Many CentOS 7 administrators encounter the frustrating scenario where carefully configured iptables rules vanish after a system reboot. The specific case of opening port 3000 for TCP traffic demonstrates this common pain point:
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
service iptables save
chkconfig iptables on
CentOS 7's transition to systemd affects how iptables rules persist. While chkconfig iptables on enables the service, we need to ensure proper rule preservation through these mechanisms:
- The traditional /etc/sysconfig/iptables file
- The systemd service unit configuration
- The proper saving method
Here's the full working approach to make rules permanent:
# Add your rule
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
# Save rules using the correct method
iptables-save > /etc/sysconfig/iptables
# Equivalent, using the helper shipped with iptables-services (writes the same file)
service iptables save
# Enable persistence (iptables.service restores /etc/sysconfig/iptables at boot)
systemctl enable iptables
systemctl start iptables
# Verify the rule reached the persistence file
grep 3000 /etc/sysconfig/iptables
If rules still disappear, check these critical components:
# Verify service status
systemctl status iptables
# Check file permissions
ls -l /etc/sysconfig/iptables
# Examine boot sequence
journalctl -b | grep iptables
# Alternative save location used by some custom restore scripts (note: iptables.service
# only loads /etc/sysconfig/iptables, so a file here needs its own restore step)
iptables-save > /etc/iptables.rules
For complex environments, consider these robust approaches:
# Create custom systemd service
cat > /etc/systemd/system/iptables-load.service <
For firewall-cmd users transitioning to iptables:
# Stop and mask firewalld
systemctl stop firewalld
systemctl mask firewalld
# Install iptables services if missing
yum install iptables-services
Many CentOS 7 administrators encounter this frustrating scenario: you carefully configure your firewall rules using iptables, save them, enable the service, yet after reboot - poof! - your custom rules vanish while the service itself remains enabled.
The standard approach seems logical:
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
service iptables save
chkconfig iptables on
Yet despite seeing the confirmation message "iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]", the rules don't persist. Here's why:
CentOS 7's shift to systemd created some gray areas in service management. While chkconfig iptables on enables the service, it doesn't guarantee rule persistence because:
- The iptables service might load before network interfaces are up
- Firewalld might interfere if installed
- The save/restore mechanism isn't properly triggered
Here's the bulletproof method I've used in production environments:
# 1. Add your rule
iptables -I INPUT -p tcp --dport 3000 -j ACCEPT
# 2. Save current rules to the persistent location
iptables-save > /etc/sysconfig/iptables
# 3. Create and enable a custom systemd service
#    (systemd does not run ExecStart through a shell, so "<" redirection would be
#    passed to iptables-restore literally; give it the file as an argument instead.
#    If iptables.service from iptables-services is also enabled, this unit is redundant.)
cat > /etc/systemd/system/iptables-persistent.service << 'EOF'
[Unit]
Description=iptables persistent configuration
After=network.target

[Service]
Type=oneshot
# Keep the unit "active" after the restore so a second start does not re-run it
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore /etc/sysconfig/iptables

[Install]
WantedBy=multi-user.target
EOF
# 4. Enable and start the service
systemctl daemon-reload
systemctl enable iptables-persistent
systemctl start iptables-persistent
After implementing this solution:
# Check rules are loaded
iptables -L -n
# Simulate a reboot
# (stopping a oneshot unit does not flush the kernel ruleset, so this only proves the
#  unit restarts cleanly; a real reboot is the definitive test)
systemctl stop iptables-persistent
systemctl start iptables-persistent
iptables -L -n | grep 3000
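Before rebooting it is worth checking the saved file itself, not just the live ruleset. The script below is an added example, not part of the article: it reads an iptables-save dump such as /etc/sysconfig/iptables without root and checks that it is complete, that it opens the given port in INPUT, and, going one step beyond the text, that the ACCEPT is not shadowed by a catch-all REJECT/DROP placed earlier in the chain (the reason the article inserts with -I rather than appending with -A). FILE, PROTO and PORT are assumed caller-supplied.

```shell
# Added example (not from the article): offline sanity checks on a saved
# iptables ruleset before trusting it to survive a reboot. Only reads the
# file, so no root is needed. FILE, PROTO and PORT come from the caller.

# 0 if FILE is a complete iptables-save dump: each "*table" header has a
# matching COMMIT, so iptables-restore will not stop half-way on boot.
saved_file_is_complete() {
    file=$1
    [ -r "$file" ] || return 1
    tables=$(grep -c '^\*[a-z]' "$file")
    commits=$(grep -c '^COMMIT$' "$file")
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# 0 if FILE carries an ACCEPT for PROTO/PORT in the INPUT chain, in the
# form iptables-save writes it ("-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT").
saved_file_accepts_port() {
    file=$1 proto=$2 port=$3
    grep -Eq "^-A INPUT( .*)? -p $proto( .*)? --dport $port( .*)? -j ACCEPT" "$file"
}

# 0 if that ACCEPT precedes every catch-all "-A INPUT -j REJECT/DROP". A rule
# appended after the catch-all is saved faithfully but can never match.
saved_rule_is_reachable() {
    file=$1 proto=$2 port=$3
    awk -v proto="$proto" -v port="$port" '
        /^-A INPUT -j (REJECT|DROP)/ { if (!found) exit 1 }
        /^-A INPUT / && $0 ~ ("-p " proto) && $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# Run all checks, print what failed, return the number of failures.
check_saved_rules() {
    file=$1 proto=$2 port=$3 failures=0
    saved_file_is_complete "$file" ||
        { echo "incomplete or unreadable ruleset: $file"; failures=$((failures + 1)); }
    saved_file_accepts_port "$file" "$proto" "$port" ||
        { echo "no ACCEPT for $proto/$port in INPUT"; failures=$((failures + 1)); }
    saved_rule_is_reachable "$file" "$proto" "$port" ||
        { echo "ACCEPT for $proto/$port is shadowed by a catch-all REJECT/DROP"; failures=$((failures + 1)); }
    return "$failures"
}

# Usage: sh check_saved_rules.sh /etc/sysconfig/iptables tcp 3000
if [ $# -ge 1 ]; then
    check_saved_rules "$1" "${2:-tcp}" "${3:-3000}"
fi
```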
If you prefer using the official packages:
yum install iptables-services
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables
systemctl start iptables
Then use iptables-save > /etc/sysconfig/iptables after making changes.
- Always test rules before making them persistent
- Maintain a backup of /etc/sysconfig/iptables
- Consider using iptables-apply for safer rule testing
- Document all custom rules with comments in the iptables file