See bug 1101522 "iptables rule ESTABLISHED occasionally not matching".

Short story: a REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use a DROP rule to filter out bad packets before REJECT, or use REJECT only for NEW packets and DROP the rest.

I believe the relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c, here:

    for (i=0; ports && ports[i].start_port; i++) {
        ...creates "state NEW -j ACCEPT" rules...
    }
    fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
    fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules. There is an analogous bit of code for IPv6 later in the same file.
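The rule ordering the report describes, and the proposed fix, as an added example (not code from the report or from lokkit): a checker that flags chains whose catch-all REJECT is not preceded by a DROP of INVALID packets, and a function that inserts the DROP rule the way the comment suggests. The ruleset is a constructed iptables-save sample and the custom chain name is assumed.

```python
import re
# Constructed sample in iptables-save format, shaped like the lokkit output the
# comment describes: per-port "state NEW -j ACCEPT" rules, then a catch-all
# REJECT in the custom chain and in FORWARD, with no DROP for INVALID packets.
LOKKIT_STYLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+) (.*)$")
STATE_RE = re.compile(r"--(?:state|ctstate) (\S+)")  # state or conntrack match

def _scan(ruleset):
    """Yield (line, chain, needs_guard): needs_guard marks a REJECT that is not
    limited to NEW packets and has no earlier INVALID -> DROP in its chain."""
    guarded = set()
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        chain, needs_guard = None, False
        if m:
            chain, body = m.groups()
            sm = STATE_RE.search(body)
            states = set(sm.group(1).split(",")) if sm else set()
            if "INVALID" in states and body.endswith("-j DROP"):
                guarded.add(chain)
            elif "-j REJECT" in body and "NEW" not in states and chain not in guarded:
                needs_guard = True
        yield line, chain, needs_guard

def unguarded_rejects(ruleset):
    """Chains whose REJECT can answer INVALID packets with ICMP errors."""
    return [chain for _, chain, needs in _scan(ruleset) if needs]

def drop_invalid_before_reject(ruleset):
    """Apply the report's fix: DROP INVALID packets right before each REJECT."""
    out, fixed = [], set()
    for line, chain, needs in _scan(ruleset):
        if needs and chain not in fixed:
            out.append(f"-A {chain} -m state --state INVALID -j DROP")
            fixed.add(chain)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `unguarded_rejects` over `iptables-save` output is a quick way to audit a host for the pattern before applying the fix.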
What are you guys saying? Do you think it's a bug? Do you plan to fix it? I need this information to decide what to do with bug 1101522.
Yes, it can be considered a bug in system-config-securitylevel/lokkit. There is also a proposal for a change with REJECT at netfilter upstream: "netfilter: reject: don't send icmp error if packet has invalid checksum"
Here is the link to the latest version of the netfilter patch: http://patchwork.ozlabs.org/patch/440307/
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page: https://access.redhat.com/support/policy/updates/errata This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com , provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.