Bug 524594 - /etc/init.d/iptables status doesn't work properly
Summary: /etc/init.d/iptables status doesn't work properly
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 11
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2009-09-21 12:18 UTC by Aurélien Cedeyn
Modified: 2009-11-12 14:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-11-11 13:04:52 UTC


Description Aurélien Cedeyn 2009-09-21 12:18:08 UTC
Description of problem:


When I ask whether the iptables service is running or not (service iptables status), it says that it is, but no filters are present.

I am using puppet and I ask it to stop the iptables service, so every time it says that iptables is running, but it's not really (no rules are defined).

Version-Release number of selected component (if applicable):
[root@fortoy83 ~]# uname -a
Linux fortoy83 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

[root ~]# /etc/init.d/iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]

[root ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Expected results:
[root ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

Additional info:
[root ~]# grep -i nf_conntrack= /boot/config-

It seems that because the netfilter is not a module, the table filter exists even if no configuration is made.
I think there are 2 solutions:

1- correct the init script to have a good behaviour
2- compile nf_filter as a module


Comment 1 Thomas Woerner 2009-11-11 13:04:52 UTC
service iptables status is reporting that there is a firewall active. The firewall does not contain any rules, and the policy is accept, but the netfilter parts in the kernel are active, therefore the script has to report that a firewall is active.

service iptables status is reporting a firewall even if it contains no rules and this has been the case since it was created. The service has to report an empty firewall. Please think of an empty firewall with the policy drop in a chain.

Closing as not a bug.
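The two comments above disagree on what "status" should mean: the init script reports the firewall as active whenever netfilter is present, while the reporter wants "not running" once the rules are gone. The script below is an added example (not Fedora's iptables init script) that implements the stricter interpretation and still honours Comment 1's caveat: a chain with no rules but a DROP policy counts as an active firewall. It parses iptables-save format from constructed sample rulesets so it runs offline; on a real host you would feed it the output of iptables-save instead.

```shell
#!/bin/sh
# Added example: classify an iptables-save style ruleset as "empty" or "active".
#   empty  = every built-in chain policy is ACCEPT and there are no rules
#   active = at least one rule, or a built-in chain with a non-ACCEPT policy
#            (an empty chain with policy DROP is still a firewall, per Comment 1)
# The three rulesets below are constructed samples for this example, not output
# captured from the reporter's machine.

EMPTY_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

DROP_POLICY_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

RULES_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# classify_ruleset RULESET_TEXT  -> prints "empty" or "active"
classify_ruleset() {
    ruleset=$1
    active=0
    while IFS= read -r line; do
        case "$line" in
            ":"*)
                # Chain header such as ":INPUT DROP [0:0]". User-defined
                # chains carry the policy placeholder "-" and are not a policy.
                set -- $line
                if [ "$2" != "ACCEPT" ] && [ "$2" != "-" ]; then
                    active=1
                fi
                ;;
            "-A "*)
                # Any appended rule means filtering is in effect.
                active=1
                ;;
        esac
    done <<EOF
$ruleset
EOF
    if [ "$active" -eq 1 ]; then echo active; else echo empty; fi
}

# report_status RULESET_TEXT -> prints the message the reporter expected and
# returns LSB status codes (0 = running, 3 = not running) so a configuration
# tool such as puppet can act on the exit code rather than on printed tables.
report_status() {
    if [ "$(classify_ruleset "$1")" = active ]; then
        echo "iptables: Firewall is active (rules or a non-ACCEPT policy are present)."
        return 0
    fi
    echo "iptables: Firewall is not running."
    return 3
}

# Stand-alone demonstration on the constructed samples.
if [ "${DEMO:-1}" = 1 ]; then
    report_status "$EMPTY_RULESET"        || echo "exit code: $?"
    report_status "$DROP_POLICY_RULESET"  || echo "exit code: $?"
    report_status "$RULES_RULESET"        || echo "exit code: $?"
fi
```

On a live system, `classify_ruleset "$(iptables-save)"` (as root) gives the rules-based answer; note that it deliberately differs from the shipped init script, which treats a loaded netfilter with empty ACCEPT chains as a running firewall. Whichever definition a site adopts, the exit code is what an automation tool should key on, since the printed chain listing is identical for "no rules" and "rules flushed".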

Comment 2 Aurélien Cedeyn 2009-11-12 14:07:19 UTC
I understand that some people need to have iptables active on their systems. But if I want to disable it, I need to rebuild a kernel...
I think that this solution is not really good.

It will be easier to have nf_filter built as a module and NOT compiled directly into the kernel.

Now, when I stop the iptables service, the status command should say "I am not running", but it says "I am running"... There is some incoherence here, don't you think?

I think the iptables init script should unload the nf_filter module to ensure that this service is stopped (but this is not possible right now because nf_filter is built into the kernel).
