I have an FC6 install that is running Qmailtoaster. The QMT install made sure all firewalls were off and installed IPtables and put in a default config. Linux firewall and SElinux are both off.

To do some remote admin, I installed Webmin which uses ports 10000 and 20000. So far so good. Everything works fine. Until...

I installed Splunk to have a human readable set of logs. This uses port 8000. I used Webmin to add the port. I activate the new config and everything is happy. Until... About 15 minutes or so, the iptables config reverts back to some older config! I checked the /etc/sysconfig/iptables and the correct config with 8000 is there but if I do iptables -L -n and port 8000 is NOT in the list. If I do an iptables restart then look at iptables -L -n the port is back! Just for grins, I manually added a few random ports into the config file and the same thing happens, they are active for a little while but then the running config reverts to an older version.

Where is it getting the older config from and what mechanism is flushing this? Is there some security piece that resets iptables?

I've been playing with this for weeks now and am no closer to an answer.

Thanks
Phil