Bug 53950 - Bad: iptables rules stop working
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.2
Platform: i386 Linux
Priority: high
Severity: medium
Assigned To: Bernhard Rosenkraenzer
: Security
Reported: 2001-09-23 23:09 EDT by Richard Allen
Modified: 2008-05-01 11:38 EDT
Last Closed: 2001-10-24 16:26:13 EDT
Doc Type: Bug Fix
Attachments: None
Description Richard Allen 2001-09-23 23:09:19 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Description of problem:
Adding iptables rules can make other rules fail without warning.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
[root@localhost root]# iptables --version
iptables v1.2.3

[root@localhost root]# uname -a
Linux localhost.localdomain 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 
unknown

[root@localhost root]# cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)

# Flush the iptables
[root@localhost root]# iptables -F

# Reject all access to port 25 tcp
[root@localhost root]# iptables -A INPUT -p tcp --syn --dport 25 -j REJECT

# Testing the rule. Connect is refused (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows one connection per day to the SMTP port.
[root@localhost root]# iptables -I INPUT -p tcp --dport 25 -m limit --limit 1/day --limit-burst 1 -j ACCEPT

# The connection is let through because of the limit (again normal).
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:50:12 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.

# Try again, blocked because of limit (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows access to port 21 tcp, nothing to do with port 25.
[root@localhost root]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT

# Try to connect again to port 25 and it goes through (weird!)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:51:19 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.


Actual Results:  Access to port 25 was granted.

Expected Results:  It should continue to refuse connections to port 25

Additional info:
Comment 1 Richard Allen 2001-10-24 12:24:20 EDT
This one is getting old and still not assigned to anyone
Comment 2 Michael Schwendt 2001-10-24 16:26:07 EDT
True, but further connections will be rejected again in accordance with the limit of 1/day.

Actually you can even modify your test case a bit and replace the rule that
accepts TCP on port 21 with an instruction that flushes an arbitrary chain in
the filter table. For instance, "iptables -F dummychain" after that one has been
created first. 

Seems that any modification to the filter table resets internal rate counters.
The call to iptc_commit() is involved (it does a system call "setsockopt(sockfd,
TC_IPPROTO, SO_SET_ADD_COUNTERS,....)"). Probably this is intended so modified
filter rules can be tested better.
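A small model of the behaviour described in this comment, added here as an illustration (it is not code from the report or from iptables): the `limit` match is a token bucket kept inside the loaded rule, and because a commit installs a complete new copy of the filter table, every bucket starts over full. The class names, the default ACCEPT policy after `iptables -F`, and the simplified bucket arithmetic (whole credits, time in seconds) are assumptions of this example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List

@dataclass
class LimitMatch:
    """Token bucket behind `-m limit --limit RATE --limit-burst N` (simplified: seconds, 1 credit/packet)."""
    per_second: float   # 1/86400 for --limit 1/day
    burst: int          # --limit-burst
    def __post_init__(self):
        self.credit = float(self.burst)  # a freshly loaded rule starts with a full bucket
        self.prev = 0.0
    def matches(self, now: float) -> bool:
        # Refill for the time elapsed since the last packet, capped at the burst size.
        self.credit = min(float(self.burst), self.credit + (now - self.prev) * self.per_second)
        self.prev = now
        if self.credit < 1.0:
            return False
        self.credit -= 1.0
        return True

# One filter rule: destination port, target, and an optional limit match (assumed shape).
Rule = namedtuple("Rule", "dport target limit", defaults=(None,))

class FilterTable:
    """A commit replaces the whole table, so every limit bucket is rebuilt from its definition."""
    def __init__(self):
        self.rules: List[Rule] = []

    def commit(self, rules: List[Rule]) -> None:
        self.rules = [Rule(r.dport, r.target, LimitMatch(r.limit.per_second, r.limit.burst)
                           if r.limit else None) for r in rules]

    def verdict(self, dport: int, now: float) -> str:
        for r in self.rules:
            if r.dport == dport and (r.limit is None or r.limit.matches(now)):
                return r.target
        return "ACCEPT"  # assumed default INPUT policy after `iptables -F`

def reproduce() -> List[str]:
    """Replays the report's session; returns the outcome of each telnet attempt."""
    table, reject_smtp = FilterTable(), Rule(25, "REJECT")
    limited_smtp = Rule(25, "ACCEPT", LimitMatch(1 / 86400, 1))
    table.commit([reject_smtp])                 # -A INPUT -p tcp --syn --dport 25 -j REJECT
    outcomes = [table.verdict(25, 1.0)]
    table.commit([limited_smtp, reject_smtp])   # -I INPUT ... -m limit --limit 1/day --limit-burst 1 -j ACCEPT
    outcomes += [table.verdict(25, 2.0), table.verdict(25, 3.0)]
    table.commit([Rule(21, "ACCEPT"), limited_smtp, reject_smtp])  # -I INPUT -p tcp --dport 21 -j ACCEPT
    outcomes.append(table.verdict(25, 4.0))     # fresh bucket: accepted again
    return outcomes
```

The point for anyone relying on `limit` as a control: its state lives only in the loaded table, so any rule reload, even for an unrelated chain, grants a fresh burst.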
Comment 3 Bernhard Rosenkraenzer 2001-10-30 06:47:43 EST
Just heard back from one of the maintainers, it's indeed intended.
