Bug 53950 - Bad: iptables rules stop working
Summary: Bad: iptables rules stop working
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.2
Hardware: i386
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-09-24 03:09 UTC by Richard Allen
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-10-24 20:26:13 UTC
Embargoed:



Description Richard Allen 2001-09-24 03:09:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Description of problem:
Adding iptables rules can make other rules fail without warning.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
[root@localhost root]# iptables --version
iptables v1.2.3

[root@localhost root]# uname -a
Linux localhost.localdomain 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown

[root@localhost root]# cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)

# Flush the iptables
[root@localhost root]# iptables -F

# Reject all access to port 25 tcp
[root@localhost root]# iptables -A INPUT -p tcp --syn --dport 25 -j REJECT

# Testing the rule. Connect is refused (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows one connection per day to the SMTP port.
[root@localhost root]# iptables -I INPUT -p tcp --dport 25 -m limit --limit 1/day --limit-burst 1 -j ACCEPT

# The connection is let through because of the limit (again normal).
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:50:12 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.

# Try again, blocked because of limit (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows access to port 21 tcp, nothing to do with port 25.
[root@localhost root]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT

# Try to connect again to port 25 and it goes through (weird!)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:51:19 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.


Actual Results:  Access to port 25 was granted.

Expected Results:  It should continue to refuse connections to port 25.

Additional info:

Comment 1 Richard Allen 2001-10-24 16:24:20 UTC
This one is getting old and still not assigned to anyone

Comment 2 Michael Schwendt 2001-10-24 20:26:07 UTC
True, but further connections will be rejected again in accordance with the
limit of 1/day.

Actually you can even modify your test case a bit and replace the rule that
accepts TCP on port 21 with an instruction that flushes an arbitrary chain in
the filter table. For instance, "iptables -F dummychain" after that one has been
created first. 

Seems that any modification to the filter table resets internal rate counters.
The call to iptc_commit() is involved (it does a system call "setsockopt(sockfd,
TC_IPPROTO, SO_SET_ADD_COUNTERS,....)"). Probably this is intended so modified
filter rules can be tested better.

Comment 3 Bernhard Rosenkraenzer 2001-10-30 11:47:43 UTC
Just heard back from one of the maintainers, it's indeed intended.
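Added example, not code from this bug report or from iptables/netfilter: a simplified Python model of the `limit` match's token bucket and of what a table commit does to it, following the explanation in Comment 2. The bucket arithmetic (one packet costs `1/rate` seconds of credit, the bucket holds `burst` packets' worth and refills with elapsed time) is a simplification of the kernel's ipt_limit credit scheme; the simulated clock, the rule/chain classes and the default ACCEPT policy are assumptions made for the model. `Chain.commit` encodes the observation that every commit reloads the whole table, so each rule gets a fresh, full bucket.

```python
"""Model of iptables `limit` state being reset by any table commit (added example)."""
from dataclasses import dataclass, field, replace
from typing import List, Optional

SECONDS_PER_DAY = 86400.0


@dataclass
class LimitState:
    """Per-rule token bucket, created fresh whenever the rule is loaded into the kernel."""
    rate_per_sec: float          # --limit, as packets per second (1/day = 1/86400)
    burst: int                   # --limit-burst
    last: float                  # simulated clock value of the last refill (assumption)
    cost: float = field(init=False)
    credit_cap: float = field(init=False)
    credit: float = field(init=False)

    def __post_init__(self) -> None:
        self.cost = 1.0 / self.rate_per_sec       # credit (seconds) one packet consumes
        self.credit_cap = self.burst * self.cost   # a freshly loaded rule starts full
        self.credit = self.credit_cap

    def match(self, now: float) -> bool:
        """Refill by elapsed time, then spend one packet's cost if available."""
        self.credit = min(self.credit_cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


@dataclass
class Rule:
    dport: int
    target: str                          # "ACCEPT" or "REJECT"
    limit: Optional[LimitState] = None   # present for rules using -m limit


class Chain:
    """A single INPUT-like chain; policy ACCEPT is an assumption of the model."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def commit(self, rules: List[Rule], now: float) -> None:
        """Model of iptc_commit(): the whole table is re-sent to the kernel, so every
        rule, changed or not, comes back with a brand-new (full) limit bucket."""
        self.rules = [
            replace(r, limit=LimitState(r.limit.rate_per_sec, r.limit.burst, now))
            if r.limit is not None else replace(r)
            for r in rules
        ]

    def append(self, rule: Rule, now: float) -> None:   # iptables -A
        self.commit(self.rules + [rule], now)

    def insert(self, rule: Rule, now: float) -> None:   # iptables -I (position 1)
        self.commit([rule] + self.rules, now)

    def verdict(self, dport: int, now: float) -> str:
        for r in self.rules:
            if r.dport != dport:
                continue
            if r.limit is not None and not r.limit.match(now):
                continue                 # limit exhausted: fall through to later rules
            return r.target
        return "ACCEPT"                  # chain policy (assumption)


def reproduce_report() -> List[str]:
    """The reporter's sequence: REJECT rule, 1/day ACCEPT rule, an unrelated port-21 rule."""
    chain = Chain()
    chain.append(Rule(25, "REJECT"), 0.0)
    verdicts = [chain.verdict(25, 0.0)]                                  # refused
    chain.insert(Rule(25, "ACCEPT", LimitState(1 / SECONDS_PER_DAY, 1, 0.0)), 0.0)
    verdicts.append(chain.verdict(25, 1.0))                              # burst of 1 used
    verdicts.append(chain.verdict(25, 2.0))                              # refused again
    chain.insert(Rule(21, "ACCEPT"), 3.0)   # unrelated change, but it is a full commit
    verdicts.append(chain.verdict(25, 4.0))                              # bucket is full again
    return verdicts


def intended_refill() -> List[str]:
    """Without any further commit the bucket only refills after the configured interval."""
    chain = Chain()
    chain.append(Rule(25, "REJECT"), 0.0)
    chain.insert(Rule(25, "ACCEPT", LimitState(1 / SECONDS_PER_DAY, 1, 0.0)), 0.0)
    return [
        chain.verdict(25, 1.0),
        chain.verdict(25, 2.0),
        chain.verdict(25, 2.0 + SECONDS_PER_DAY),   # a day later one more is allowed
    ]


if __name__ == "__main__":
    print("as reported:", reproduce_report())
    print("no commit:  ", intended_refill())
```

`reproduce_report()` returns the same verdict sequence the telnet sessions above show (REJECT, ACCEPT, REJECT, ACCEPT), while `intended_refill()` shows the behaviour the reporter expected, where the third connection succeeds only after a day has elapsed. The practical consequence for the kernel this report was filed against is the one Comment 2 states: any tooling that re-commits the table (a periodic rule reload, a script that adds rules one by one) reopens every `limit` burst window, so a rate limit should not be relied on across rule changes.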


