Bug 25962 - iptables-restore fix and /etc/init.d/iptables fix
Product: Red Hat Linux
Classification: Retired
Component: iptables
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Bernhard Rosenkraenzer
David Lawrence
Florence RC-1
Reported: 2001-02-04 01:55 EST by aia21
Modified: 2007-04-18 12:31 EDT
Doc Type: Bug Fix
Last Closed: 2001-02-05 17:51:15 EST

Attachments:
Alternative iptables init script which uses success & failure commands (4.31 KB, text/plain)
2001-02-04 14:14 EST, Nils Philippsen

Description aia21 2001-02-04 01:55:36 EST

The iptables-restore program is broken, as is the init
script /etc/init.d/iptables.

I have fixed both and submitted both to the netfilter development list, but
I thought you might want to fix them in the next release as well....

You can find the patch for iptables-restore.c (from netfilter 1.2 CVS,
not the one used in the rpm, but it might well be the same) at:

And here is the fixed iptables script:
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
# chkconfig: 2345 08 92
# description: Automates a packet filtering firewall with iptables.
# by bero@redhat.com, based on the ipchains script:
# Script Author:        Joshua Jensen <joshua@redhat.com>
#   -- hacked up by gafton with help from notting
# Modified by Anton Altaparmakov <aia21@cam.ac.uk>:
#  Make it work, getting rid of calls to ipchains and fixing all bugs. 
#  and all options work fine. You also need a fixed iptables-restore 
#  as the one in iptables 1.2 doesn't work. I submitted a patch to the 
#  netfilter-devel@lists.samba.org which fixes it. You can find it here:
#  http://lists.samba.org/pipermail/netfilter-devel/2001-
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

# Rule set that "save" writes and "start" restores; the "config:" line in
# the header above names the same file.
IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

# netfilter needs a 2.3 or later kernel
if [ "$KERNELMAJ" -lt 2 ] ; then
        exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
        exit 0
fi

start() {
        # don't do squat if we don't have the config file
        if [ -f $IPTABLES_CONFIG ]; then
            echo -n "Applying iptables firewall rules: "
                cat $IPTABLES_CONFIG | /sbin/iptables-restore && \
                    success "Applying iptables firewall rules" || \
                    failure "Applying iptables firewall rules"
            touch /var/lock/subsys/iptables
        fi
}

stop() {
        # Flush filter, nat and mangle; keep all three inside one
        # success/failure pair so a failure in nat or mangle is reported too
        # (handing only the first iptables -F to "action" would hide it).
        echo -n "Flushing all chains: "
        iptables -F && iptables -t nat -F && iptables -t mangle -F && \
            success "Flushing all chains" || \
            failure "Flushing all chains"
        action "Removing user defined chains:" iptables -X
        echo -n "Resetting built-in chains to the default ACCEPT policy: "
        iptables -P INPUT ACCEPT && \
           iptables -P FORWARD ACCEPT && \
           iptables -P OUTPUT ACCEPT && \
           iptables -t nat -P PREROUTING ACCEPT && \
           iptables -t nat -P POSTROUTING ACCEPT && \
           iptables -t nat -P OUTPUT ACCEPT && \
           iptables -t mangle -P PREROUTING ACCEPT && \
           iptables -t mangle -P OUTPUT ACCEPT && \
           success "Resetting built-in chains to the default ACCEPT policy" || \
           failure "Resetting built-in chains to the default ACCEPT policy"
        rm -f /var/lock/subsys/iptables
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        # "restart" is really just "start" as this isn't a daemon,
        #  and "start" clears any pre-defined rules anyway.
        #  This is really only here to make those who expect it happy
        start
        ;;
  condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;
  status)
        echo "Table: filter"
        iptables --list
        echo "Table: nat"
        iptables -t nat --list
        echo "Table: mangle"
        iptables -t mangle --list
        ;;
  panic)
        # Fail closed: DROP everything, then throw the rules away.
        echo -n "Changing target policies to DROP: "
        iptables -P INPUT DROP && \
            iptables -P FORWARD DROP && \
            iptables -P OUTPUT DROP && \
            iptables -t nat -P PREROUTING DROP && \
            iptables -t nat -P POSTROUTING DROP && \
            iptables -t nat -P OUTPUT DROP && \
            iptables -t mangle -P PREROUTING DROP && \
            iptables -t mangle -P OUTPUT DROP && \
            success "Changing target policies to DROP" || \
            failure "Changing target policies to DROP"
        echo -n "Flushing all chains: "
        iptables -F && iptables -t nat -F && iptables -t mangle -F && \
            success "Flushing all chains" || \
            failure "Flushing all chains"
        action "Removing user defined chains:" iptables -X
        ;;
  save)
        echo -n "Saving current rules to $IPTABLES_CONFIG: "
        /sbin/iptables-save > $IPTABLES_CONFIG  2>/dev/null && \
          success "Saving current rules to $IPTABLES_CONFIG" || \
          failure "Saving current rules to $IPTABLES_CONFIG"
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
esac

exit 0
Comment 1 Nils Philippsen 2001-02-04 14:14:07 EST
Created attachment 8941
Alternative iptables init script which uses success & failure commands
Comment 2 aia21 2001-02-04 15:35:33 EST
Looking at the new attached script: on "start" you are restoring counters
(iptables-restore -c ...), but on the other hand on "save" you are not saving
them (no -c). Also on "stop" there is no saving done at all. Wouldn't that mean
that your counters will start at the same values every single time you
restart the service, some random values from when you last did an iptables-
save -c...?
Comment 3 Nils Philippsen 2001-02-05 12:29:04 EST
I don't know whether we want to save/restore counters at all. So it probably
would be best to just leave the "-c" option out.
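The -c question in Comments 2 and 3 comes down to the on-disk format: `iptables-save -c` prefixes every rule with its `[packets:bytes]` counters and writes the live counters into each chain's policy line, and `iptables-restore -c` loads those values back, so a file saved once with -c and restored with -c on every boot resets the counters to that stale snapshot. The following is an added example, not part of the bug report or of the Red Hat init script; it uses a constructed `iptables-save -c` dump (the rules and counter values are made up) and runs offline with sed and awk. strip_counters turns such a dump into the counter-free form a plain iptables-save writes, and chain_policies/all_policies_are report the built-in chains' policies, so a script can confirm that a "panic" state really has every policy at DROP and a "stop" state every policy at ACCEPT before trusting either.

```shell
#!/bin/sh
# Added example, not code from the bug report. CONSTRUCTED sample of what
# `iptables-save -c` emits: one "[packets:bytes]" pair on every chain line
# (the policy's counters) and one in front of every rule. Values are made up.
SAMPLE_DUMP='# Generated by iptables-save v1.2.0
*filter
:INPUT DROP [1203:98765]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4420:512000]
[17:1020] -A INPUT -i lo -j ACCEPT
[1186:97745] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [55:3300]
:POSTROUTING ACCEPT [12:800]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed'

# strip_counters: read a "-c" dump on stdin and write the form a plain
# `iptables-save` produces: chain lines keep a zeroed "[0:0]", rule lines
# lose their prefix. Restoring this file (with or without -c) starts every
# counter at zero instead of at whatever was on disk.
strip_counters() {
    sed -e 's/^\(:[^ ]* [A-Z-]*\) \[[0-9]*:[0-9]*\]$/\1 [0:0]/' \
        -e 's/^\[[0-9]*:[0-9]*\] //'
}

# chain_policies: print "table chain policy" for every built-in chain.
# User-defined chains show "-" as their policy and are skipped.
chain_policies() {
    awk '/^\*/ { table = substr($0, 2) }
         /^:/ && $2 != "-" { printf "%s %s %s\n", table, substr($1, 2), $2 }'
}

# all_policies_are POLICY: exit 0 only if every built-in chain in the dump
# on stdin has that policy (DROP after "panic", ACCEPT after "stop").
all_policies_are() {
    want=$1
    chain_policies | awk -v want="$want" \
        'BEGIN { bad = 0 } $3 != want { bad = 1 } END { exit bad }'
}

# Stand-alone demo: counter-free form, then the policy table.
printf '%s\n' "$SAMPLE_DUMP" | strip_counters
printf '%s\n' "$SAMPLE_DUMP" | chain_policies
```

Run it on a live box with `iptables-save -c | strip_counters` to see exactly what the plain `iptables-save` in the init script's "save" action would have written, and with `iptables-save | all_policies_are DROP` after a "panic" to check the fail-closed state.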
Comment 4 Glen Foster 2001-02-05 17:51:11 EST
We (Red Hat) should really try hard to fix this before next release.
Comment 5 Karsten Hopp 2001-02-06 11:02:55 EST
A mixture of both initscripts is now in iptables-1.2.0-7
The iptables-restore from CVS was already included.
