Description of problem:
upgrade of iptables to 1.2.8 on RedHat 8/2.4.20-20.8 stops firewall!

Version-Release number of selected component (if applicable):
1.2.8

How reproducible:
patch a RedHat 8/2.4.20-20.8 machine using up2date: after restarting the iptables service the firewall's status stays on "stopped"

Steps to Reproduce:
1. on a Redhat 8/2.4.20-20.8 up2date install iptables 1.2.8 via up2date
2. reboot machine
3. service iptables status

Actual results:
until the file /etc/sysconfig/iptables-config is modified and all options set to "yes", the iptables service will not start.

Expected results:
by modifying the /etc/sysconfig/iptables-config file and setting all options to "yes" the iptables service will start.

Additional info:
new content of /etc/sysconfig/iptables-config:

    # Additional iptables modules (nat helper)
    # Default: -empty-
    IPTABLES_MODULES="ip_nat_ftp"

    # Save current firewall rules on stop.
    # Value: yes|no, default: no
    IPTABLES_SAVE_ON_STOP="yes"

    # Save current firewall rules on restart.
    # Value: yes|no, default: no
    IPTABLES_SAVE_ON_RESTART="yes"

    # Save (and restore) rule counter.
    # Value: yes|no, default: no
    IPTABLES_SAVE_COUNTER="yes"

    # Numeric status output
    # Value: yes|no, default: no
    IPTABLES_STATUS_NUMERIC="yes"
I am sorry, but iptables-1.2.8-8.80.2 is working for me without any problems with the kernel 2.4.20-20.8. Can you send me the output of the following command, please:

    sh -x /etc/init.d/iptables start
Hi,

Thanks for looking at the bug. I cannot do "sh -x /etc/init.d/iptables start" anymore because I patched all my machines since. Sorry.

I did debug the init script though. If we look at the iptables init script, start case, it is based on the existence of a saved iptables ruleset, which on our firewall does not exist (the rules are not restored, they are created at init time by a specialized script). Now, let's look around lines 140-150. If no file -> no message, no start:

    [ -f $IPTABLES_DATA ] || return 1

If no tables and rules have been previously saved before doing the upgrade of iptables, the init stops there (return 1), and then there are no /etc/sysconfig/iptables rules -> iptables won't start. Moreover:

    $IPTABLES-restore $OPT $IPTABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi
iptables will not load changes to the iptables data file automatically.
The last answer left me with some questioning... How come it was working under iptables for more than a year on multiple machines, some of which are rebooted almost every day, and when I upgraded iptables from 1.2.6a to 1.2.8, iptables would suddenly not start anymore! For example, take an empty-rule firewall where the /etc/sysconfig/iptables file does not exist: iptables won't start!
The only thing that was done before with a missing firewall rule file was to load the netfilter modules. The modules create the default tables with the policy 'ACCEPT' and no rules while loading. If there are no rules, chains or other policies defined, it makes no difference if the modules are loaded or not: no filtering, nat or connection tracking. Therefore the service iptables does not start anymore if there is no firewall rule file.
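The following is an added illustration of the start-path decision discussed in this bug (the `[ -f $IPTABLES_DATA ] || return 1` gate quoted above and the maintainer's explanation of why a missing rule file now means "stopped"). It is not the Red Hat init script and never calls iptables; the function names, the scratch paths and the simulated stop that writes a placeholder in place of iptables-save output are constructed here for the example. It shows why setting every option to "yes" appeared to fix the problem for the reporter: the config values do not influence the start gate at all, but a stop with IPTABLES_SAVE_ON_STOP=yes leaves a saved ruleset behind, and that file is what the next start needs.

```shell
#!/bin/sh
# Added example, not the Red Hat iptables init script: a small model of the
# start/stop decisions discussed in this bug. Paths and function names are
# constructed for illustration; nothing here calls iptables itself.

# Defaults documented in /etc/sysconfig/iptables-config (all "no").
IPTABLES_SAVE_ON_STOP=no
IPTABLES_SAVE_ON_RESTART=no
IPTABLES_SAVE_COUNTER=no
IPTABLES_STATUS_NUMERIC=no

# Source a config file if it exists, the way the init script does.
load_config() {
    [ -f "$1" ] && . "$1"
    return 0
}

# The start-case gate quoted in the thread: without a saved ruleset the
# function returns 1 and nothing is restored, whatever the config says.
start_iptables() {
    data="$1"
    [ -f "$data" ] || return 1
    # The real script runs: $IPTABLES-restore $OPT $IPTABLES_DATA
    # Here a readability check stands in for the restore step.
    [ -r "$data" ] || return 1
    return 0
}

# Model of the stop case: with IPTABLES_SAVE_ON_STOP=yes the running rules
# are written to the data file (simulated here with a placeholder line).
# A machine that was once stopped with that setting therefore has a
# ruleset to restore at its next start.
stop_iptables() {
    data="$1"
    if [ "$IPTABLES_SAVE_ON_STOP" = yes ]; then
        echo "# simulated output of iptables-save (constructed placeholder)" > "$data"
    fi
    return 0
}

# Replay the reporter's scenario in a scratch directory and return the two
# start results as "first:second" (0 = would start, 1 = would not).
demo() {
    dir=$(mktemp -d)
    data="$dir/iptables"
    cfg="$dir/iptables-config"

    # Config exactly as the reporter set it: everything "yes".
    cat > "$cfg" <<'EOF'
IPTABLES_MODULES="ip_nat_ftp"
IPTABLES_SAVE_ON_STOP="yes"
IPTABLES_SAVE_ON_RESTART="yes"
IPTABLES_SAVE_COUNTER="yes"
IPTABLES_STATUS_NUMERIC="yes"
EOF
    load_config "$cfg"

    # 1. No saved ruleset yet: start refuses, even with all options "yes".
    if start_iptables "$data"; then first=0; else first=1; fi

    # 2. A stop with SAVE_ON_STOP=yes creates the data file...
    stop_iptables "$data"

    # 3. ...so the next start has something to restore.
    if start_iptables "$data"; then second=0; else second=1; fi

    rm -rf "$dir"
    echo "$first:$second"
}
```

Running `demo` prints `1:0`: the first start fails with the rule file absent regardless of the config, and only after a stop that saved a ruleset does the start path get past the gate. For a host whose rules are built by a separate script at boot, as in the reporter's setup, the practical consequence is that `service iptables status` will keep reporting "stopped" until a ruleset has been saved to /etc/sysconfig/iptables once.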