Red Hat Bugzilla – Bug 129344
Connection tracking information lost when reloading firewall rules
Last modified: 2007-11-30 17:10:47 EST
Description of problem:
If the /etc/sysconfig/iptables file is edited and then reloaded using
iptables restart, connection tracking information is lost. This is
because the ip_conntrack module is unloaded during restart.
If the connection tracking match is used to build a stateless firewall, this
might cause packets from previously established connections to be
dropped. For example, take these two simplified rules for an HTTP server:
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
When iptables restart is run, packets from connections established
before iptables was restarted will start to get dropped until there
is another packet from client to server (that would match the NEW state).
This will more seriously affect connections where traffic is mostly
unidirectional and the direction of traffic matches the second line, which has
only the "ESTABLISHED" match.
A possible solution for this would be to implement a "reload" command in
the iptables script that would ignore the value of IPTABLES_MODULES_UNLOAD
from /etc/sysconfig/iptables-config (or alternatively, there could be a
new variable IPTABLES_MODULES_UNLOAD_ON_RELOAD or such). Something
along the lines of:
IPTABLES_MODULES_UNLOAD = "no"
Steps to Reproduce:
1. Make sure IPTABLES_MODULES_UNLOAD is set to "yes" (default)
2. Restart firewall
3. Watch packets from previously established connections being dropped

I've just noticed a typo I made. "Stateless firewall" should read
"stateful firewall". Stateless firewalls do not use connection
tracking and are not impacted by this.

Just set IPTABLES_MODULES_UNLOAD="no" in /etc/sysconfig/iptables-config.
Closing as "NOT A BUG".
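As an added audit script (not part of the bug report or of Red Hat's init script), the following checks the two conditions the report describes together: the IPTABLES_MODULES_UNLOAD setting that causes ip_conntrack to be unloaded on restart, and rules that match ESTABLISHED without NEW and therefore drop packets of pre-existing connections once the state table is empty. It assumes copies of /etc/sysconfig/iptables-config and /etc/sysconfig/iptables are passed as arguments; the sample files it builds are constructed to mirror the two HTTP rules above.

```shell
#!/bin/sh
# Added audit script (not from the bug report): does this host's iptables
# setup lose established connections on "service iptables restart"?
# Assumed inputs: a copy of /etc/sysconfig/iptables-config (shell variable
# assignments) and of /etc/sysconfig/iptables (iptables-save format).

# Effective IPTABLES_MODULES_UNLOAD value; absent means the default "yes".
modules_unload_setting() {
    val=$(sed -n 's/^[[:space:]]*IPTABLES_MODULES_UNLOAD=["'\'']\{0,1\}\([^"'\'']*\).*/\1/p' "$1" | tail -n 1)
    [ -z "$val" ] && val=yes
    printf '%s\n' "$val"
}

# Rules matching ESTABLISHED without NEW: exactly the ones that start
# dropping packets of pre-existing connections once ip_conntrack is
# unloaded and the state table is empty.
established_only_rules() {
    grep -E -- '--state[[:space:]]+[A-Z,]*ESTABLISHED' "$1" \
        | grep -E -v -- '--state[[:space:]]+[A-Z,]*NEW' || true
}

# Prints "risky" when a restart unloads conntrack AND such rules exist.
restart_risk() {
    if [ "$(modules_unload_setting "$1")" = yes ] \
        && [ -n "$(established_only_rules "$2")" ]; then
        echo risky
    else
        echo safe
    fi
}

# Constructed sample files mirroring the report's two HTTP rules.
tmp=$(mktemp -d)
cat > "$tmp/iptables-config" <<'EOF'
IPTABLES_MODULES_UNLOAD="yes"
EOF
cat > "$tmp/iptables" <<'EOF'
*filter
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
# Same config with the fix from the closing comment applied.
sed 's/^IPTABLES_MODULES_UNLOAD=.*/IPTABLES_MODULES_UNLOAD="no"/' \
    "$tmp/iptables-config" > "$tmp/iptables-config.fixed"

restart_risk "$tmp/iptables-config" "$tmp/iptables"          # risky
restart_risk "$tmp/iptables-config.fixed" "$tmp/iptables"    # safe
```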