Bug 159388 - iptables does not allow packets on loopback with kernel-2.6.11-1.27_FC3
Status: CLOSED DUPLICATE of bug 158710
Product: Fedora
Classification: Fedora
Component: kernel
i686 Linux
Priority: medium, Severity: medium
Assigned To: David Miller
Brian Brock
Reported: 2005-06-02 07:14 EDT by Adam Deacon
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-06-04 01:47:47 EDT

Attachments
kernel-2.6.11-1.14_FC3 (1.84 KB, text/plain)
2005-06-02 07:17 EDT, Adam Deacon
failed connection using kernel-2.6.11-1.27_FC3 (1.68 KB, text/plain)
2005-06-02 07:18 EDT, Adam Deacon

Description Adam Deacon 2005-06-02 07:14:54 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
The following iptables script should allow all packets on the loopback, but drop everything else:

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -i lo  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -o lo  -m state --state NEW  -j ACCEPT
iptables -A OUTPUT  -j DROP
iptables -A INPUT  -j DROP

When you run this with kernel-2.6.11-1.14_FC3 everything works as expected, but with kernel-2.6.11-1.27_FC3 all packets are dropped, even those on the loopback. I'm using iptables-1.2.11-3.1.FC3.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. boot 2.6.11-1.27_FC3
2. add rules as above
3. telnet 25 (or anything else on the loopback)
4. boot 2.6.11-1.14_FC3
5. add rules, telnet to loopback
6. Connection accepted  

Actual Results:  Packets dropped

Expected Results:  Packets on loopback should be allowed (as in 2.6.11-1.14_FC3)

Additional info:
Comment 1 Adam Deacon 2005-06-02 07:17:13 EDT
Created attachment 115080
kernel-2.6.11-1.14_FC3

Successful tcpdump using kernel-2.6.11-1.14_FC3
Comment 2 Adam Deacon 2005-06-02 07:18:12 EDT
Created attachment 115081
failed connection using kernel-2.6.11-1.27_FC3

Failed connection using kernel-2.6.11-1.27_FC3
Comment 3 Dave Jones 2005-06-03 13:43:22 EDT
The only networking changes between .14 and .27 was a rebase from to Nothing obvious jumps out at me looking at the interdiff, but perhaps
davem has clues..
Comment 4 Dave Jones 2005-06-03 13:46:33 EDT
This could be..

which would make this bug a dupe of 158710
Comment 5 David Miller 2005-06-03 14:12:03 EDT
Yes, I believe it is the same exact checksumming bug.
Comment 6 Dave Jones 2005-06-04 01:47:47 EDT

*** This bug has been marked as a duplicate of 158710 ***
Comment 7 Haddon 2005-06-04 02:10:29 EDT
Similar problem experienced with APF Firewall (which uses iptables). Whilst I am
still figuring out the mechanics (new to this), kernel-2.6.11-1.27_FC3 drops any
loopback packets with APF running, no problems when it's not running. No such
problem with 2.6.11-1.14_FC3.

Running on i686.
Comment 8 Dave Jones 2005-06-04 02:15:56 EDT
As mentioned in the bug this is a dupe of, there's a test kernel available on my
people page that should fix this. (link is in the other bug)
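
An added example, not part of the bug report and not kernel or iptables code: a first-match model of the six rules from the description, showing that a loopback packet is accepted only while connection tracking labels it NEW, ESTABLISHED or RELATED. It assumes (the thread does not say so) that the checksumming bug left conntrack classifying loopback packets as INVALID; `Rule`, `verdict`, `loopback_table` and the `STATELESS_LO` variant are hypothetical names.

```python
# Added illustration: first-match evaluation of the ruleset from the report.
# Packet states are constructed samples; the INVALID case is an assumption.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    chain: str                          # "INPUT" or "OUTPUT"
    target: str                         # "ACCEPT" or "DROP"
    iface: Optional[str] = None         # -i (INPUT) / -o (OUTPUT); None = any
    states: Optional[frozenset] = None  # -m state --state ...; None = no match

    def matches(self, chain, iface, state):
        return (self.chain == chain
                and self.iface in (None, iface)
                and (self.states is None or state in self.states))


EST = frozenset({"ESTABLISHED", "RELATED"})
NEW = frozenset({"NEW"})

# The six rules from the description, in the order they were appended.
REPORTED = [
    Rule("INPUT", "ACCEPT", states=EST),
    Rule("OUTPUT", "ACCEPT", states=EST),
    Rule("INPUT", "ACCEPT", iface="lo", states=NEW),
    Rule("OUTPUT", "ACCEPT", iface="lo", states=NEW),
    Rule("OUTPUT", "DROP"),
    Rule("INPUT", "DROP"),
]

# Variant: loopback is accepted first, without consulting conntrack state.
STATELESS_LO = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
] + REPORTED[:2] + REPORTED[4:]


def verdict(rules, chain, iface, state):
    """Target of the first matching rule (default policy ACCEPT if none)."""
    for rule in rules:
        if rule.matches(chain, iface, state):
            return rule.target
    return "ACCEPT"


def loopback_table(rules):
    """Verdict for a loopback packet in each chain, per conntrack state."""
    return {(c, s): verdict(rules, c, "lo", s)
            for c in ("INPUT", "OUTPUT")
            for s in ("NEW", "ESTABLISHED", "RELATED", "INVALID")}
```

With `REPORTED`, every INVALID loopback packet falls through to the final DROP rules in both chains; with `STATELESS_LO`, loopback traffic is accepted regardless of how conntrack classifies it, while non-loopback NEW traffic is still dropped.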
