This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 75723 - Resetting built-in chains to the default ACCEPT policy do not include all the chains from 'mangle' table
Resetting built-in chains to the default ACCEPT policy do not include all the...
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: wdovlrrw
Ben Levenson
http://prawo.uni.wroc.pl/~konrad/ipta...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-10-11 11:31 EDT by Konrad Zak
Modified: 2007-04-18 12:47 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-01-13 16:48:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
fixed iptables starting script (5.54 KB, text/plain)
2002-10-11 11:44 EDT, Konrad Zak
no flags Details

  None (edit)
Description Konrad Zak 2002-10-11 11:31:05 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.1) Gecko/20020826

Description of problem:
Resetting built-in chains to the default ACCEPT policy with 'service iptables
stop' causes 3 of 5 chains from 'mangle' table to stay in previous set default
policy, like i.e. DROP.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.iptables -t mangle -P INPUT DROP
2.iptables -t mangle -P FORWARD DROP
3.iptables -t mangle -P POSTROUTING DROP
4.service iptables stop
5.iptables -t mangle -L
	

Actual Results:  3 of 5 built-in chains in 'mangle' table do not get back to
default ACCEPT policy when stopping iptables service. 

Expected Results:  'mangle' table built-in chains default policy should be set
to ACCEPT in /etc/init.d/iptables. I modified /etc/init.d/iptables script to
resolve problem. I put link to fixed script in url field of bug form.

Additional info:

the same applies to ip6tables (iptables-ipv6 rpm package).
under file name ip6tables instead of iptables in url I provided you'll find
fixed /etc/init.d/ip6tables script.
Comment 1 Konrad Zak 2002-10-11 11:44:20 EDT
Created attachment 80004 [details]
fixed iptables starting script
Comment 2 Michael Schwendt 2002-10-20 13:02:47 EDT
Red Hat Linux 8.0 is affected, too.

--- iptables.orig       Wed Aug  7 16:34:38 2002
+++ iptables    Sun Oct 20 18:59:52 2002
@@ -117,7 +117,10 @@
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
            iftable mangle -P PREROUTING ACCEPT && \
+           iftable mangle -P POSTROUTING ACCEPT && \
+           iftable mangle -P INPUT ACCEPT && \
            iftable mangle -P OUTPUT ACCEPT && \
+           iftable mangle -P FORWARD ACCEPT && \
           success || \
           failure 
        echo
Comment 3 Michael Schwendt 2002-12-24 16:02:57 EST
While updating my iptables packages for Psyche and Valhalla, I added patched
iptables initscripts to bug #76367.
Comment 4 Bill Nottingham 2003-01-13 16:48:57 EST
fixed in iptables-1.2.7a-1.

Note You need to log in before you can comment on or make changes to this bug.