iptables restart hangs
Robert Locke
lists at ralii.com
Wed Feb 23 21:48:51 UTC 2005
On Wed, 2005-02-23 at 11:17 -0500, Ian P. Thomas wrote:
> On Wed, 2005-02-23 at 08:35 -0600, Aleksandar Milivojevic wrote:
> > Bernd Radinger wrote:
> > > in /etc/sysconfig/iptables-config change the configuration to:
> > >
> > > IPTABLES_MODULES_UNLOAD="no"
> > >
> > > I was told that fixes the problem
> >
> > It probably will, since he was hanging on module unload. It will also
> > preserve connection tracking information. However, even with that
> > option set, "iptables restart" will still flush all rules, set default
> > policy to accept, and then start firewall from scratch (so you will be
> > wide open for that small time window, enough for a packet or two to pass
> > by, which is sometimes all it takes to break into the machine). It is
> > usually better to simply load new rules. And you can't use "iptables
> > start" either, because it is doing the same thing (basically, "start"
> > and "restart" are effectively the same, with "restart" having an option
> > to save fw rules before stopping the firewall).
> >
> > I've raised some concerns some time ago on bugzilla about iptables
> > script and proposed (if I remember correctly) that either "start"
> > shouldn't be unloading firewall rules, or that new option for "restart"
> > be implemented (that would only load new rules). I was told that
> > there's no value in doing that since time window is too small (not
> > really, if firewall is under attack from inside and (inside) attacker
> > can guess approx. time when firewall is to be restarted), and to modify
> > my local iptables scripts if I don't like the way it is currently done.
>
> I have to agree with you here. I think there are a few problems with
> the current script the way it is. The first is setting the policy
> to ACCEPT when 'restart' is called through the call to 'stop'. I'm
> going to change the procedures executed when the 'restart' case is
> executed from 'save', 'stop', 'start', to 'save', 'restart'. Of course
> I'll have to write 'restart', but that doesn't seem too hard.
>
> Ideally, a restart should preserve existing connections, while denying
> all other packets during the brief amount of time in which the rule set
> is being reloaded. I'll post my addition to the list when I finish it.
>
>
> Ian
>
Actually, what you are describing is normally reserved for "reload", not
"restart". "restart" is generally for a stop and start - which in the
context of iptables seems to be doing what is expected, though, perhaps,
not what is desired.
So here is a patch file to add a "reload" option to the iptables script
file in /etc/rc.d/init.d/.... Your mileage may vary, but it follows the
earlier recommendation of doing an iptables-restore.... To do what you
were looking for earlier, do a "service iptables reload".
It seemed to work on my machine (FC3), but your mileage may vary....
HTH,
--Rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iptables.addreload.patch
Type: text/x-patch
Size: 864 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20050223/da249db9/attachment-0001.bin>
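An added example (not Rob's scrubbed patch and not Fedora's own init script): a "reload" action that loads the saved rule set with iptables-restore, which replaces each table in one operation instead of flushing rules and setting the policy to ACCEPT first. The IPTABLES_DATA and IPTABLES_RESTORE variables, the exit codes and the COMMIT check are assumptions made for this example.

```shell
#!/bin/sh
# Added example of a reload action for an iptables init script.
# iptables-restore builds each table in userspace and swaps it into the
# kernel in one operation, so there is no window with an ACCEPT policy
# and no rules, and connection tracking state is left untouched.

# Assumed defaults; real scripts would take these from sysconfig.
IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# Refuse a rules file with no COMMIT line: iptables-restore would apply
# nothing, and the live rule set would silently stay as it was.
rules_file_ok() {
    [ -s "$1" ] || return 1
    grep -q '^COMMIT$' "$1"
}

# Load the rule set from a file (default: IPTABLES_DATA) atomically.
# Returns 0 on success, 2 for an unusable rules file, 3 if restore failed.
# Modules are never unloaded, so the hang discussed above cannot occur.
iptables_reload() {
    file=${1:-$IPTABLES_DATA}
    if ! rules_file_ok "$file"; then
        echo "reload: unusable rules file: $file" >&2
        return 2
    fi
    if ! "$IPTABLES_RESTORE" < "$file"; then
        echo "reload: iptables-restore failed, old rules still in place" >&2
        return 3
    fi
    return 0
}
```

If restore fails the kernel keeps the previous tables, so a bad rules file leaves the firewall as it was rather than open.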