We're running the CA API Gateway version 8.0 (formally Layer 7 Gateway). After a new machine was provisioned I noted the /etc/sysconfig/iptables file looked messed up. In all our other gateways That file has a header like:
# Layer 7 supplied iptables config for the SecureSpan Gateway Appliance
# Modification of this file is not recommended
# as our system manipulates these rules live
# This is a drop all system
# If the port and/or interface doesn't explicity allow the packet
# the packet is dropped.
# Network Design:
# In a single network installation, all communication is via eth0
# In a double network ETH1 is PUBLIC side and ETH0 is PRIVATE side
# In a triple network ETH1 is PUBLIC side, ETH0 is MANAGEMENT network, ETH2 is PRIVATE side
# DNS, NTP must be on one of MANAGMENT or PRIVATE networks
# Almost all dropped packets are logged as Badflags: in syslog, but this
# is also rate limited to prevent filling the hard disk
Followed by a list of rules nicely sectioned out. In the new gateway the file looks like:
# Generated by iptables-save v1.4.7 on Wed Mar 23 08:37:22 2016
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:badflags - [0:0]
:portdrop - [0:0]
Followed by a list of rules with no sectioning.
I'm wondering, when does this file get rewritten by the gateway? Or is my hunch correct that this gateway wasn't provisioned correctly or that the iptables somehow got corrupted?
I'm unsure if your iptables file is corrupted or not, the section you posted looks ok but the gateway does not write to this file, instead, as it starts up it will add the rules defined from within the policy manager and when it shuts down it removes the rules. You would not expect to see them added to this file.
Does this information help you?