Bug 50500

Summary: iptables-save saves --reject-with icmp-host-prohibited as --reject-with tcp-reset
Product: [Retired] Red Hat Linux
Reporter: Nick Simicich <njs>
Component: iptables
Assignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.1
CC: muth, njs
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-09-28 09:59:57 UTC

Description Nick Simicich 2001-07-31 18:34:39 UTC

Description of problem:
The redhat iptables initialization routines depend on iptables-save and 
iptables-restore.  

iptables-save does not save the rules defined correctly.  Specifically, so far as I can tell, every instance of a rule that contains --reject-with icmp-host-prohibited is always changed to --reject-with tcp-reset.

This is true even on rules which do not contain -p tcp.

How reproducible:
Always

Steps to Reproduce:
1. Create a ruleset that contains a rule that includes -j REJECT --reject-with icmp-host-prohibited.  A specific example:
iptables -A INPUT -s 199.74.152.254/32 -j REJECT --reject-with icmp-host-prohibited
2. iptables -L -v
to verify that the rule was entered correctly.
3. issue iptables-save | less
4. Behold!

Actual Results:  The rule was saved with the clause:
--reject-with tcp-reset

Expected Results:  The rule should have been saved with -j REJECT --reject-with icmp-host-prohibited

Additional info:

IMHO, this is a security issue.  Before kernel 2.4.3 was released, warnings were issued that break-ins could occur because iptables allowed "RELATED" bugs to be tracked.  Here we have not only this but another bug (which I encountered) where rules saved with iptables-save were not restored because of the fact that --log-prefix with a space in the string would cause the rule to fail to restore.  This is at least that severe - rules will be restored wrong and some rules may not be restored at all.  Warnings should once again be issued that iptables should not be used.
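A small lint over iptables-save output, added here as an example (it is not part of this report or of the iptables package), that catches the two round-trip symptoms the report describes: a REJECT rule rewritten to --reject-with tcp-reset although it does not match -p tcp, and a --log-prefix whose value contains whitespace but is not quoted (my approximation of the restore failure mentioned above). The two sample dumps are constructed.

```python
import shlex

# Constructed samples (not from the report): the reporter's rule as it should be saved, and as this bug saves it.
SAMPLE_GOOD = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 199.74.152.254/32 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix "dropped input: "
COMMIT
"""
SAMPLE_BAD = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 199.74.152.254/32 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix dropped input:
COMMIT
"""

def _opt(tokens, name):
    """Value following option `name` in a token list, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None

def check_rule(line):
    """Return problem descriptions for one '-A ...' rule line (empty if clean)."""
    try:
        tokens = shlex.split(line)
    except ValueError as exc:
        return [f"unparseable rule ({exc})"]
    problems = []
    target = _opt(tokens, "-j")
    # tcp-reset is only valid with -p tcp, so seeing it elsewhere means the saved --reject-with was rewritten.
    if target == "REJECT" and _opt(tokens, "--reject-with") == "tcp-reset" and _opt(tokens, "-p") != "tcp":
        problems.append("REJECT --reject-with tcp-reset on a rule without -p tcp")
    # An unquoted prefix containing whitespace is split into several arguments on restore and the rule fails.
    if target == "LOG" and "--log-prefix" in tokens:
        raw = line.split("--log-prefix", 1)[1].strip()
        if not raw.startswith('"') and len(raw.split()) > 1:
            problems.append("--log-prefix value has whitespace but is unquoted")
    return problems

def check_dump(text):
    """Run check_rule over every rule line of an iptables-save dump; returns (lineno, problem) pairs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("-A "):
            findings.extend((lineno, p) for p in check_rule(line))
    return findings
```

check_dump(SAMPLE_GOOD) returns an empty list, while check_dump(SAMPLE_BAD) flags dump lines 3 and 4; run it over the real `iptables-save` output before trusting a reboot to restore it.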

Comment 1 Bernhard Rosenkraenzer 2001-08-01 13:40:10 UTC
Fixed in 1.2.2-3


Comment 2 Nick Simicich 2001-08-01 15:52:07 UTC
It is good that it is fixed in an upcoming release.  Do you not think that it 
would be worthwhile to issue a warning?

Comment 3 Nick Simicich 2001-08-27 20:09:22 UTC
I'd like to ask that the rawhide modules get promoted to errata and that a 
security errata be released - this is important because the non-rawhide modules 
can silently result in iptables rules not getting reloaded, which could result 
in one's firewall being down after an unwatched reboot.

Comment 4 Klaus Muth 2001-09-28 09:59:52 UTC
iptables-restore does choke on saved rules with -j LOG --log-prefix "anything", with any argument to --log-prefix containing quotes. The iptables changelog on netfilter.samba.org marks this problem fixed since version 1.2.1a (March 2001), so please, please move an updated package to updates and issue a warning.