
When are iptables rewritten in CA API Gateway?

Question asked by majoras_masque on Jul 7, 2016
Latest reply on Jul 11, 2016 by ChristopherClark

We're running the CA API Gateway version 8.0 (formerly Layer 7 Gateway). After a new machine was provisioned I noted the /etc/sysconfig/iptables file looked messed up. In all our other gateways that file has a header like:

# Layer 7 supplied iptables config for the SecureSpan Gateway Appliance
# /etc/sysconfig/iptables
# Modification of this file is not recommended
# as our system manipulates these rules live
#
# Design:
# This is a drop all system
#
# If the port and/or interface doesn't explicitly allow the packet
# the packet is dropped.
#
# Network Design:
# In a single network installation, all communication is via eth0
# In a double network ETH1 is PUBLIC side and ETH0 is PRIVATE side
# In a triple network ETH1 is PUBLIC side, ETH0 is MANAGEMENT network, ETH2 is PRIVATE side
# DNS, NTP must be on one of MANAGEMENT or PRIVATE networks
#
# Almost all dropped packets are logged as Badflags: in syslog, but this
# is also rate limited to prevent filling the hard disk

Followed by a list of rules nicely sectioned out. In the new gateway the file looks like:

# Generated by iptables-save v1.4.7 on Wed Mar 23 08:37:22 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:badflags - [0:0]
:portdrop - [0:0]

Followed by a list of rules with no sectioning.

I'm wondering, when does this file get rewritten by the gateway? Or is my hunch correct that this gateway wasn't provisioned correctly or that the iptables somehow got corrupted?
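A check that follows from the two headers quoted above, added here as an example and not code from the thread or from CA/Layer 7. The "# Generated by iptables-save ..." line is the header that the iptables-save tool itself writes (on RHEL/CentOS 6, "service iptables save" writes /etc/sysconfig/iptables through iptables-save), so a file that begins that way has been regenerated from the live ruleset, which is also why the vendor comments and sectioning are gone. The script below classifies a file by its header and compares two rule dumps after stripping comments and packet/byte counters, so that a saved file can be checked against the live rules (iptables-save > /tmp/live.rules). The function names and the sample files written by write_samples are assumptions constructed for the example; the samples are deliberately tiny and are not the gateway's real ruleset.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names and sample
# rulesets are constructed for illustration only.

# Report which kind of /etc/sysconfig/iptables this is:
#   layer7-template  - carries the vendor header quoted in the thread
#   iptables-save    - raw output of iptables-save / "service iptables save"
#   unknown          - neither marker found
classify_iptables_file() {
    file="$1"
    if grep -q '^# Layer 7 supplied iptables config' "$file"; then
        echo layer7-template
    elif head -n 1 "$file" | grep -q '^# Generated by iptables-save'; then
        echo iptables-save
    else
        echo unknown
    fi
}

# Reduce a ruleset to its rule content: drop comment lines, the [pkts:bytes]
# counters on chain and rule lines, and surrounding whitespace/blank lines.
# Rule order is preserved because order is significant in iptables.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/[[:space:]]*\[[0-9]*:[0-9]*][[:space:]]*/ /g' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# Exit 0 when two dumps contain the same rules, 1 when they differ.
rules_match() {
    a=$(normalize_rules "$1")
    b=$(normalize_rules "$2")
    [ "$a" = "$b" ]
}

# Write three constructed sample files into DIR (assumed content, for the demo):
# template.rules - vendor-style file, saved.rules - same rules after
# iptables-save, drifted.rules - iptables-save output missing one ACCEPT rule.
write_samples() {
    dir="$1"
    cat > "$dir/template.rules" <<'EOF'
# Layer 7 supplied iptables config for the SecureSpan Gateway Appliance
# /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:badflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -j badflags
COMMIT
EOF
    cat > "$dir/saved.rules" <<'EOF'
# Generated by iptables-save v1.4.7 on Wed Mar 23 08:37:22 2016
*filter
:INPUT DROP [12:3456]
:badflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 8443 -j ACCEPT
-A INPUT -j badflags
COMMIT
# Completed on Wed Mar 23 08:37:22 2016
EOF
    cat > "$dir/drifted.rules" <<'EOF'
# Generated by iptables-save v1.4.7 on Wed Mar 23 08:37:22 2016
*filter
:INPUT DROP [12:3456]
:badflags - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j badflags
COMMIT
# Completed on Wed Mar 23 08:37:22 2016
EOF
}

# Direct use: sh check-iptables.sh /etc/sysconfig/iptables [/tmp/live.rules]
if [ $# -ge 1 ]; then
    classify_iptables_file "$1"
    if [ $# -ge 2 ]; then
        if rules_match "$1" "$2"; then
            echo "saved file matches live rules"
        else
            echo "saved file differs from live rules"
        fi
    fi
fi
```

On a gateway, run "iptables-save > /tmp/live.rules" first and pass both paths; a saved file that classifies as iptables-save but still matches the live rules has only lost its comments, whereas a mismatch (or a file with ACCEPT default policies where the vendor header says drop-all) is the point at which to compare the box against a known-good gateway before trusting it.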