IPTables doesn't restart
Pete Nesbitt
pete at linux1.ca
Wed Dec 8 05:10:46 UTC 2004
On December 7, 2004 01:45 pm, Nathaniel Hall wrote:
> I am running an RHAS3 firewall with IPTables. When I restart IPTables,
> I get kicked out of my SSH session and everybody around campus gets
> kicked out of telnet. Once I have been kicked out, I cannot re-login
> via SSH.
>
> When I get to the local console of the firewall, I am able to log in with
> no prob and restart IPTables (all succeed), and everything goes back
> to normal. I took a look at /var/log/messages and here is what I get:
>
> /Start of IPTables restart/
> Dec 7 14:58:44 cs-fw iptables: succeeded
> Dec 7 14:58:44 cs-fw last message repeated 2 times
> Dec 7 14:58:44 cs-fw sshd(pam_unix)[21325]: session closed for user
> root
> Dec 7 15:03:29 cs-fw login(pam_unix)[16534]: session opened for
> user root by LOGIN(uid=0)
> Dec 7 15:03:29 cs-fw -- root[16534]: ROOT LOGIN ON tty1
> Dec 7 15:03:32 cs-fw kernel: ip_tables: (C) 2000-2002 Netfilter
> core team
> Dec 7 15:03:32 cs-fw kernel: ip_conntrack version 2.1 (8191
> buckets, 65528 max) - 304 bytes per conntrack
> Dec 7 15:03:32 cs-fw iptables: succeeded
> Dec 7 15:03:32 cs-fw iptables: succeeded
> /End of second IPTables restart/
>
> Any ideas?
>
> --
>
> Nathaniel Hall, GSEC
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
>
> halln at otc.edu
> 417-447-7535
I do remotely restart iptables anytime I make changes and have only lost
connectivity in two cases:
1) when I made a typo that blocked ssh, but the current session still
continued, just new connections were refused.
2) when I needed an update of the initscripts rpm (can't remember the RH ver,
el2.1 maybe). iptables would start and immediately exit. A temporary fix,
till I got the updated package, was to add a second restart of iptables in
rc.local, that way if the machine was rebooted, iptables would survive and I
could remotely access the system.
I just restarted iptables on my fw via ssh and the only log entry was:
Dec 7 20:48:52 d207-216-10-152 iptables: succeeded
Make sure iptables & initscripts are both up2date.
Log into the console and run iptables -L to see if it is allowing anything
(before restarting iptables).
What are you using for scripts (and/or frontend)?
How long does an iptables restart take? It should not be long enough to cause a
timeout in an ssh session. (Have you modified sshd_config?)
--
Pete Nesbitt, rhce
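A pre-flight check plus a self-reverting restart for the remote case discussed in this thread, as an added example that is not from either poster. It assumes the Red Hat layout (/etc/sysconfig/iptables, the `service iptables` init script) and that iptables-save/iptables-restore are present on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight a Red Hat ruleset before a
# remote restart and arm a timed revert so a restart that drops the SSH
# session undoes itself. Assumes /etc/sysconfig/iptables, the "service
# iptables" init script and iptables-save/iptables-restore.

# 0 if the saved ruleset accepts new TCP connections to port 22 (ssh).
ruleset_allows_ssh() {
    grep -Eq -- '^-A [A-Za-z0-9_-]+ .*-p tcp.*--dport (22|ssh) .*-j ACCEPT' "$1" 2>/dev/null
}

# 0 if ESTABLISHED/RELATED is accepted. A restart that reloads ip_conntrack
# empties the state table, so this alone does not keep a live session going.
ruleset_keeps_established() {
    grep -Eq -- '--state [A-Z,]*(ESTABLISHED|RELATED)' "$1" 2>/dev/null
}

# Save live rules, arm a background restore after $grace seconds, restart,
# and cancel the restore only when the operator confirms the session lived.
guarded_restart() {
    rules=${1:-/etc/sysconfig/iptables}
    grace=${2:-120}
    if ! ruleset_allows_ssh "$rules"; then
        echo "refusing: no SSH ACCEPT rule in $rules" >&2
        return 1
    fi
    saved=$(mktemp /tmp/iptables.prev.XXXXXX) || return 1
    iptables-save > "$saved" || return 1
    # nohup: the timer must outlive the SSH session if it gets cut off.
    nohup sh -c "sleep $grace && iptables-restore < '$saved'" >/dev/null 2>&1 &
    timer=$!
    service iptables restart
    printf 'Still connected? Press Enter within %ss to keep the new rules: ' "$grace"
    if read -r _; then
        kill "$timer" 2>/dev/null
        rm -f "$saved"
    fi
}

# Stand-alone run checks a constructed sample only; IPT_APPLY=1 restarts (root).
if [ "${IPT_APPLY:-0}" = 1 ]; then
    guarded_restart "$@"
else
    sample=$(mktemp) || exit 1
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$sample"
    ruleset_allows_ssh "$sample" && echo "sample: ssh rule present"
    ruleset_keeps_established "$sample" && echo "sample: established kept"
    rm -f "$sample"
fi
```

If the session dies during the restart, nothing presses Enter, the timer fires and the previous rules come back, so you can log in again and fix the typo.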
More information about the redhat-list mailing list