iptables restart hangs

Ian P. Thomas ipt at scraemon.org
Wed Feb 23 16:17:49 UTC 2005


On Wed, 2005-02-23 at 08:35 -0600, Aleksandar Milivojevic wrote:
> Bernd Radinger wrote:
> > in /etc/sysconfig/iptables-config change the configuration to:
> > 
> > IPTABLES_MODULES_UNLOAD="no"
> > 
> > I was told that fixes the problem
> 
> It probably will, since he was hanging on module unload.  It will also
> preserve connection tracking information.  However, even with that
> option set, "iptables restart" will still flush all rules, set default
> policy to accept, and then start firewall from scratch (so you will be
> wide open for that small time window, enough for a packet or two to pass
> by, which is sometimes all it takes to break into the machine).  It is
> usually better to simply load new rules.  And you can't use "iptables
> start" either, because it is doing the same thing (basically, "start"
> and "restart" are effectively the same, with "restart" having an option
> to save fw rules before stopping the firewall).
> 
> I've raised some concerns some time ago on bugzilla about iptables
> script and proposed (if I remember correctly) that either "start"
> shouldn't be unloading firewall rules, or that new option for "restart"
> be implemented (that would only load new rules).  I was told that
> there's no value in doing that since time window is too small (not
> really, if firewall is under attack from inside and (inside) attacker
> can guess approx. time when firewall is to be restarted), and to modify
> my local iptables scripts if I don't like the way it is currently done.

I have to agree with you here.  I think there are a few problems with
the current script the way it is.  The first is setting the policy
to ACCEPT when 'restart' is called through the call to 'stop'.  I'm
going to change the procedures executed when the 'restart' case is
executed from 'save', 'stop', 'start', to 'save', 'restart'.  Of course
I'll have to write 'restart', but that doesn't seem too hard.

Ideally, a restart should preserve existing connections, while denying
all other packets during the brief amount of time in which the rule set
is being reloaded.  I'll post my addition to the list when I finish it.


Ian
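Added example of the reload Aleksandar and Ian are describing (not the Fedora init script and not Ian's patch): instead of 'stop' (flush, policy ACCEPT) followed by 'start', the whole rule set is handed to iptables-restore, which replaces each table in a single commit, so there is no moment at which the host runs with empty chains and an ACCEPT default. It assumes an iptables-restore that supports --test, and the rule set itself is a constructed minimum: 192.0.2.0/24 as the management network is a placeholder, not something from the thread.

```shell
# Added example (not the Fedora init script or Ian's patch): reload the
# firewall without the flush / policy-ACCEPT window. iptables-restore
# replaces each table in a single commit, so no packet meets an empty
# chain. Assumes iptables-restore --test; 192.0.2.0/24 is a placeholder.

# Emit a complete ruleset in iptables-save format. Existing connections
# survive the reload via the ESTABLISHED,RELATED rule; everything not
# explicitly allowed hits the DROP policy rather than an ACCEPT default.
safe_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Refuse a ruleset that would reopen the window the thread describes:
# it must end in COMMIT, must not default INPUT to ACCEPT, and must keep
# established connections. Returns 0 if safe, 1 otherwise.
check_ruleset() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    printf '%s\n' "$rules" | grep -q '^:INPUT ACCEPT' && return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || return 1
    return 0
}

# The reload itself: snapshot running rules for rollback, validate the
# new set, apply it atomically. Never runs 'iptables -F' or 'stop'.
safe_restart() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    rules=$(safe_ruleset)
    check_ruleset "$rules" || { echo "unsafe ruleset, not applied" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    if ! printf '%s\n' "$rules" | iptables-restore; then
        echo "restore failed, rolling back" >&2
        iptables-restore < "$backup"
        return 1
    fi
    rm -f "$backup"
}
```

safe_restart needs root and a kernel with netfilter; safe_ruleset and check_ruleset run anywhere, so the rule set can be checked before it ever touches the box.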



