Bug 50500 - iptables-save saves --reject-with icmp-host-prohibited as --reject-with tcp-reset
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
Version: 7.1
Platform: i386 Linux
Priority: medium  Severity: medium
Assigned To: Bernhard Rosenkraenzer
David Lawrence
: Security
Reported: 2001-07-31 14:34 EDT by Nick Simicich
Modified: 2007-04-18 12:35 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-09-28 05:59:57 EDT
Description Nick Simicich 2001-07-31 14:34:39 EDT
Description of problem:
The redhat iptables initialization routines depend on iptables-save and 
iptables-restore.  

iptables-save does not save the rules defined correctly.  Specifically, so
far as I can tell, every instance of a rule that contains --reject-with
icmp-host-prohibited is always changed to --reject-with tcp-reset.

This is true even on rules which do not contain -p tcp.

How reproducible:
Always

Steps to Reproduce:
1. Create a ruleset that contains a rule that includes
-j REJECT --reject-with icmp-host-prohibited.  A specific example:
iptables -A INPUT -s 199.74.152.254/32 -j REJECT --reject-with icmp-host-prohibited
2. iptables -L -v
to verify that the rule was entered correctly.
3. issue iptables-save | less
4. Behold!

Actual Results:  The rule was saved with the clause:
--reject-with tcp-reset

Expected Results:  The rule should have been saved with
-j REJECT --reject-with icmp-host-prohibited

Additional info:

IMHO, this is a security issue.  Before kernel 2.4.3 was released,
warnings were issued that breakins could occur because iptables
allowed "RELATED" bugs to be tracked.  Here we have not only this but
another bug (which I encountered) where rules saved with iptables-save were
not restored because of the fact that --log-prefix with a space in the
string would cause the rule to fail to restore.  This is at least that
severe - rules will be restored wrong and some rules may not be restored
at all.  Warnings should once again be issued that iptables should not be
used.
Comment 1 Bernhard Rosenkraenzer 2001-08-01 09:40:10 EDT
Fixed in 1.2.2-3
Comment 2 Nick Simicich 2001-08-01 11:52:07 EDT
It is good that it is fixed in an upcoming release.  Do you not think that it 
would be worthwhile to issue a warning?
Comment 3 Nick Simicich 2001-08-27 16:09:22 EDT
I'd like to ask that the rawhide modules get promoted to errata and that a 
security errata be released - this is important because the non-rawhide modules 
can silently result in iptables rules not getting reloaded, which could result 
in one's firewall being down after an unwatched reboot.
Comment 4 Klaus Muth 2001-09-28 05:59:52 EDT
iptables-restore does choke on saved rules with -j LOG --log-prefix "anything",
with any argument to --log-prefix containing quotes. The iptables changelog on
netfilter.samba.org marks this problem fixed since version 1.2.1a (March 2001),
so please, please move an updated package to updates and issue a warning.
