From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

Description of problem:
The redhat iptables initialization routines depend on iptables-save and iptables-restore. iptables-save does not save the rules defined correctly. Specifically, so far as I can tell, every instance of a rule that contains --reject-with icmp-host-prohibited is always changed to --reject-with tcp-reset. This is true even on rules which do not contain -p tcp.

How reproducible:
Always

Steps to Reproduce:
1. Create a ruleset that contains a rule that includes -j REJECT --reject-with icmp-host-prohibited. A specific example:
   iptables -A INPUT -s 199.74.152.254/32 -j REJECT --reject-with icmp-host-prohibited
2. iptables -L -v to verify that the rule was entered correctly.
3. issue iptables-save | less
4. Behold!

Actual Results:
The rule was saved with the clause: --reject-with tcp-reset

Expected Results:
The rule should have been saved with -j REJECT --reject-with icmp-host-prohibited

Additional info:
IMHO, this is a security issue. Before kernel 2.4.3 was released, warnings were issued that breakins could occur because iptables allowed "RELATED" bugs to be tracked. Here we have not only this but another bug (which I encountered) where rules saved with iptables-save were not restored because of the fact that --log-prefix with a space in the string would cause the rule to fail to restore. This is at least that severe - rules will be restored wrong and some rules may not be restored at all. Warnings should once again be issued that iptables should not be used.
Fixed in 1.2.2-3
It is good that it is fixed in an upcoming release. Do you not think that it would be worthwhile to issue a warning?
I'd like to ask that the rawhide modules get promoted to errata and that a security errata be released - this is important because the non-rawhide modules can silently result in iptables rules not getting reloaded, which could result in one's firewall being down after an unwatched reboot.
iptables-restore does choke on saved rules with -j LOG --log-prefix "anything", with any argument to --log-prefix containing quotes. The iptables changelog on netfilter.samba.org marks this problem fixed since version 1.2.1a (March 2001), so please, please move an updated package to updates and issue a warning.
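Both symptoms in this thread (a REJECT rule rewritten to tcp-reset on a rule with no -p tcp, and a --log-prefix with whitespace or quotes that old iptables-restore cannot parse) are visible in the text iptables-save emits, so an admin can audit the saved file before trusting a reboot to restore it. The checker below is an added example, not code from the bug report or the iptables project; the SAMPLE_SAVE ruleset is constructed for illustration.

```python
import shlex

# Constructed sample of iptables-save output (not from the bug report). Line 3
# shows the reject-type rewrite on a rule without -p tcp; line 5 shows a
# --log-prefix containing a space.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 199.74.152.254/32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix "dropped packet: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def _option(args, names):
    """Return the value following the first option in `names`, or None.
    A preceding "!" marks a negated match, which is also reported as None."""
    for i, tok in enumerate(args[:-1]):
        if tok in names and (i == 0 or args[i - 1] != "!"):
            return args[i + 1]
    return None

def check_saved_rules(text):
    """Scan iptables-save output and return (line number, reason) pairs for
    rules that are invalid or known to trip iptables-restore before 1.2.1a."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("-A "):
            continue                      # *table, chain policies, COMMIT
        args = shlex.split(line)          # honours the quoting iptables-save emits
        target = _option(args, ("-j", "--jump"))
        if target == "REJECT":
            proto = _option(args, ("-p", "--protocol"))
            if _option(args, ("--reject-with",)) == "tcp-reset" and proto not in ("tcp", "6"):
                findings.append((lineno, "tcp-reset reject type on a rule without -p tcp "
                                         "(only valid for TCP); rule was likely rewritten"))
        elif target == "LOG":
            prefix = _option(args, ("--log-prefix",))
            if prefix is not None and (" " in prefix or '"' in prefix):
                findings.append((lineno, "--log-prefix with whitespace or quotes; "
                                         "not restorable by iptables-restore before 1.2.1a"))
    return findings

if __name__ == "__main__":
    for lineno, reason in check_saved_rules(SAMPLE_SAVE):
        print(f"line {lineno}: {reason}")
```

Run it as `iptables-save | python3 check_rules.py` style input (reading stdin instead of SAMPLE_SAVE) after saving and before the next reboot; any finding means the restored firewall will not match the running one.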