 22:13:19 WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL ! --dst 127.0.0.0/8 -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.4.21: Couldn't load target `DOCKER':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -F DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-ee12e0b3bd4b -o br-ee12e0b3bd4b -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:21 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-37072db2b0a2 -o br-37072db2b0a2 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-95db758dd575 -o br-95db758dd575 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-d77a4470f1ee -o br-d77a4470f1ee -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i br-e06022f15557 -o br-e06022f15557 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2021-06-18 22:13:22 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

The log content contains a lot of warnings about docker. Maybe this problem has something to do with docker.

Here are my current iptables settings.

$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (6 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.208.2        tcp dpt:8005
ACCEPT     tcp  --  0.0.0.0/0            172.29.0.3           tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.3           tcp dpt:5432
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.4           tcp dpt:9000
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:22

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-2  all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (6 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (2 references)
target     prot opt source               destination         
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (2 references)
target     prot opt source               destination         
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (2 references)
target     prot opt source               destination         
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         
Dom
If you disable iptables, you may be able to access port 10079 if firewalld is not started correctly. Check the logs: you may see if there is an error.
Brian
Thank you for your information. Do you mean running `journalctl -u firewalld.service` to see the logs?
Dom
I never use journalctl, but you have found them. You must correct the warnings of firewalld to enable your new firewall. Firewalld doesn't start correctly: there are 8 COMMAND_FAILED!
Brian
But according to this [post](https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name), the error message `WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).` can be ignored.
Brian
The complete warning message can be found in `/var/log/firewalld`. My error message is the same as the one mentioned in that [post](https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name).
Michael Hampton
Restart the computer.
Brian
@MichaelHampton, I can still access port 10079 after rebooting my computer.
Michael Hampton
Does firewalld still give the same warnings, or different ones?
Brian
The server is built in a docker container. I'm not sure if this problem has something to do with docker.
Brian
`firewalld` still gives the same warnings after rebooting.
Michael Hampton
What does this mean? "The server is built in a docker container."
Brian
@MichaelHampton, I mean the server is created by using a `docker-compose.yml` file. It's something like [this one](https://github.com/kassambara/wordpress-docker-compose).
Michael Hampton
But why are you trying to run firewalld inside the container? Of course that's not going to work.
Brian
`firewalld` is outside of the docker container.
Score:0

Firewalld adds a layer of abstraction on top of iptables in the kernel. While the systemctl stop iptables command may have stopped a user space utility for managing the chains, the kernel configuration appears to be unmodified by that (if I were to guess, stopping the service likely saves the chains to give you persistence in the settings between reboots).

Docker itself does a lot of management of the kernel's iptables settings to configure networking between containers and out to the host. In addition to creating bridge networks and virtual ethernet devices, there are also NAT rules created to allow containers to connect to the network as your host. And for port forwarding (from the host to the container), there is a combination of a user space docker-proxy process that listens and various forwarding rules. This is all configured automatically when you publish a port, and bypasses any filtering rules you configure in a tool like firewalld. You can see this in the FORWARD table where the various DOCKER table entries are created before the various *_ZONES entries.

If you want to set up firewall policies on published ports, the process is to use the DOCKER-USER table and combine it with conntrack to handle the mangling that NAT does. The result looks like:

# Drop external requests by default.
# This rule goes first because each of these rules is inserted at the top of the
# chain, so the first one inserted becomes the last rule evaluated in the chain.
# By default the DOCKER-USER table contains a single RETURN entry that matches
# everything, so other rules must be inserted before it.
iptables -I DOCKER-USER -j DROP
# allow packets that belong to an existing connection
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
# allow inter-container requests (traffic arriving on a docker bridge)
iptables -I DOCKER-USER -i br+ -j RETURN
# allow requests from docker to external
iptables -I DOCKER-USER -i docker+ -j RETURN
# allow anything to host port 5000 (matched on the pre-NAT destination port)
iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport 5000 -j RETURN
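The ordering problem described in this answer (Docker's jumps sitting in FORWARD ahead of firewalld's *_ZONES chains, and a DOCKER-USER chain that just RETURNs) can be checked mechanically from a saved `iptables -L -n` listing. The following is an added example, not code from the answer, from Docker or from firewalld. It assumes the fixed column layout of `iptables -L -n` that the question shows; its sample input is a constructed, abridged copy of the question's FORWARD and DOCKER chains, plus a constructed listing of what DOCKER-USER looks like after the five `iptables -I` commands above (the `ctorigdstport 5000` rendering of that rule is an assumption).

```python
"""Audit a saved `iptables -L -n` dump for the Docker/firewalld ordering problem (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an abridged copy of the question's FORWARD and DOCKER chains.
FORWARD_PART = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain DOCKER (6 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.21.0.2           tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.20.0.4           tcp dpt:80
"""
# Docker's stock DOCKER-USER chain: one unconditional RETURN, so nothing is filtered.
DOCKER_USER_DEFAULT = """\
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
# Constructed (assumed) listing of DOCKER-USER after the answer's five `iptables -I` commands.
# `-L -n` does not print -i/-o interface matches, so the br+ and docker+ RETURNs look bare.
DOCKER_USER_HARDENED = """\
Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            ctorigdstport 5000
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
SAMPLE_UNFILTERED = FORWARD_PART + DOCKER_USER_DEFAULT
SAMPLE_HARDENED = FORWARD_PART + DOCKER_USER_HARDENED


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "ctstate RELATED,ESTABLISHED" or "tcp dpt:443"


CHAIN_HEADER = re.compile(r"^Chain (\S+) \(")


def parse_iptables_dump(text: str) -> Dict[str, List[Rule]]:
    """Parse filter-table `iptables -L -n` output into {chain: [Rule, ...]}."""
    chains: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.startswith("target") and current:
            parts = line.split(None, 5)  # target prot opt source destination [extra]
            if len(parts) >= 5:
                extra = parts[5].strip() if len(parts) > 5 else ""
                chains[current].append(Rule(parts[0], parts[1], parts[3], parts[4], extra))
    return chains


def docker_precedes_firewalld(chains: Dict[str, List[Rule]]) -> bool:
    """True when FORWARD jumps to the DOCKER chain (which ACCEPTs published ports)
    before any firewalld FORWARD_* chain, so the zone rules never see that traffic."""
    fwd = chains.get("FORWARD", [])
    docker = [i for i, r in enumerate(fwd) if r.target == "DOCKER"]
    zones = [i for i, r in enumerate(fwd) if r.target.startswith("FORWARD_")]
    return bool(docker) and (not zones or docker[0] < zones[0])


def docker_user_has_default_drop(chains: Dict[str, List[Rule]]) -> bool:
    """True when DOCKER-USER holds a catch-all DROP, i.e. the answer's default-deny rule."""
    return any(r.target == "DROP" and r.prot == "all" and r.extra == ""
               for r in chains.get("DOCKER-USER", []))


def published_ports(chains: Dict[str, List[Rule]]) -> List[str]:
    """'container_ip:port' for each ACCEPT in the DOCKER chain: ports Docker opened
    by itself, which `firewall-cmd --list-services` does not report."""
    found = []
    for r in chains.get("DOCKER", []):
        m = re.search(r"dpt:(\d+)", r.extra)
        if r.target == "ACCEPT" and m:
            found.append(f"{r.destination}:{m.group(1)}")
    return found


def audit(text: str) -> dict:
    chains = parse_iptables_dump(text)
    return {"docker_precedes_firewalld": docker_precedes_firewalld(chains),
            "docker_user_has_default_drop": docker_user_has_default_drop(chains),
            "published_ports": published_ports(chains)}
```

To use it on a real host, save `iptables -L -n > dump.txt` and call `audit(open("dump.txt").read())`. Because `-L -n` hides `-i`/`-o` interface matches, the parser cannot tell the `br+` and `docker+` RETURNs apart from the stock one; check those with `iptables -S DOCKER-USER`, which prints the rules as full rule specifications.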