Red Hat Bugzilla – Bug 103943
Problem with the Nat table in iptables 1.2.8
Last modified: 2007-04-18 12:57:25 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90;
KPELECT6) <-- this is the workstation not the server! ;)
Description of problem:
Every now and again, iptables fails to load up, with my script reporting 'Nat
table not found, maybe you need to insmod'. Under /proc/net/ip_table_names it
only holds mangle and filter, whereas it should hold nat, mangle and filter. I
have tried insmod, rmmod and modprobe (not in that order, but I have removed
and installed many modules) and the nat module keeps coming back with a page of
errors. Sorry, I cannot reproduce this error/bug. But to restore my system, I
need to reboot. Does anyone know of a workaround/patch? I can keep rebooting
all the time, it just ain't feasible.
Version-Release number of selected component (if applicable):
Which iptables and kernel version are you using?
Can you send me your /etc/sysconfig/iptables?
IPTables version 1.2.8
I can't send /etc/sysconfig/iptables cos I ain't using that, I have my own
custom script that kicks in after /etc/init.d/iptables. And noooo it ain't my
script, that I am confident in, cos it doesn't have the nat table loaded (which is
needed before my script). My script is just calling for the 'Nat' table.
I need more information:
- which iptables (full version string)
- which kernel (full version string)
- a test case
Created attachment 94559
IPTables config file from Red Hat 7.3
This is a config file that was known to be working until upgrading to IPTables
1.2.8 and kernel 2.4.20
I've had the exact same problems on my system. Rebooting works, but restarting
the iptables service does not. Previously, the iptables init.d script did not
unload and load the iptables modules. A quick solution would be to modify the
script to leave the modules alone. I've attached a working iptables config file
that no longer works with the iptables 1.2.8 + kernel 2.4.20 combination.
Linux kernel 2.4.20-20.7
That is all the information I have ... I cannot repeat the problem so I don't
have a test case ... I just know since the updating it has failed a few
times ... I tried re-loading the modules but that seems to produce error
messages as if the modules don't work, maybe?
I have the same problems on my system and can reproduce it.
Additional modules loaded:
ip_conntrack_ftp ip_nat_ftp (in that order)
After a fresh restart of the system there is no problem doing a "service
iptables restart". The problem starts when a client on the network starts an
ftp session towards the internet. Both passive and active sessions trigger it:
the "service iptables restart" will get stuck. ps -aux indicates that the system
is very busy with:
modprobe -r ip_conntrack_ftp
It indicates that about 98% CPU is used.
I certainly hope that this problem can be solved. It is unclear to me if other
vulnerabilities are present when someone has used ftp. Anyway, iptables and/or
the kernel seem to have a problem.
Without the modules ip_conntrack_ftp ip_nat_ftp loaded there is no problem.
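As an added example (not from the bug report or the iptables package), a POSIX sh pre-flight guard in the spirit of the reporter's 'Nat table not found' check and the ip_conntrack_ftp restart hang described above: it reads /proc/net/ip_tables_names and /proc/modules (the paths are parameters so the functions can be exercised against constructed copies) and refuses a restart while the ftp helper still has users. That an in-use helper is what the hung "modprobe -r" is fighting is an assumption, as is the iptable_nat module name as the thing to load.

```sh
#!/bin/sh
# Pre-flight checks for a custom iptables script (added example, not the
# reporter's script). /proc paths are parameters so the checks can be run
# against constructed copies; the defaults are the real kernel files.

# Succeeds if TABLE appears (one name per line) in the ip_tables_names file.
table_loaded() {
    table=$1; names_file=${2:-/proc/net/ip_tables_names}
    [ -r "$names_file" ] || return 2          # ip_tables core not loaded at all
    grep -qx "$table" "$names_file"
}

# Prints the use count of MODULE from a /proc/modules-style file (third
# column in both the 2.4 and 2.6 layouts); fails if the module is not loaded.
module_refcount() {
    awk -v m="$1" '$1 == m { print $3; found = 1 } END { exit !found }' \
        "${2:-/proc/modules}"
}

# Succeeds when MODULE is absent or has no users, i.e. "modprobe -r" would not
# be tearing down a helper that still owns tracked connections (assumption).
can_unload() {
    count=$(module_refcount "$1" "${2:-/proc/modules}") || return 0
    [ "$count" -eq 0 ]
}

# Combined gate before a restart: nat must be present and the ftp helper idle.
# Reports what is wrong on stderr; returns 0 only when it is safe to proceed.
restart_safe() {
    names_file=${1:-/proc/net/ip_tables_names}; modules_file=${2:-/proc/modules}
    ok=0
    if ! table_loaded nat "$names_file"; then
        echo "nat table not found; load iptable_nat before applying NAT rules" >&2
        ok=1
    fi
    if ! can_unload ip_conntrack_ftp "$modules_file"; then
        echo "ip_conntrack_ftp still in use; do not modprobe -r it during restart" >&2
        ok=1
    fi
    return $ok
}
```

Run `restart_safe` with no arguments at the top of the script that applies the NAT rules; a non-zero return means bail out instead of reapplying rules against a missing table or unloading a busy helper.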
*** This bug has been marked as a duplicate of 103177 ***
Changed to 'CLOSED' state since 'RESOLVED' has been deprecated.