iptables restart hangs

Nathaniel Hall halln at otc.edu
Wed Feb 23 15:34:24 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aleksandar Milivojevic wrote:
| Bernd Radinger wrote:
|
|> in /etc/sysconfig/iptables-config change the configuration to:
|>
|> IPTABLES_MODULES_UNLOAD="no"
|>
|> I was told that fixes the problem
|
|
| It probably will, since he was hanging on module unload.  It will also
| preserve connection tracking information.  However, even with that
| option set, "iptables restart" will still flush all rules, set default
| policy to accept, and then start firewall from scratch (so you will be
| wide open for that small time window, enough for a packet or two to pass
| by, which is sometimes all it takes to break into the machine).  It is
| usually better to simply load new rules.  And you can't use "iptables
| start" either, because it is doing the same thing (basically, "start"
| and "restart" are effectively the same, with "restart" having an option
| to save fw rules before stopping the firewall).
|
| I've raised some concerns some time ago on bugzilla about iptables
| script and proposed (if I remember correctly) that either "start"
| shouldn't be unloading firewall rules, or that new option for "restart"
| be implemented (that would only load new rules).  I was told that
| there's no value in doing that since time window is too small (not
| really, if firewall is under attack from inside and (inside) attacker
| can guess approx. time when firewall is to be restarted), and to modify
| my local iptables scripts if I don't like the way it is currently done.
|

While the time to restart iptables is not very high, I do agree that
something should be added to the restart script.  Would there really be
a huge problem with adding reload to the script?  I know I usually have
a problem restarting a firewall through SSH when I am translating ports.
I ssh to a different port than 22, but prerouting rules translate it to
22.  When I restart while using ssh, I get kicked out if it is a large
ruleset.  If it is a small ruleset, I am fine.  My only other option is
to be at the local console to restart iptables.  If reload was an option
so that connections were not broken, that would help a lot.

--

Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln at otc.edu
417-447-7535
GPG Public Key ID: 0xAC187312
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)

iD8DBQFCHKKAc+QrUawYcxIRAiqKAJ9VpAH8KagMAEOp10DZQt1DXVfafQCbBNck
oQLf+w3w9kgzpgVe+HVXNqI=
=hHGR
-----END PGP SIGNATURE-----
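The "only load new rules" approach both posters ask for can be had today without changing the init script: feed the whole ruleset to iptables-restore, which parses the file first and then commits each table in one step, so there is no flush-then-ACCEPT window and the conntrack modules are never unloaded. The script below is an added illustration of that, not code from this thread or from the Fedora iptables init script. It assumes an SSH port redirected from 2222 to 22 in PREROUTING (mirroring Nathaniel's setup), the ruleset kept in /etc/sysconfig/iptables, and an iptables-restore that supports the parse-only --test flag, as current releases do.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from the
# Fedora iptables init script): reload firewall rules atomically with
# iptables-restore instead of "service iptables restart".  iptables-restore
# parses the whole file before touching the kernel and commits each table in
# one step, so the chains are never left flushed with policy ACCEPT, and the
# conntrack modules stay loaded, so the administrator's SSH session survives.
#
# Assumptions not taken from the thread: SSH is reached on port 2222 and
# redirected to 22 by a PREROUTING rule, the ruleset is kept in
# /etc/sysconfig/iptables (the file the Fedora script uses), and
# iptables-restore understands --test (current releases do).

# Write a constructed ruleset in iptables-save format to the file named by $1.
build_ruleset() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the default policy a saved ruleset ($1) sets for chain $3 of table $2.
# Lets a script confirm the new file is fail-closed before it is committed.
ruleset_policy() {
    awk -v table="*$2" -v chain=":$3" '
        $1 == table    { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0 }
        in_table && $1 == chain { print $2; exit }
    ' "$1"
}

# Count the tables a ruleset ($1) commits; each table ends in one COMMIT line.
ruleset_tables() {
    grep -c '^COMMIT$' "$1"
}

# Replace the live ruleset with the contents of $1.  Returns 2 when
# iptables-restore is missing, 1 when the file does not parse (the running
# rules are left untouched), 0 when the new rules were committed.
reload_ruleset() {
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; nothing applied" >&2
        return 2
    fi
    # Parse-only pass (--test): a syntax error stops here, before any change.
    iptables-restore --test < "$1" || return 1
    # Commit: every table is swapped in as a unit, with no flush/ACCEPT gap.
    iptables-restore < "$1"
}

# Run as root with "apply" to build the ruleset and load it:  sh reload.sh apply
if [ "${1:-}" = "apply" ]; then
    build_ruleset /etc/sysconfig/iptables
    [ "$(ruleset_policy /etc/sysconfig/iptables filter INPUT)" = "DROP" ] || exit 1
    reload_ruleset /etc/sysconfig/iptables
fi
```

Because the INPUT policy in the file is DROP and ESTABLISHED traffic is accepted, an SSH session that was already tracked keeps flowing across the reload; with "service iptables restart" the same session is what gets cut when the module unload empties the conntrack table.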
