Hello all:

I did a fresh install of CentOS 7 on a new machine.

I wrote /usr/local/bin/firewall.stop to remove all the firewall rules. It contains this code:

    # Flush the rules
    /usr/sbin/iptables -F

    # Set the default policies to accept
    /usr/sbin/iptables -P INPUT ACCEPT
    /usr/sbin/iptables -P OUTPUT ACCEPT
    /usr/sbin/iptables -P FORWARD ACCEPT

I wrote /usr/local/bin/firewall.start to set the firewall rules. It contains this code:

    # IP definitions
    ETH0_IP=a.b.c.d

    # Load the FTP conntrack module
    /usr/sbin/modprobe nf_conntrack_ftp

    # Set the default policies to drop all packets
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -P OUTPUT DROP
    /usr/sbin/iptables -P FORWARD DROP

    # Flush any existing rules
    /usr/sbin/iptables -F

    # Allow loopback traffic
    /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

    # Allow icmp protocol packets
    /usr/sbin/iptables -A INPUT -i eth0 -d $ETH0_IP -p icmp -j ACCEPT
    /usr/sbin/iptables -A OUTPUT -o eth0 -s $ETH0_IP -p icmp -j ACCEPT

    [ Additional allow rules here ]

If I run the firewall.start script manually, it sets the iptables rules correctly. If I run the firewall.stop script manually, it removes the iptables rules correctly.

The problem comes in when I am trying to execute this from systemd. I wrote /etc/systemd/system/firewall.service with this content:

    [Unit]
    Description=Iptables firewall
    Before=network.target
    Wants=network.target

    [Service]
    Type=oneshot
    ExecStart=/usr/local/bin/firewall.start
    ExecStop=/usr/local/bin/firewall.stop
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

Now, when I run systemctl start firewall.service, I get this output:

    Job for firewall.service failed. See 'systemctl status firewall.service' and 'journalctl -xn' for details.

If I do systemctl status firewall.status, it gives me:

    firewall.status.service
       Loaded: not-found (Reason: No such file or directory)
       Active: inactive (dead)

journalctl -xn gives me this output:

    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Starting Iptables firewall...
    -- Subject: Unit firewall.service has begun with start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit firewall.service has begun starting up.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC spawning /usr/local/bin/firewall.start: Exec format error
    -- Subject: Process /usr/local/bin/firewall.start could not be executed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- The process /usr/local/bin/firewall.start could not be executed and failed.
    --
    -- The error number returned while executing this process is 8.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: firewall.service: main process exited, code=exited, status=203/EXEC
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Failed to start Iptables firewall.
    -- Subject: Unit firewall.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit firewall.service has failed.
    --
    -- The result is failed.
    Aug 10 06:09:38 jamm23.jammconsulting.com systemd[1]: Unit firewall.service entered failed state.

Any ideas what is happening here?

Thanks,
Neil

--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses.
No origination fees, quick approval, no credit check.
Hey everyone:

> The process /usr/local/bin/firewall.start could not be executed
> and failed.

I just realized I forgot to put #!/bin/sh at the top of my firewall scripts. I added that and it is working perfectly fine now.

Sorry for any trouble.

Thanks,
Neil

--
Neil Aggarwal, (972) 834-1565
On Sat, Aug 09, 2014 at 10:21:33PM -0500, Neil Aggarwal wrote:
> Hello all:
>
> I did a fresh install of CentOS 7 on a new machine.
>
> I wrote /usr/local/bin/firewall.stop to remove all the firewall rules.
> It contains this code:
> # Flush the rules
> /usr/sbin/iptables -F

You are missing a first line:

    #!/bin/sh

> Aug 10 06:09:38 jamm23.jammconsulting.com systemd[2268]: Failed at step EXEC
> spawning /usr/local/bin/firewall.start: Exec format error

And that's the error expected.

--
rgds
Stephen
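The journal line in this thread is the kernel's side of the story: execve() on a file that is neither an ELF image nor a "#!" script fails with ENOEXEC (errno 8, "Exec format error"), and systemd reports that as status=203/EXEC. A shell run by hand tolerates the missing shebang, which is why the scripts worked manually. The following checker is an added example, not code from the thread or from systemd; the function name check_exec_target and its messages are mine. It covers the missing shebang plus the other common causes of the same 203/EXEC status (missing file, no execute bit, interpreter that does not exist, CRLF on the "#!" line).

```shell
#!/bin/sh
# check_exec_target PATH
# Report the usual reasons systemd logs "Failed at step EXEC ... status=203/EXEC"
# for an ExecStart=/ExecStop= path. Prints each problem on stderr; returns 0 when
# the file looks launchable by execve(), 1 otherwise. (Hypothetical helper.)
check_exec_target() {
    path=$1
    rc=0

    if [ ! -f "$path" ]; then
        echo "$path: no such regular file" >&2
        return 1
    fi
    if [ ! -x "$path" ]; then
        echo "$path: not executable (chmod 755 it)" >&2
        rc=1
    fi

    # execve() accepts an ELF image or a "#!" script; anything else is ENOEXEC (8),
    # which systemd prints as "Exec format error". Read just the first two bytes.
    magic=$(head -c 2 "$path")
    if [ "$magic" = "$(printf '\177E')" ]; then
        return $rc                      # ELF binary: nothing more to check here
    fi
    if [ "$magic" != '#!' ]; then
        echo "$path: no #! line and not an ELF binary (Exec format error)" >&2
        return 1
    fi

    # Shebang present: the kernel resolves the interpreter itself, so it must exist,
    # and a CRLF line ending makes it look for "/bin/sh\r" instead of /bin/sh.
    first=$(head -n 1 "$path")
    case $first in
        *"$(printf '\r')"*)
            echo "$path: CRLF line ending on the #! line" >&2
            rc=1 ;;
    esac
    interp=$(printf '%s\n' "$first" | tr -d '\r' | sed 's/^#![[:space:]]*//' | cut -d' ' -f1)
    if [ ! -x "$interp" ]; then
        echo "$path: interpreter '$interp' missing or not executable" >&2
        rc=1
    fi
    return $rc
}

# Check every path given on the command line, e.g.
#   ./check_exec_target.sh /usr/local/bin/firewall.start /usr/local/bin/firewall.stop
for p in "$@"; do
    check_exec_target "$p"
done
```

Run it against every ExecStart= and ExecStop= path of a unit before the first systemctl start; a clean exit means systemd will at least get past the EXEC step, and any remaining failure will be the script's own exit status rather than 203.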
Try systemctl stop firewalld, I had to disable that too.

Adam King
IT Systems Administrator
Skipton Girls High School
01756 707600
www.sghs.org.uk

----- Original Message -----
From: "Neil Aggarwal" <neil at JAMMConsulting.com>
To: centos at centos.org
Sent: Sunday, August 10, 2014 4:21:33 AM
Subject: [CentOS] Centos 7 - iptables service failed to start
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
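Once the shebang is in place, the script in this thread still applies its policy and rules one iptables call at a time: the DROP policies are set first, then the table is flushed, then ACCEPT rules are appended, and any command that fails partway leaves the box in whatever intermediate state it reached. The following is an added example, not code from the thread: the same ruleset expressed as iptables-restore input so it is committed as one unit. The names valid_ipv4, gen_ruleset and load_ruleset are mine; the conntrack ESTABLISHED,RELATED rules are my addition (the thread's "[ Additional allow rules here ]" is not shown), and the address check exists because ETH0_IP is interpolated into rule text.

```shell
#!/bin/sh
# Atomic variant of the thread's firewall.start: build the ruleset as
# iptables-restore input and commit it in one step. Hypothetical names
# (valid_ipv4, gen_ruleset, load_ruleset), not code from the thread.

# valid_ipv4 ADDR: accept only a dotted quad. The address is interpolated into
# rule text, so anything else (including the placeholder a.b.c.d) is refused
# here instead of being handed to iptables.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ruleset ADDR: print the filter table in iptables-save format. Default
# policies DROP, loopback and ICMP match the thread's script; the conntrack
# rules are added so replies to permitted traffic survive the OUTPUT policy.
gen_ruleset() {
    ip=$1
    valid_ipv4 "$ip" || { echo "gen_ruleset: '$ip' is not an IPv4 address" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -d $ip -p icmp -j ACCEPT
-A OUTPUT -o eth0 -s $ip -p icmp -j ACCEPT
COMMIT
EOF
}

# load_ruleset ADDR: parse first, then commit. iptables-restore replaces the
# table inside a single commit, so there is no window with policy DROP and no
# ACCEPT rules, and a typo in any line leaves the current ruleset untouched.
# Needs root, i.e. run from the unit file. --test is assumed to be present
# (iptables 1.4.20 and later).
load_ruleset() {
    rules=$(gen_ruleset "$1") || return 1
    /usr/sbin/modprobe nf_conntrack_ftp
    printf '%s\n' "$rules" | /usr/sbin/iptables-restore --test || return 1
    printf '%s\n' "$rules" | /usr/sbin/iptables-restore
}

# With an address on the command line, load it; with none, only define the
# functions. In the unit: ExecStart=/usr/local/bin/firewall.start 192.0.2.10
[ $# -eq 0 ] || load_ruleset "$1"
```

Because the unit in the thread is Type=oneshot, a non-zero exit from load_ruleset (bad address, or a rule iptables-restore --test rejects) marks firewall.service failed instead of leaving a half-built table behind. Adam's point about firewalld also applies to this version: on CentOS 7 firewalld is enabled by default and manages the same tables, so stop and disable it (systemctl stop firewalld; systemctl disable firewalld) and, as a belt-and-braces measure, add Conflicts=firewalld.service under [Unit] so the two can never be active together.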