1

Topic: Fresh install of 0.9.7 - reboot - kills ip(6)tables rules

I have made a fresh installation of iRedMail 0.9.7 on two servers with CentOS 7. The servers themselves were fresh installs as well considering mail, database, etc. services.

However I have made my own configuration for iptables and ip6tables including necessary ports and thus answered during installation that I do not want to use iredmail firewall rules. After installation everything seemed fine, but after a reboot all my iptables rules are replaced, which is a deal breaker of course, because it even breaks SSH since I am not running it on the default port (I luckily have a serial console I can connect to in such an emergency).
When I try to recreate my iptables rules, after the next reboot everything is gone again. How can I stop this from happening?

Here are the iptables rules that exist after installing iredmail and rebooting.

# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_public
-N FWDI_public_allow
-N FWDI_public_deny
-N FWDI_public_log
-N FWDO_public
-N FWDO_public_allow
-N FWDO_public_deny
-N FWDO_public_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_public
-N IN_public_allow
-N IN_public_deny
-N IN_public_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i venet0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o venet0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p ipv6-icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i venet0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p ipv6-icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT


2

Re: Fresh install of 0.9.7 - reboot - kills ip(6)tables rules

Chrissicom wrote:

After installation everything seemed fine, but after a reboot all my iptables rules are replaced

CentOS (and RHEL) will use its own firewalld rules, you need to write your own firewalld rules under /etc/firewalld/. Please check CentOS/RHEL document.

3

Re: Fresh install of 0.9.7 - reboot - kills ip(6)tables rules

Just posting to document my solution to the issue.

The iRedMail installer installed firewalld and enabled the service, which kills all previous firewall rules set up with iptables after a reboot. I have simply done:

systemctl disable firewalld
(CentOS 7)

Afterwards I did an iptables -F and ran my own iptables script to install all the rules. Now everything runs fine. Personally I don't like firewalld to manage my iptables rules, because I find it to be totally intransparent.
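An added check (not from any poster in this thread) for the situation described above: before rebooting a CentOS 7 box after disabling firewalld, confirm that firewalld really cannot come back, that the hand-written rules still accept SSH on the non-default port, and that something restores those rules at boot. It assumes the iptables-services package (iptables.service reading /etc/sysconfig/iptables) as the persistence mechanism and uses 2222 as a stand-in for the poster's SSH port; the parsing functions take their input on stdin / as arguments so they can be exercised against a constructed dump.

```shell
#!/bin/sh
# Audit helper: verify a CentOS 7 host after "systemctl disable firewalld".
# SSH_PORT is an assumed value standing in for the poster's non-default port.
SSH_PORT="${SSH_PORT:-2222}"

# firewalld_blocked STATE
# STATE is the output of `systemctl is-enabled firewalld`. Only "disabled"
# or "masked" means firewalld will not reload its own zone rules at boot
# (masked is stronger: nothing can start it by accident either).
firewalld_blocked() {
    case "$1" in
        disabled|masked) return 0 ;;
        *) return 1 ;;
    esac
}

# rules_allow_ssh
# Reads an `iptables -S` / `ip6tables -S` dump on stdin and succeeds only if
# some chain accepts TCP to $SSH_PORT. This is the check that catches the
# lockout from the thread before the reboot instead of after it.
rules_allow_ssh() {
    grep -E -- "^-A [A-Za-z0-9_]+ .*-p tcp .*--dport ${SSH_PORT}( |$).*-j ACCEPT" >/dev/null
}

# live_audit
# Runs the real commands on the host (needs root). Prints one line per
# finding and returns non-zero if a reboot would likely lock you out.
live_audit() {
    rc=0
    state=$(systemctl is-enabled firewalld 2>/dev/null || true)
    if ! firewalld_blocked "$state"; then
        echo "firewalld is '${state:-unknown}': run 'systemctl mask firewalld'"; rc=1
    fi
    for tool in iptables ip6tables; do
        if ! "$tool" -S | rules_allow_ssh; then
            echo "$tool: no ACCEPT rule for tcp/$SSH_PORT"; rc=1
        fi
    done
    # Assumption: persistence via iptables-services. Without it, rules loaded
    # by hand (iptables -F + a script) vanish on the next boot unless that
    # script is itself started by a unit.
    for unit in iptables ip6tables; do
        if ! systemctl is-enabled "$unit" >/dev/null 2>&1; then
            echo "$unit.service not enabled: rules in /etc/sysconfig/$unit will not be restored at boot"; rc=1
        fi
    done
    return "$rc"
}
```

Run `live_audit` as root after installing your rules and `iptables-save > /etc/sysconfig/iptables`; a clean exit means the rule set and the SSH port should survive the reboot.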