iptables restart hangs
Aleksandar Milivojevic
amilivojevic at pbl.ca
Tue Feb 22 21:47:35 UTC 2005
Chris Miller wrote:
> [root at sea-fw1 ~]# /etc/init.d/iptables condrestart
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter nat [ OK ]
> Unloading iptables modules:
>
> Hangs there and never moves on.
Are you really sure you want to do everything that iptables script does
when restarting?
While it might seem cleaner to completely reset firewall each time you
change its configuration, it has some dirty consequences.
By unloading nat (and related) conntrack modules, you will lose all
connection tracking information. While in some cases this might be just
what you wanted to do, usually you don't want to affect existing
connections. Imagine the frustration of somebody who was downloading a
3GB DVD image from your FTP server. And then you restarted your
firewall when his transfer was almost complete. His connection becomes
history. Now imagine you had 20 such users doing transfers at the time
the firewall was restarted.
Also, keep in mind that by doing /etc/init.d/iptables restart, there
will be that small window when you do not have any firewall, and a very
short period when you have a firewall with no rules at all. If there's an
error in the new /etc/sysconfig/iptables file, you'll be left with a
firewall with no rules loaded.
If you are using the /etc/sysconfig/iptables file to store your firewall
config, just do:
# iptables-restore /etc/sysconfig/iptables
This will load the rules into the kernel, while preserving all state
information that existed previously (because the conntrack module is not
unloaded).
By doing iptables-restore, the new rules will simply replace the old
rules in your running firewall in a single atomic operation. If loading
of the new rules fails, the old rules stay in effect. Your firewall is up,
running and fully operational the whole time.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
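The reload the reply recommends, written out as a small script. This is an added example, not part of the original post or of the iptables init script: it sanity-checks the rules file in the shell first (so a typo in the new file is caught before the kernel ever sees it), saves the running rules for manual rollback, and then loads the file atomically with iptables-restore, never unloading a module and never leaving a rules-less window. The `--test` flag of iptables-restore (parse and build the ruleset without committing it) is assumed to exist in your iptables version; the sample ruleset inside `sample_ruleset` is constructed for the demo, and /etc/sysconfig/iptables is only the default path.

```shell
#!/bin/sh
# Added example (not the original post's code): atomic firewall reload with
# iptables-restore plus a pre-flight structural check of the rules file.
# Assumptions: rules file is in iptables-save format; iptables-restore --test
# is available; the default path /etc/sysconfig/iptables is a placeholder.

# check_ruleset FILE
# Returns 0 when every "*table" block is closed by a COMMIT line, at least one
# table is present, and every "-A CHAIN" appends to a chain declared with
# ":CHAIN ..." inside the same table.  Returns 1 (with a message on stderr)
# otherwise.  Pure awk, so it never touches the kernel.
check_ruleset() {
    awk '
        /^\*/      { open++; for (c in chains) delete chains[c] }
        /^:/       { chains[substr($1, 2)] = 1 }
        /^-A /     { if (!($2 in chains)) {
                         print FILENAME ": line " NR ": -A on undeclared chain " $2 > "/dev/stderr"
                         bad = 1 } }
        /^COMMIT$/ { if (open == 0) bad = 1; else { open--; tables++ } }
        END        { if (bad || open != 0 || tables == 0) exit 1 }
    ' "$1"
}

# reload_firewall FILE
# Keeps a copy of the running rules (iptables-save) for a manual rollback, then
# loads FILE in one atomic iptables-restore.  If the file is rejected, the old
# rules stay in effect; connection tracking state survives because no module
# is unloaded.  Needs root.
reload_firewall() {
    rules=$1
    check_ruleset "$rules" || { echo "$rules: malformed, keeping current rules" >&2; return 1; }
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    # --test parses and builds the whole ruleset without committing it (assumed flag)
    if ! iptables-restore --test "$rules"; then
        echo "$rules: rejected by iptables-restore, keeping current rules" >&2
        return 1
    fi
    iptables-restore "$rules" && echo "loaded $rules (previous rules saved in $backup)"
}

# Constructed sample ruleset in iptables-save format, used only by the demo.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# demo: run the check against the sample and against a copy with a typo in a
# chain name (the "error in the new file" case), without loading anything.
demo() {
    good=$(mktemp); bad=$(mktemp)
    sample_ruleset > "$good"
    sample_ruleset | sed 's/^-A INPUT -i lo/-A INUPT -i lo/' > "$bad"
    check_ruleset "$good" && echo "sample ruleset: passes pre-flight check"
    check_ruleset "$bad"  || echo "ruleset with typo: rejected before touching the kernel"
    rm -f "$good" "$bad"
}

case "${1-}" in
    --apply) reload_firewall "${2:-/etc/sysconfig/iptables}" ;;
    *)       demo ;;
esac
```

Run it with no arguments to see the pre-flight check work on the constructed sample; run it as root with `--apply /etc/sysconfig/iptables` to do the real reload. The check is deliberately shallow (table/COMMIT balance and chain declarations); iptables-restore itself remains the authority on whether the rules are valid, which is exactly why the old rules stay loaded until it succeeds.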
More information about the fedora-list mailing list