IPTables doesn't restart

Pete Nesbitt pete at linux1.ca
Wed Dec 8 05:10:46 UTC 2004


On December 7, 2004 01:45 pm, Nathaniel Hall wrote:
> I am running an RHAS3 firewall with IPTables.  When I restart IPTables,
> I get kicked out of my SSH session and everybody around campus gets
> kicked out of telnet.  Once I have been kicked out, I cannot re-login
> via SSH.
>
> When I get to the local console of the firewall, I am able to login with
> no prob and restart IPTables with all succeeds and everything goes back
> to normal.  I took a look at /var/log/messages and here is what I get:
>
>     /Start of IPTables restart/
>     Dec  7 14:58:44 cs-fw iptables:  succeeded
>     Dec  7 14:58:44 cs-fw last message repeated 2 times
>     Dec  7 14:58:44 cs-fw sshd(pam_unix)[21325]: session closed for user
> root
>     Dec  7 15:03:29 cs-fw login(pam_unix)[16534]: session opened for
> user root by LOGIN(uid=0)
>     Dec  7 15:03:29 cs-fw  -- root[16534]: ROOT LOGIN ON tty1
>     Dec  7 15:03:32 cs-fw kernel: ip_tables: (C) 2000-2002 Netfilter
> core team
>     Dec  7 15:03:32 cs-fw kernel: ip_conntrack version 2.1 (8191
> buckets, 65528 max) - 304 bytes per conntrack
>     Dec  7 15:03:32 cs-fw iptables:  succeeded
>     Dec  7 15:03:32 cs-fw iptables:  succeeded
>     /End of second IPTables restart/
>
> Any ideas?
>
> --
>
> Nathaniel Hall, GSEC
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
>
> halln at otc.edu
> 417-447-7535

I do remotely restart iptables anytime I make changes and have only lost 
connectivity in two cases:
1) when I made a typo that blocked ssh, but the current session still 
continued, just new connections were refused.
2) when I needed an update of the initscripts rpm (can't remember the RH ver, 
el2.1 maybe).  iptables would start and immediately exit. A temporary fix, 
till I got the updated package, was to add a second restart of iptables in 
rc.local, that way if the machine was rebooted, iptables would survive and I 
could remotely access the system. 

I just restarted iptables on my fw via ssh and the only log entry was:
Dec  7 20:48:52 d207-216-10-152 iptables:  succeeded

Make sure iptables & initscripts are both up2date.
Log into the console and run iptables -L to see if it is allowing anything 
(before restarting iptables).
What are you using for scripts (and/or frontend)?
How long does an iptables restart take? It should not be long enough to cause a 
timeout in an ssh session. (have you modified sshd_config?)

-- 
Pete Nesbitt, rhce
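The advice above boils down to two checks before restarting the firewall over ssh: the rule set must let the admin's existing session keep flowing (a state rule accepting ESTABLISHED traffic) and must admit new connections to tcp/22, otherwise a DROP policy on INPUT cuts everyone off exactly as the original post describes. The script below is an added example written for this thread, not code from either poster or from Red Hat: `check_ruleset` runs those two checks offline against text in iptables-save format (the same format the Red Hat init script loads from /etc/sysconfig/iptables), and `guarded_restart` wraps the restart in a timed rollback so a bad rule set reverts itself. The two sample rule sets are constructed for the demonstration; the `service iptables restart`, `iptables-save` and `iptables-restore` invocations assume the stock Red Hat tooling and are not executed when the file is merely sourced.

```shell
#!/bin/sh
# Added example for the redhat-list thread above; not from the original posts.

# Constructed sample rule sets in iptables-save format (not from the thread).
# The first keeps remote admins connected; the second would lock them out.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'

# check_ruleset: reads iptables-save text on stdin; returns 0 when the INPUT
# chain keeps existing sessions alive and admits new ssh logins, 1 otherwise.
check_ruleset() {
    rules=$(cat)
    # Chain policy line looks like ":INPUT DROP [0:0]"; field 2 is the policy.
    policy=$(printf '%s\n' "$rules" | awk '$1 == ":INPUT" { print $2 }')
    if [ "$policy" = "ACCEPT" ]; then
        return 0   # a permissive default cannot lock anyone out
    fi
    ok=0
    # Existing sessions (the admin's own ssh) survive a restart only if a
    # state/conntrack rule accepts ESTABLISHED packets.
    printf '%s\n' "$rules" \
        | grep -Eq -e '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' \
        || ok=1
    # New ssh logins need an explicit accept for tcp/22.
    printf '%s\n' "$rules" \
        | grep -Eq -e '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' \
        || ok=1
    return $ok
}

# check_file FILE: same check against a saved rule file, e.g. the one the
# Red Hat init script loads (/etc/sysconfig/iptables).
check_file() {
    check_ruleset < "$1"
}

# guarded_restart [SECONDS]: snapshot the live rules, restart the service and
# reload the snapshot after SECONDS unless the admin cancels the timer from a
# still-working session. Assumes the Red Hat "service iptables" init script.
guarded_restart() {
    secs=${1:-120}
    snap=$(mktemp /tmp/iptables-snap.XXXXXX) || return 1
    iptables-save > "$snap" || return 1
    marker="$snap.pending"
    : > "$marker"
    # The timer runs under nohup so it outlives an ssh session that gets cut.
    nohup sh -c "sleep $secs; [ -e '$marker' ] && iptables-restore < '$snap'; rm -f '$marker'" \
        >/dev/null 2>&1 &
    service iptables restart
    echo "Still connected? Cancel the rollback with: rm -f $marker"
}

# Usage when run directly (skipped when sourced for the checks alone):
# printf '%s\n' "$SAMPLE_GOOD" | check_ruleset && echo "rule set keeps ssh open"
# check_file /etc/sysconfig/iptables || echo "refusing to restart remotely"
```

Run `check_file /etc/sysconfig/iptables` from the console before the next remote restart; if it fails, the rule set is the reason the sessions drop, and adding the ESTABLISHED,RELATED and tcp/22 accepts near the top of INPUT is the fix. `guarded_restart` is for the case where the check passes and the sessions still drop (the initscripts bug described above): if nobody removes the marker within the timeout, the previous rules come back on their own.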




More information about the redhat-list mailing list