Bug 50500 - iptables-save saves --reject-with icmp-host-prohibited as --reject-with tcp-reset
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2001-07-31 18:34 UTC by Nick Simicich
Modified: 2007-04-18 16:35 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-09-28 09:59:57 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:144 normal SHIPPED_LIVE : Updated iptables packages are available 2001-10-30 05:00:00 UTC

Description Nick Simicich 2001-07-31 18:34:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
The redhat iptables initialization routines depend on iptables-save and

iptables-save does not save the rules defined correctly.  Specifically, so
far as I can tell, every instance of a rule that contains reject-with
icmp-host-prohibited is always changed to --reject-with tcp-reset.

This is true even on rules which do not contain -p tcp.

How reproducible:

Steps to Reproduce:
1. Create a ruleset that contains a rule that includes -j REJECT --reject-with
icmp-host-prohibited.  A specific example:
iptables -A INPUT -s -j REJECT --reject-with icmp-host-
2. iptables -L -v
to verify that the rule was entered correctly.
3. issue iptables-save | less
4. Behold!

Actual Results:  The rule was saved with the clause:
--reject-with tcp-reset

Expected Results:  The rule should have been saved with -j REJECT --reject-with
icmp-host-prohibited

Additional info:

IMHO, this is a security issue.  Before kernel 2.4.3 was released,
warnings were issued that breakins could occur because iptables
allowed "RELATED" bugs to be tracked.  Here we have not only this but
another bug (which I encountered) where rules saved with iptables-save were
not restored because of the fact that --log-prefix with a space in the
string would cause the rule to fail to restore.  This is at least that
severe - rules will be restored wrong and some rules may not be restored
at all.  Warnings should once again be issued that iptables should not be

Comment 1 Bernhard Rosenkraenzer 2001-08-01 13:40:10 UTC
Fixed in 1.2.2-3

Comment 2 Nick Simicich 2001-08-01 15:52:07 UTC
It is good that it is fixed in an upcoming release.  Do you not think that it 
would be worthwhile to issue a warning?

Comment 3 Nick Simicich 2001-08-27 20:09:22 UTC
I'd like to ask that the rawhide modules get promoted to errata and that a 
security errata be released - this is important because the non-rawhide modules 
can silently result in iptables rules not getting reloaded, which could result 
in one's firewall being down after an unwatched reboot.

Comment 4 Klaus Muth 2001-09-28 09:59:52 UTC
iptables-restore does choke on saved rules with -j LOG --log-prefix "anything",
with any argument to --log-prefix containing quotes. The iptables changelog on
netfilter.samba.org marks this problem fixed since version 1.2.1a (March 2001),
so please, please move an updated package to updates and issue a warning.
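
An added check, not part of this report and not code from the iptables package, that covers both the --reject-with round-trip problem in the description and the --log-prefix restore problem raised in this comment: a Python script that audits an iptables-save dump for rules that cannot have been written by hand (a tcp-reset reject on a rule that does not select -p tcp) and for --log-prefix values containing whitespace or quotes, and that diffs the --reject-with values an administrator intended against what the dump contains. The dump, the rule list and the function names are constructed for the example.

```python
"""Sanity checks for an iptables-save dump (added example, not from the
bug report or the iptables project). Flags a '-j REJECT --reject-with
tcp-reset' rule that does not select '-p tcp' (tcp-reset is only valid
for TCP, so such a rule was almost certainly mis-saved), flags a
'--log-prefix' value containing whitespace or quotes that may not
restore, and diffs the --reject-with values an administrator intended
against what the dump contains. All sample rules are constructed."""
import shlex

# Constructed dump in iptables-save format (not from a real system).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.0.2.0/24 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 137 -j LOG --log-prefix "netbios probe "
-A INPUT -j LOG --log-prefix dropped
COMMIT
"""

# What the administrator actually typed (constructed to match SAMPLE_DUMP).
INTENDED_RULES = [
    "iptables -A INPUT -s 10.0.0.0/8 -j REJECT --reject-with icmp-host-prohibited",
    "iptables -A INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset",
    "iptables -A INPUT -s 192.0.2.0/24 -j REJECT --reject-with icmp-host-prohibited",
]

def parse_rule(line):
    """Map each option of one rule line to its value (True for bare flags).
    Words without a dash, such as a leading 'iptables', are skipped; '!'
    negation and multi-value options are not handled."""
    tokens = shlex.split(line)
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("-"):
                opts[tok] = nxt
                i += 1
            else:
                opts[tok] = True
        i += 1
    return opts

def audit_dump(dump_text):
    """Return (line number, finding, rule) for every suspicious rule."""
    findings = []
    for lineno, raw in enumerate(dump_text.splitlines(), 1):
        if not raw.startswith("-A "):
            continue  # comments, '*table', ':CHAIN policy', COMMIT
        opts = parse_rule(raw)
        target = opts.get("-j")
        if (target == "REJECT" and opts.get("--reject-with") == "tcp-reset"
                and opts.get("-p") != "tcp"):
            findings.append((lineno, "tcp-reset-without-tcp", raw))
        prefix = opts.get("--log-prefix")
        if target == "LOG" and isinstance(prefix, str) and (
                any(ch.isspace() for ch in prefix) or '"' in prefix):
            findings.append((lineno, "fragile-log-prefix", raw))
    return findings

def _selector_key(opts):
    """Everything identifying a rule except the reject type; '-m' is dropped
    because iptables-save inserts it ('-m tcp') on its own."""
    return tuple(sorted((k, v) for k, v in opts.items()
                        if k not in ("--reject-with", "-m")))

def reject_with_changes(intended_rules, dump_text):
    """Match each intended REJECT rule to the saved rule with the same
    selectors; return (intended, saved, rule) where --reject-with differs
    (saved is None when no saved rule matched)."""
    saved = {}
    for raw in dump_text.splitlines():
        if raw.startswith("-A "):
            opts = parse_rule(raw)
            saved[_selector_key(opts)] = opts.get("--reject-with")
    changes = []
    for cmd in intended_rules:
        opts = parse_rule(cmd)
        if opts.get("-j") == "REJECT":
            want, got = opts.get("--reject-with"), saved.get(_selector_key(opts))
            if want != got:
                changes.append((want, got, cmd))
    return changes

if __name__ == "__main__":
    for lineno, what, rule in audit_dump(SAMPLE_DUMP):
        print(f"line {lineno}: {what}: {rule}")
    for want, got, cmd in reject_with_changes(INTENDED_RULES, SAMPLE_DUMP):
        print(f"--reject-with {want} became {got!r}: {cmd}")
```

Running audit_dump over real iptables-save output before a reboot turns the silent corruption the reporter describes into a visible finding; reject_with_changes is the stronger check when the intended rules are kept in a script, because it also catches a changed reject type that happens to remain syntactically valid (a TCP rule whose icmp-host-prohibited became tcp-reset).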
