How to Persist iptables Rules on RHEL 7: Configuration Saving Methods


When working with Red Hat Enterprise Linux 7, many admins encounter a frustrating scenario where their carefully configured iptables rules disappear after system reboots. Unlike RHEL 6 with its straightforward /sbin/service iptables save command, RHEL 7's transition to systemd requires different approaches.

The error message you're seeing:

The service command supports only basic LSB actions...
For other actions, please try to use systemctl.

indicates that RHEL 7 has moved away from the traditional SysV init system to systemd. This architectural change affects how we manage services and configurations.

Here are three reliable methods to save your iptables rules permanently:

Method 1: Using the iptables-services Package

First, ensure the necessary package is installed:

yum install iptables-services

Then enable and save your rules:

systemctl enable iptables
iptables-save > /etc/sysconfig/iptables
systemctl start iptables

Method 2: Manual Save and Restore

For more control, use these commands:

# Save current rules
iptables-save > /etc/sysconfig/iptables

# To restore after reboot:
iptables-restore < /etc/sysconfig/iptables

Method 3: Creating a systemd Service

Create a custom service to load rules at boot:

# Create the service file (write the heredoc to the unit path; a quoted
# delimiter keeps the contents literal)
cat > /etc/systemd/system/iptables-restore.service << 'EOF'
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/sysconfig/iptables

[Install]
WantedBy=multi-user.target
EOF

# Enable and start the service
systemctl enable iptables-restore
systemctl start iptables-restore

After implementing any method, verify with:

iptables -L -n -v
systemctl status iptables

If you see firewalld inactive (as in your status output), you're clear to use iptables directly. However, if firewalld was active, you'd need to either:

  • Stop and disable firewalld completely
  • Configure firewalld to work with your iptables rules

The choice depends on whether you want to fully migrate to iptables or maintain some firewalld functionality.

For enterprise environments:

  • Document all rules with comments, e.g. iptables -A INPUT -p tcp --dport 22 -m comment --comment "Allow SSH" -j ACCEPT
  • Maintain rule backups: cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak_$(date +%F)
  • Test rule loading with iptables-restore -t < /etc/sysconfig/iptables before rebooting

If rules still don't persist:

# Check if the iptables service is enabled
systemctl is-enabled iptables

# Verify file permissions
ls -l /etc/sysconfig/iptables

# Check for syntax errors without touching the live ruleset (-t / --test only parses)
iptables-restore -t < /etc/sysconfig/iptables
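The save, test-before-write and backup steps above can be combined into one guarded routine. This is an added example, not part of the original article; the function names are its own, the paths are the ones the article uses, and persist_rules assumes root and the iptables-services layout.

```shell
#!/bin/sh
# Added example: persist the live ruleset to /etc/sysconfig/iptables, but only
# after it passes a structural check and iptables-restore --test, and only if
# firewalld is not the active firewall. Refuses rather than clobbers on error.
RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# rules_file_sane FILE: offline check of an iptables-save dump. Every *table
# section must be closed by a COMMIT line and at least one table must exist.
# Catches truncated dumps (e.g. a save interrupted mid-write) without root.
rules_file_sane() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# backup_name FILE: timestamped backup path, matching the article's cp line.
backup_name() {
    printf '%s.bak_%s\n' "$1" "$(date +%F)"
}

# persist_rules: dump the live rules to a temp file, validate, back up the
# previous saved file, then install the new one with root-only permissions.
persist_rules() {
    if systemctl is-active --quiet firewalld; then
        echo "firewalld is active; stop and disable it before saving" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    iptables-save > "$tmp" || { rm -f "$tmp"; return 1; }
    rules_file_sane "$tmp" || { echo "dump looks malformed, not saving" >&2; rm -f "$tmp"; return 1; }
    iptables-restore --test < "$tmp" || { rm -f "$tmp"; return 1; }
    [ -f "$RULES_FILE" ] && cp -p "$RULES_FILE" "$(backup_name "$RULES_FILE")"
    install -m 0600 "$tmp" "$RULES_FILE" && rm -f "$tmp"
}
```

Run persist_rules as root after each rule change; it exits non-zero, leaving the old saved file untouched, whenever any check fails.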

Unlike RHEL 6, which used the traditional service iptables save approach, RHEL 7 introduced systemd and changed how services are managed. The key difference:

# RHEL 6 way (obsolete in RHEL 7):
service iptables save

# RHEL 7 requires different handling

The correct approach involves using the iptables-services package:

# Install the service package if missing
yum install iptables-services -y

# Enable the service (critical step)
systemctl enable iptables

# Save current rules
service iptables save
# OR alternatively:
/usr/libexec/iptables/iptables.init save

Check where rules are stored and verify persistence:

# Rule storage location
ls -l /etc/sysconfig/iptables

# Test by rebooting, then checking rules
iptables -L -n -v

For complex environments, consider these alternatives:

# Manual save to custom file
iptables-save > /etc/iptables.rules

# Restore with:
iptables-restore < /etc/iptables.rules

# Make it persistent via rc.local:
echo "iptables-restore < /etc/iptables.rules" >> /etc/rc.local
chmod +x /etc/rc.local

If rules still don't persist:

  1. Ensure no other firewall service (like firewalld) is running
  2. Verify iptables service is enabled: systemctl is-enabled iptables
  3. Check for syntax errors in rules file

When moving from RHEL 6 to RHEL 7:

# Preserve existing rules during upgrade
iptables-save > /root/iptables-backup.pre-upgrade

# Restore after upgrade
iptables-restore < /root/iptables-backup.pre-upgrade
service iptables save