iptables restart hangs

Chris Miller fedora at gammanetworking.com
Tue Feb 22 23:26:38 UTC 2005 

On Tue, 2005-02-22 at 16:47, Aleksandar Milivojevic wrote:
> Chris Miller wrote:
> > [root at sea-fw1 ~]# /etc/init.d/iptables condrestart
> > Flushing firewall rules:                                   [  OK  ]
> > Setting chains to policy ACCEPT: filter nat                [  OK  ]
> > Unloading iptables modules: 
> > 
> > Hangs there and never moves on.
> 
> Are you really sure you want to do everything that iptables script does 
> when restarting?
> 
> While it might seem cleaner to completely reset firewall each time you 
> change its configuration, it has some dirty consequences.
> 
> By unloading nat (and related) contrack modules, you will loose all 
> connection tracking information.  While in some cases this might be just 
> what you wanted to do, usually you don't want to affect existing 
> connections.  Imagine the frustration of somebody who was downloading 
> 3GB DVD image from your FTP server.  And than you restarted your 
> firewall when his transfer was almost complete.  His connection becomes 
> history.  Now imagine you had 20 such users doing transfers at the time 
> firewall was restarted.
> 
> Also, have in mind that by doing /etc/init.d/iptables restart, there 
> will be that small window when you do not have any firewall, and a very 
> short period when you have firewall with no rules at all.  If there's an 
> error in new /etc/sysconfig/iptables file, you'll be left with firewall 
> with no rules loaded.
> 
> If you are using /etc/sysconfig/iptables file to store your firewall 
> config, just do:
> 
> # iptables-restore /etc/sysconfig/iptables
> 
> This will load rules into the kernel, while preserving all state 
> information that existed previously (because contrack module is not 
> unloaded).
> 
> By doing iptables-restore, the new rules will simply replace the old 
> rules in your running firewall in a single atomic operation.  If loading 
> of new rules fails, the old rules stay in effect.  Your firewall is all 
> the time up, running and fully operational.
> 
> -- 
> Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
> Systems Administrator                           1499 Buffalo Place
> Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7



That helps more then you will ever know.  Thank you.

More information about the fedora-list mailing list