Hi, the iptables-restore program is broken, as is the init script /etc/init.d/iptables. I have fixed both and submitted both to the netfilter development list, but I thought you might want to fix them in the next release as well... You can find the patch for iptables-restore.c (from netfilter 1.2 CVS, not the one used in the rpm, but it might well be the same) at: http://lists.samba.org/pipermail/netfilter-devel/2001-February/000426.html

And here is the fixed iptables script:

-------cut-here---------
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero, based on the ipchains script:
#   Script Author: Joshua Jensen <joshua>
#   -- hacked up by gafton with help from notting
#
# Modified by Anton Altaparmakov <aia21.uk>:
# Make it work, getting rid of calls to ipchains and fixing all bugs. Tested
# and all options work fine. You also need a fixed iptables-restore executable
# as the one in iptables 1.2 doesn't work. I submitted a patch to the list:
# netfilter-devel.org which fixes it. You can find it here:
# http://lists.samba.org/pipermail/netfilter-devel/2001-February/000426.html
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# Only kernels >= 2.3 have netfilter; bail out quietly on anything older.
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi

start() {
    # don't do squat if we don't have the config file
    if [ -f $IPTABLES_CONFIG ]; then
        echo -n "Applying iptables firewall rules: "
        cat $IPTABLES_CONFIG | /sbin/iptables-restore && \
            success "Applying iptables firewall rules" || \
            failure "Applying iptables firewall rules"
        echo
        touch /var/lock/subsys/iptables
    fi
}

stop() {
    # Note: action only wraps the first command; the nat and mangle flushes
    # run afterwards, unreported, if the filter flush succeeded.
    action "Flushing all chains:" iptables -F && iptables -t nat -F && iptables -t mangle -F
    action "Removing user defined chains:" iptables -X
    echo -n "Resetting built-in chains to the default ACCEPT policy:"
    iptables -P INPUT ACCEPT && \
        iptables -P FORWARD ACCEPT && \
        iptables -P OUTPUT ACCEPT && \
        iptables -t nat -P PREROUTING ACCEPT && \
        iptables -t nat -P POSTROUTING ACCEPT && \
        iptables -t nat -P OUTPUT ACCEPT && \
        iptables -t mangle -P PREROUTING ACCEPT && \
        iptables -t mangle -P OUTPUT ACCEPT && \
        success "Resetting built-in chains to the default ACCEPT policy" || \
        failure "Resetting built-in chains to the default ACCEPT policy"
    echo
    rm -f /var/lock/subsys/iptables
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    start
    ;;
  condrestart)
    [ -e /var/lock/subsys/iptables ] && start
    ;;
  status)
    echo "Table: filter"
    iptables --list
    echo
    echo "Table: nat"
    iptables -t nat --list
    echo
    echo "Table: mangle"
    iptables -t mangle --list
    ;;
  panic)
    # Lock the box down: DROP everything, then throw away all rules.
    echo -n "Changing target policies to DROP: "
    iptables -P INPUT DROP && \
        iptables -P FORWARD DROP && \
        iptables -P OUTPUT DROP && \
        iptables -t nat -P PREROUTING DROP && \
        iptables -t nat -P POSTROUTING DROP && \
        iptables -t nat -P OUTPUT DROP && \
        iptables -t mangle -P PREROUTING DROP && \
        iptables -t mangle -P OUTPUT DROP && \
        success "Changing target policies to DROP" || \
        failure "Changing target policies to DROP"
    echo
    action "Flushing all chains:" iptables -F && iptables -t nat -F && iptables -t mangle -F
    action "Removing user defined chains:" iptables -X
    ;;
  save)
    echo -n "Saving current rules to $IPTABLES_CONFIG: "
    /sbin/iptables-save > $IPTABLES_CONFIG 2>/dev/null && \
        success "Saving current rules to $IPTABLES_CONFIG" || \
        failure "Saving current rules to $IPTABLES_CONFIG"
    echo
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
    exit 1
esac

exit 0
Created attachment 8941: Alternative iptables init script which uses success & failure commands
Looking at the new attached script: on "start" you are restoring counters (iptables-restore -c ...) but on the other hand on "save" you are not saving them (no -c). Also on "stop" there is no saving done at all. Wouldn't that mean that your counters will start at the same values every single time you restart the service, at some random value from when you last did an iptables-save -c...?
I don't know whether we want to save/restore counters at all. So it probably would be best to just leave the "-c" option out.
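The counter mismatch discussed in the two comments above turns on what iptables-save writes with and without -c. As an added example, not part of this bug report or of the init script, the Python below parses a constructed iptables-save -c dump, lists the rule counters that a restore with -c would load back into the kernel, and rewrites the dump into the counter-free form that plain iptables-save (no -c) emits.

```python
import re

# Constructed sample in iptables-save -c format (not taken from the report).
# Policy lines carry "[pkts:bytes]" at the end, rule lines carry it in front.
SAMPLE_WITH_COUNTERS = """\
# Generated by iptables-save v1.2.0 (constructed sample)
*filter
:INPUT ACCEPT [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [42:4200]
[17:1020] -A INPUT -i lo -j ACCEPT
[5:300] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r'^(:\S+ \S+) \[(\d+):(\d+)\]$')
RULE_RE = re.compile(r'^\[(\d+):(\d+)\] (-A .*)$')


def rule_counters(dump):
    """Return [(pkts, bytes, rule)] for every rule line carrying counters.
    These are exactly the values iptables-restore -c would reinstate."""
    found = []
    for line in dump.splitlines():
        m = RULE_RE.match(line)
        if m:
            found.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return found


def has_counters(dump):
    """True if the dump was written with -c (rule lines carry counters)."""
    return bool(rule_counters(dump))


def strip_counters(dump):
    """Rewrite a -c dump into the form plain iptables-save emits: policy
    counters zeroed, rule counters removed. Restoring this, with or without
    -c, starts every counter at zero instead of at a stale saved value."""
    out = []
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            out.append(m.group(1) + ' [0:0]')
            continue
        m = RULE_RE.match(line)
        out.append(m.group(3) if m else line)
    return '\n'.join(out) + '\n'
```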
We (Red Hat) should really try hard to fix this before next release.
A mixture of both initscripts is now in iptables-1.2.0-7. The iptables-restore from CVS was already included.