iptables restart hangs

Robert Locke lists at ralii.com
Wed Feb 23 21:48:51 UTC 2005


On Wed, 2005-02-23 at 11:17 -0500, Ian P. Thomas wrote:
> On Wed, 2005-02-23 at 08:35 -0600, Aleksandar Milivojevic wrote:
> > Bernd Radinger wrote:
> > > in /etc/sysconfig/iptables-config change the configuration to:
> > > 
> > > IPTABLES_MODULES_UNLOAD="no"
> > > 
> > > I was told that fixes the problem
> > 
> > It probably will, since he was hanging on module unload.  It will also
> > preserve connection tracking information.  However, even with that
> > option set, "iptables restart" will still flush all rules, set default
> > policy to accept, and then start the firewall from scratch (so you will be
> > wide open for that small time window, enough for a packet or two to pass
> > by, which is sometimes all it takes to break into the machine).  It is
> > usually better to simply load new rules.  And you can't use "iptables
> > start" either, because it is doing the same thing (basically, "start"
> > and "restart" are effectively the same, with "restart" having an option
> > to save fw rules before stopping the firewall).
> > 
> > I've raised some concerns some time ago on bugzilla about the iptables
> > script and proposed (if I remember correctly) that either "start"
> > shouldn't be unloading firewall rules, or that a new option for "restart"
> > be implemented (that would only load new rules).  I was told that
> > there's no value in doing that since the time window is too small (not
> > really, if the firewall is under attack from inside and the (inside) attacker
> > can guess the approx. time when the firewall is to be restarted), and to modify
> > my local iptables scripts if I don't like the way it is currently done.
> 
> I have to agree with you here.  I think there are a few problems with
> the current script the way it is.  The first being setting the policy
> to ACCEPT when 'restart' is called through the call to 'stop'.  I'm
> going to change the procedures executed when the 'restart' case is
> executed from 'save', 'stop', 'start' to 'save', 'restart'.  Of course
> I'll have to write 'restart', but that doesn't seem too hard.
> 
> Ideally, a restart should preserve existing connections, while denying
> all other packets during the brief amount of time in which the rule set
> is being reloaded.  I'll post my addition to the list when I finish it.
> 
> 
> Ian
> 

Actually, what you are describing is normally reserved for "reload", not
"restart".  "restart" is generally for a stop and start - which in the
context of iptables seems to be doing what is expected, though, perhaps,
not what is desired.

So here is a patch file to add a "reload" option to the iptables script
file in /etc/rc.d/init.d/....  Your mileage may vary, but it follows the
earlier recommendation of doing an iptables-restore....  To do what you
were looking for earlier, do a "service iptables reload"

It seemed to work on my machine (FC3), but your mileage may vary....

HTH,

--Rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables.addreload.patch
Type: text/x-patch
Size: 864 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20050223/da249db9/attachment-0001.bin>
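The scrubbed patch is not in the archive, so the following is an added example of the kind of "reload" step Rob describes, not his patch or the Fedora init script: it loads the saved ruleset with iptables-restore, which replaces each table in a single commit, so the running firewall is never flushed to an ACCEPT policy the way stop+start does. /etc/sysconfig/iptables is the Fedora default rules path; the RESTORE_CMD hook is a constructed convenience so the function can be exercised without root.

```shell
#!/bin/sh
# Added example (not the original patch): a "reload" action for an iptables
# init script that uses iptables-restore instead of stop + start.

IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
# Command that loads the ruleset. Overridable (constructed hook, not part of
# the real init script) so the logic can be tested without netfilter access.
RESTORE_CMD=${RESTORE_CMD:-iptables-restore}

# reload_rules [FILE]
#   Loads FILE (default: IPTABLES_DATA) without first flushing the rules or
#   resetting the policy to ACCEPT. iptables-restore assembles each table in
#   userspace and swaps it in at its COMMIT line, so there is no window in
#   which the old rules are gone and the new ones are not yet in place.
reload_rules() {
    file=${1:-$IPTABLES_DATA}
    if [ ! -r "$file" ]; then
        echo "reload: cannot read $file" >&2
        return 1
    fi
    # A saved ruleset always ends a table with COMMIT; a truncated file would
    # be parsed up to the cut and leave that table untouched, so reject it
    # rather than half-apply it.
    if ! grep -q '^COMMIT' "$file"; then
        echo "reload: $file is not a saved iptables ruleset" >&2
        return 1
    fi
    # -c also restores the packet/byte counters written by "iptables-save -c".
    # On failure the tables not yet committed keep their previous rules, so
    # the host is never left wide open as it is after "stop".
    if $RESTORE_CMD -c < "$file"; then
        echo "Applying iptables firewall rules from $file"
        return 0
    fi
    echo "reload: iptables-restore failed; previous rules remain active" >&2
    return 1
}
```

In the init script this would be dispatched from a new `reload)` case, so `service iptables reload` replaces the save/stop/start sequence of `restart`.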

