iptables restart hangs

Aleksandar Milivojevic amilivojevic at pbl.ca
Tue Feb 22 21:47:35 UTC 2005 

Chris Miller wrote:
> [root at sea-fw1 ~]# /etc/init.d/iptables condrestart
> Flushing firewall rules:                                   [  OK  ]
> Setting chains to policy ACCEPT: filter nat                [  OK  ]
> Unloading iptables modules: 
> 
> Hangs there and never moves on.

Are you really sure you want to do everything that iptables script does 
when restarting?

While it might seem cleaner to completely reset firewall each time you 
change its configuration, it has some dirty consequences.

By unloading nat (and related) contrack modules, you will loose all 
connection tracking information.  While in some cases this might be just 
what you wanted to do, usually you don't want to affect existing 
connections.  Imagine the frustration of somebody who was downloading 
3GB DVD image from your FTP server.  And than you restarted your 
firewall when his transfer was almost complete.  His connection becomes 
history.  Now imagine you had 20 such users doing transfers at the time 
firewall was restarted.

Also, have in mind that by doing /etc/init.d/iptables restart, there 
will be that small window when you do not have any firewall, and a very 
short period when you have firewall with no rules at all.  If there's an 
error in new /etc/sysconfig/iptables file, you'll be left with firewall 
with no rules loaded.

If you are using /etc/sysconfig/iptables file to store your firewall 
config, just do:

# iptables-restore /etc/sysconfig/iptables

This will load rules into the kernel, while preserving all state 
information that existed previously (because contrack module is not 
unloaded).

By doing iptables-restore, the new rules will simply replace the old 
rules in your running firewall in a single atomic operation.  If loading 
of new rules fails, the old rules stay in effect.  Your firewall is all 
the time up, running and fully operational.

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7

More information about the fedora-list mailing list