Anybody on here successfully get ipset iptables sets to work _after_ a reboot?

My question on StackExchange:
http://unix.stackexchange.com/questions/149536/upon-bootup-all-iptables-are-lost-because-the-kernel-module-ip-set-is-not-loade

Some of the things that need to be in place, otherwise iptables does not load:

1.) The kernel module ip_set needs to be loaded.
2.) The "sets" need to be created.
3.) Only after 1 and 2 succeed, dare start up iptables.
Eero Volotinen
2014-Aug-10 19:48 UTC
[CentOS] ipset module loaded at startup on CentOS 6.5
Is it really a kernel module?

On 10.8.2014 22.18, "Rob Townley" <rob.townley at gmail.com> wrote:
> Anybody on here successfully get ipset iptables sets to work _after_ a reboot?
> My question on StackExchange
> http://unix.stackexchange.com/questions/149536/upon-bootup-all-iptables-are-lost-because-the-kernel-module-ip-set-is-not-loade
> Some of the things that need to be in place, otherwise iptables does not load:
> 1.) The kernel module ip_set needs to be loaded.
> 2.) The "sets" need to be created.
> 3.) Only after 1 and 2 succeed, dare start up iptables.
Eero Volotinen
2014-Aug-10 20:16 UTC
[CentOS] ipset module loaded at startup on CentOS 6.5
ipset is not a kernel module, so do not try to load it as a kernel or iptables module.

--
Eero

2014-08-10 22:18 GMT+03:00 Rob Townley <rob.townley at gmail.com>:
> Anybody on here successfully get ipset iptables sets to work _after_ a reboot?
> My question on StackExchange
> http://unix.stackexchange.com/questions/149536/upon-bootup-all-iptables-are-lost-because-the-kernel-module-ip-set-is-not-loade
> Some of the things that need to be in place, otherwise iptables does not load:
> 1.) The kernel module ip_set needs to be loaded.
> 2.) The "sets" need to be created.
> 3.) Only after 1 and 2 succeed, dare start up iptables.
On 08/10/2014 02:18 PM, Rob Townley wrote:
> Anybody on here successfully get ipset iptables sets to work _after_ a reboot?

Here's an init script that I wrote for CentOS 6. (systemd haters can take note of how much easier it would have been to write a unit file.)

--
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================

-------------- next part --------------
#!/bin/bash
#
# ipset-state    Restore ipset state
#
# chkconfig: 2345 07 93
# description: Restores (and saves) ipset state
#
# config: /etc/sysconfig/ipset-state
#
### BEGIN INIT INFO
# Provides: ipset-state
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: restore (and save) ipset state
# Description: restore (and save) ipset state
### END INIT INFO

# Source function library
. /etc/init.d/functions

STATE_FILE=/etc/sysconfig/ipset-state

# only usable by root
[ $EUID = 0 ] || exit 4

if [ ! -x /usr/sbin/ipset ]; then
    echo -n "ipset-state: /usr/sbin/ipset does not exist."; warning; echo
    exit 4
fi

start() {
    touch /var/lock/subsys/ipset-state
    # Warn if sets already exist
    if [ -n "`/usr/sbin/ipset list -name`" ]; then
        echo -n "ipset-state: IP sets already exist."; warning; echo
    fi
    # Warn if there is no config file
    if [ ! -f "$STATE_FILE" ]; then
        echo -n "ipset-state: No saved IP set state to restore."; warning; echo
        return 0
    fi
    echo -n "ipset-state: Loading saved IP set state: "
    /usr/sbin/ipset -exist restore < "$STATE_FILE"
    ret=$?
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

save() {
    echo -n "ipset-state: Saving IP set state: "
    /usr/sbin/ipset save > "$STATE_FILE"
    ret=$?
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

stop() {
    save
    ret=$?
    rm -f /var/lock/subsys/ipset-state
    return $ret
}

status() {
    echo "ipset-state: IP sets:"
    /usr/sbin/ipset list -name | /bin/sed 's/^/  /'
    if [ -f /var/lock/subsys/ipset-state ]; then
        echo "ipset-state: Subsystem locked."
        return 0
    else
        echo "ipset-state: Subsystem NOT locked."
        return 3
    fi
}

restart() {
    echo -n "ipset-state: Flushing all IP sets: "
    /usr/sbin/ipset flush && success || failure
    echo
    echo -n "ipset-state: Destroying all IP sets: "
    /usr/sbin/ipset -quiet destroy && success || failure
    echo
    start
    return $?
}

case "$1" in
    start)
        [ -f /var/lock/subsys/ipset-state ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        stop
        RETVAL=$?
        ;;
    restart|reload|force-reload)
        restart
        RETVAL=$?
        ;;
    condrestart|try-restart)
        [ ! -f /var/lock/subsys/ipset-state ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        # Usage text corrected from "ipt-state" to match the script's own name
        echo "Usage: ipset-state {start|stop|restart|condrestart|status|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL
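Added example, not code from this thread or from the ipset project: a shell check that makes the ordering in Rob's three steps explicit by refusing to run iptables-restore until the saved ipset state actually creates every set the rules reference, since a rule using "-m set --match-set NAME" is what fails when NAME is absent. The sample `ipset save` and `iptables-save` contents are constructed, and the paths /sbin/modprobe, /usr/sbin/ipset and /sbin/iptables-restore are assumed CentOS 6 locations.

```shell
#!/bin/bash
# Added example (not from the thread): gate the iptables restore on the ipset
# state, so a missing set is reported instead of silently losing all rules.

# Constructed sample of `ipset save` output (what /etc/sysconfig/ipset-state
# would hold); set names and addresses are made up for the example.
IPSET_STATE='create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
add blocklist 192.0.2.11
create admins hash:net family inet hashsize 1024 maxelem 65536
add admins 198.51.100.0/24'

# Constructed sample of `iptables-save` output; "tor_exits" is referenced but
# never created, reproducing the failure the thread describes.
IPTABLES_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -m set --match-set blocklist src -j DROP
-A INPUT -p tcp --dport 22 -m set --match-set admins src -j ACCEPT
-A INPUT -m set --match-set tor_exits src -j DROP
COMMIT'

# missing_sets RULES STATE: print each set name the rules reference that the
# state does not create. Returns 0 when nothing is missing, 1 otherwise.
missing_sets() {
    local rules="$1" state="$2" defined referenced name rc=0
    defined=$(printf '%s\n' "$state" | awk '$1 == "create" { print $2 }')
    referenced=$(printf '%s\n' "$rules" \
        | grep -oE -- '--match-set[[:space:]]+[^[:space:]]+' \
        | awk '{ print $2 }' | sort -u)
    for name in $referenced; do
        if ! printf '%s\n' "$defined" | grep -qx -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# restore_in_order STATE_FILE RULES_FILE: the boot sequence from the thread,
# gated on the check above. Needs root and the assumed CentOS 6 paths.
restore_in_order() {
    local state_file="$1" rules_file="$2" missing
    /sbin/modprobe ip_set || return 1                          # 1. module
    /usr/sbin/ipset -exist restore < "$state_file" || return 1 # 2. sets
    missing=$(missing_sets "$(cat "$rules_file")" "$(cat "$state_file")") \
        || { echo "ipset-state: missing sets: $missing" >&2; return 1; }
    /sbin/iptables-restore < "$rules_file"                     # 3. rules
}
```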