Red Hat Bugzilla – Bug 50500
iptables-save saves --reject-with icmp-host-prohibited as --reject-with tcp-reset
Last modified: 2007-04-18 12:35:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Description of problem:
The Red Hat iptables initialization routines depend on iptables-save, and iptables-save does not save the rules defined correctly. Specifically, so far as I can tell, every instance of a rule that contains --reject-with icmp-host-prohibited is always changed to --reject-with tcp-reset.
This is true even on rules which do not contain -p tcp.
Steps to Reproduce:
1. Create a ruleset that contains a rule that includes -j REJECT --reject-with icmp-host-prohibited. A specific example:
iptables -A INPUT -s 220.127.116.11/32 -j REJECT --reject-with icmp-host-
2. iptables -L -v
to verify that the rule was entered correctly.
3. issue iptables-save | less
Actual Results: The rule was saved with the clause:
Expected Results: The rule should have been saved with -j REJECT --reject-
IMHO, this is a security issue. Before kernel 2.4.3 was released, warnings were issued that break-ins could occur because iptables allowed "RELATED" bugs to be tracked. Here we have not only this but another bug (which I encountered) where rules saved with iptables-save were not restored because of the fact that --log-prefix with a space in the string would cause the rule to fail to restore. This is at least that severe - rules will be restored wrong and some rules may not be restored at all. Warnings should once again be issued that iptables should not be
Fixed in 1.2.2-3
It is good that it is fixed in an upcoming release. Do you not think that it
would be worthwhile to issue a warning?
I'd like to ask that the rawhide modules get promoted to errata and that a
security errata be released - this is important because the non-rawhide modules
can silently result in iptables rules not getting reloaded, which could result
in one's firewall being down after an unwatched reboot.
iptables-restore does choke on saved rules with -j LOG --log-prefix "anything", with any argument to --log-prefix containing quotes. The iptables changelog on netfilter.samba.org marks this problem fixed since version 1.2.1a (March 2001), so please, please move an updated package to updates and issue a warning.
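An added example, not from the bug report or from the iptables project: an offline audit of iptables-save output that flags the two restore problems this thread describes, a REJECT rule that came back as --reject-with tcp-reset without -p tcp (which iptables-restore cannot load), and a LOG rule whose --log-prefix contains whitespace. The sample ruleset and the addresses in it are constructed; run the real check as `iptables-save | python3 audit.py` before trusting a saved ruleset across a reboot.

```python
import shlex
import sys

# Constructed iptables-save output (not from the report). The first rule shows the
# symptom described in the bug: icmp-host-prohibited was saved as tcp-reset on a
# rule that has no "-p tcp".
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.10/32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix "dropped input "
-A INPUT -j LOG --log-prefix dropped
COMMIT
"""

def parse_rules(text):
    """Yield (original_line, tokens) for each '-A' rule; skip table/chain/COMMIT lines."""
    for line in text.splitlines():
        if line.startswith("-A "):
            yield line, shlex.split(line)   # shlex honours the quoting iptables-save emits

def option_value(tokens, *names):
    """Value following the first of the given option names, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def audit_saved_rules(text):
    """Return [(rule_line, reason)] for saved rules that will not restore as intended."""
    findings = []
    for line, tokens in parse_rules(text):
        target = option_value(tokens, "-j", "--jump")
        proto = option_value(tokens, "-p", "--protocol")
        if target == "REJECT" and option_value(tokens, "--reject-with") == "tcp-reset" \
                and proto not in ("tcp", "6"):
            findings.append((line, "tcp-reset without -p tcp: invalid rule, restore fails "
                                   "(matches the icmp-host-prohibited save bug)"))
        prefix = option_value(tokens, "--log-prefix")
        if target == "LOG" and prefix is not None and any(c.isspace() for c in prefix):
            findings.append((line, "--log-prefix contains whitespace: reported to break "
                                   "iptables-restore in affected versions"))
    return findings

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAVE
    for rule, reason in audit_saved_rules(data):
        print(f"{reason}\n    {rule}")
```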