Bug 103943 - Problem with the Nat table in iptables 1.2.8
Summary: Problem with the Nat table in iptables 1.2.8
Status: CLOSED DUPLICATE of bug 103177
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.3
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Keywords: Security
Depends On:
Reported: 2003-09-08 04:52 UTC by oracle
Modified: 2007-04-18 16:57 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-02-21 18:58:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
IPTables config file from RedHat 7.3 (29.88 KB, text/plain)
2003-09-17 15:52 UTC, Clayton Hicklin

Description oracle 2003-09-08 04:52:59 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; 
KPELECT6) <-- this is the workstation not the server! ;)

Description of problem:
Every now and again, iptables fails to load up, with my script reporting 'Nat 
table not found, maybe you need to insmod'. Under /proc/net/ip_table_names it 
only holds mangle and filter, whereas it should hold nat,mangle and filter. I 
have tried insmod, rmmod and modprobe (not in that order, but I have removed 
and installed many modules) and the nat module keeps coming back with a page of 
errors. Sorry, I can not reproduce this error/bug. But to restore my system, I 
need to reboot. Does anyone know of a workaround/patch? I can keep rebooting 
all the time, it just ain't feasible.

Version-Release number of selected component (if applicable):

How reproducible:
Couldn't Reproduce

Additional info:

Comment 1 Thomas Woerner 2003-09-11 13:00:32 UTC
Which iptables and kernel version are you using?

Can you send me your /etc/sysconfig/iptables?

Comment 2 oracle 2003-09-12 00:22:09 UTC
IPTables version 1.2.8
Kernel 2.4.20-20

I can't send /etc/sysconfig/iptables cos I ain't using that, I have my own 
custom script that kicks in after /etc/init.d/iptables. And noooo it ain't my 
script, that I am confident in, cos it doesn't have the nat table loaded (which is 
needed before my script). My script is just calling for the 'Nat' table.

Comment 3 Thomas Woerner 2003-09-17 09:23:43 UTC
I need more information:

- which iptables (full version string)
- which kernel (full version string)
- a test case

Comment 4 Clayton Hicklin 2003-09-17 15:52:30 UTC
Created attachment 94559
IPTables config file from RedHat 7.3

This is a config file that was known to be working until upgrading to IPTables
1.2.8 and kernel 2.4.20

Comment 5 Clayton Hicklin 2003-09-17 15:54:47 UTC
I've had the exact same problems on my system.  Rebooting works, but restarting
the iptables service does not.  Previously, the iptables init.d script did not
unload and load the iptables modules.  A quick solution would be to modify the
script to leave the modules alone.  I've attached a working iptables config file
that no longer works with the iptables 1.2.8 + kernel 2.4.20 combination.

Comment 6 oracle 2003-09-17 22:44:32 UTC
Linux kernel 2.4.20-20.7

IPTables 1.2.8

That is all the information I have ... I cannot repeat the problem so I don't 
have a test case ... I just know since the updating it has failed a few 
times ... I tried re-loading the modules but that seems to produce error 
messages as if the modules don't work, maybe?

Comment 7 Anton Rops 2003-09-18 08:52:51 UTC
I have the same problems on my system and can reproduce it.

RedHat 7.1

Additional modules loaded:
ip_conntrack_ftp ip_nat_ftp (in that order)

After a fresh restart of the system there is no problem doing a "service 
iptables restart". The problem starts when a client on the network starts an 
ftp session towards the internet. Both passive and active sessions trigger the 

"service iptables restart" will get stuck. ps -aux indicates that the system 
is very busy with:
modprobe -r ip_conntrack_ftp

It indicates that about 98% CPU is used.

I certainly hope that this problem can be solved. It is unclear to me if other 
vulnerabilities are present when someone has used ftp. Anyway, iptables and/or 
the kernel seem to have a problem.

Comment 8 Anton Rops 2003-09-18 09:21:13 UTC
Additional detail:
Without the modules ip_conntrack_ftp ip_nat_ftp loaded there is no problem.

Comment 9 Thomas Woerner 2003-09-18 09:31:49 UTC

*** This bug has been marked as a duplicate of 103177 ***

Comment 10 Red Hat Bugzilla 2006-02-21 18:58:30 UTC
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.
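
A pre-restart check built from the symptoms reported in this thread, added here as an example and not taken from the commenters or from Red Hat's init script. It reports whether nat is missing from the kernel's table list (/proc/net/ip_tables_names on a live host) and whether the FTP helper modules named in Comment 7 are loaded; the function names, exit codes and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Red Hat's init script.
# Assumptions: the table list holds one table name per line, and the first
# field of each /proc/modules line is the module name.

# Print each expected table (nat, mangle, filter) absent from table list $1.
missing_tables() {
    for t in nat mangle filter; do
        grep -qx "$t" "$1" 2>/dev/null || printf '%s\n' "$t"
    done
}

# Print the FTP helper modules named in Comment 7 that appear in module list $1.
loaded_ftp_helpers() {
    awk '$1 == "ip_conntrack_ftp" || $1 == "ip_nat_ftp" { print $1 }' "$1" 2>/dev/null || true
}

# Return 0 if all tables are registered and no FTP helper is loaded,
# 2 if a helper is loaded, 1 if a table is missing (takes precedence).
restart_check() {
    miss=$(missing_tables "$1")
    helpers=$(loaded_ftp_helpers "$2")
    rc=0
    if [ -n "$helpers" ]; then
        echo "FTP helpers loaded:" $helpers
        rc=2
    fi
    if [ -n "$miss" ]; then
        echo "tables not registered:" $miss
        rc=1
    fi
    return $rc
}

# Offline demo on constructed sample data (the state described in the report).
demo() {
    d=$(mktemp -d)
    printf 'mangle\nfilter\n' > "$d/tables"
    printf 'ip_nat_ftp 4336 0 (unused)\nip_conntrack_ftp 5296 1 [ip_nat_ftp]\n' > "$d/modules"
    rc=0
    restart_check "$d/tables" "$d/modules" || rc=$?
    rm -rf "$d"
    return $rc
}

# On a live host: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    restart_check /proc/net/ip_tables_names /proc/modules
fi
```

Running the check before `service iptables restart` shows whether the host is in the configuration where Comment 7 saw the restart hang, without unloading any module.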
