From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)

Description of problem:
Adding iptables rules can make other rules fail without warning.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
[root@localhost root]# iptables --version
iptables v1.2.3
[root@localhost root]# uname -a
Linux localhost.localdomain 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
[root@localhost root]# cat /etc/redhat-release
Red Hat Linux release 7.2 (Enigma)

# Flush the iptables
[root@localhost root]# iptables -F

# Reject all access to port 25 tcp
[root@localhost root]# iptables -A INPUT -p tcp --syn --dport 25 -j REJECT

# Testing the rule. Connection is refused (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows one connection per day to the SMTP port.
[root@localhost root]# iptables -I INPUT -p tcp --dport 25 -m limit --limit 1/day --limit-burst 1 -j ACCEPT

# The connection is let through because of the limit (again normal).
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:50:12 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.

# Try again, blocked because of limit (normal)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

# Insert a rule that allows access to port 21 tcp, nothing to do with port 25.
[root@localhost root]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT

# Try to connect again to port 25 and it goes through (weird!)
[root@localhost root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 localhost.localdomain ESMTP Sendmail 8.11.6/8.11.6; Thu, 20 Sep 2001 19:51:19 GMT
quit
221 2.0.0 localhost.localdomain closing connection
Connection closed by foreign host.

Actual Results:
Access to port 25 was granted.

Expected Results:
It should continue to refuse connections to port 25.

Additional info:
This one is getting old and still not assigned to anyone
True, but further connections will be rejected again in accordance with the limit of 1/day. Actually you can even modify your test case a bit and replace the rule that accepts TCP on port 21 with an instruction that flushes an arbitrary chain in the filter table. For instance, "iptables -F dummychain" after that one has been created first. Seems that any modification to the filter table resets internal rate counters. The call to iptc_commit() is involved (it does a system call "setsockopt(sockfd, TC_IPPROTO, SO_SET_ADD_COUNTERS,....)"). Probably this is intended so modified filter rules can be tested better.
Just heard back from one of the maintainers, it's indeed intended.
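The behaviour in the report, and the explanation in the comment above that any table modification goes through iptc_commit() and rebuilds the matches, can be seen in a small model. The following Python is an added example written for this page; it is not code from the bug report, from iptables or from the netfilter kernel code. It models the limit match as a token bucket (the real ipt_limit uses jiffies-based integer credits, so the arithmetic here is a simplification) and models a commit as replacing every live rule object, which is what discards the bucket state. Class and function names (LimitMatch, FilterTable, reproduce_report) are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: model of the iptables "limit" match and of table commits.
# Not netfilter code; names and the float-based bucket are assumptions.


class LimitMatch:
    """Token bucket in the style of the limit match.

    Each matching packet costs `cost` seconds of credit, credit refills with
    wall-clock time, and the bucket holds at most `burst` packets' worth.
    The bucket starts full, so the first `burst` packets always match.
    The state lives inside the rule: it is lost when the rule is rebuilt.
    """

    def __init__(self, rate_per_sec: float, burst: int, now: float):
        self.cost = 1.0 / rate_per_sec      # seconds of credit per packet
        self.cap = burst * self.cost        # bucket capacity
        self.credit = self.cap              # starts full
        self.last = now

    def match(self, now: float) -> bool:
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


@dataclass
class RuleSpec:
    dport: int
    target: str                               # "ACCEPT" or "REJECT"
    limit: Optional[Tuple[float, int]] = None  # (rate_per_sec, burst)


class FilterTable:
    """User-space rule list plus the 'kernel' copy rebuilt on every commit."""

    def __init__(self):
        self.specs: List[RuleSpec] = []
        self.rules: List[Tuple[RuleSpec, Optional[LimitMatch]]] = []

    def commit(self, now: float) -> None:
        # Model of iptc_commit(): the whole table is pushed down at once and
        # every match's private state (the bucket) is created from scratch.
        self.rules = [
            (s, LimitMatch(s.limit[0], s.limit[1], now) if s.limit else None)
            for s in self.specs
        ]

    def append(self, spec: RuleSpec, now: float) -> None:  # iptables -A
        self.specs.append(spec)
        self.commit(now)

    def insert(self, spec: RuleSpec, now: float) -> None:  # iptables -I
        self.specs.insert(0, spec)
        self.commit(now)

    def flush_unrelated_chain(self, now: float) -> None:   # iptables -F chain
        # Touches no rule in this chain, but is still a table commit.
        self.commit(now)

    def verdict(self, dport: int, now: float) -> str:
        for spec, lim in self.rules:
            if spec.dport != dport:
                continue
            if lim is not None and not lim.match(now):
                continue
            return spec.target
        return "ACCEPT"  # default chain policy


def reproduce_report() -> List[str]:
    """Replays the report's steps; returns the verdict for each SMTP connect."""
    t = FilterTable()
    t.append(RuleSpec(25, "REJECT"), now=0.0)
    v1 = t.verdict(25, 0.0)                      # REJECT: plain reject rule
    t.insert(RuleSpec(25, "ACCEPT", (1 / 86400, 1)), now=0.0)
    v2 = t.verdict(25, 1.0)                      # ACCEPT: burst token spent
    v3 = t.verdict(25, 2.0)                      # REJECT: bucket empty
    t.insert(RuleSpec(21, "ACCEPT"), now=3.0)    # unrelated rule, but a commit
    v4 = t.verdict(25, 4.0)                      # ACCEPT: bucket rebuilt full
    t.flush_unrelated_chain(now=5.0)             # the comment's variant
    v5 = t.verdict(25, 6.0)                      # ACCEPT again, same cause
    return [v1, v2, v3, v4, v5]


if __name__ == "__main__":
    print(reproduce_report())
```

The practical reading for anyone relying on -m limit: its counters are not durable across any rule change, so a script that reloads or edits the filter table also re-opens every rate-limited window for one burst.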