Bug 848453 - Default iptables configuration causes network utilities to lie
Default iptables configuration causes network utilities to lie
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: system-config-firewall (Show other bugs)
17
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-15 12:16 EDT by Ulrik Haugen
Modified: 2013-08-01 08:54 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 08:54:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ulrik Haugen 2012-08-15 12:16:17 EDT
Description of problem:

On booting the Fedora 17 live distribution /etc/sysconfig/iptables has the following as the last entries for INPUT and FORWARD:

    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited

This causes most network utilities to lie to the user when requested to connect to the machine.


Version-Release number of selected component (if applicable):

/etc/sysconfig/iptables does not belong to any package as far as i can tell but this behaviour has been around since at least whatever rhel/centos 5 and 6 were forked from.


How reproducible:

Always.


Steps to Reproduce:
1. write the fedora 17 live distribution to a usb stick
2. boot some machine from that usbstick
3. configure networking on that machine
4. ping the machine from some other host on the network
5. try to connect to the smtp port on the machine with telnet from some other host on the network


Actual results:

Ping reports the machine is up but telnet fails with a misleading error message:

% ping 130.236.221.229
PING 130.236.221.229 (130.236.221.229) 56(84) bytes of data.
64 bytes from 130.236.221.229: icmp_req=1 ttl=59 time=408 ms
64 bytes from 130.236.221.229: icmp_req=2 ttl=59 time=154 ms
^C
--- 130.236.221.229 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 154.099/281.336/408.573/127.237 ms
% telnet 130.236.221.229 smtp
Trying 130.236.221.229...
telnet: Unable to connect to remote host: No route to host
%


Expected results:

I expected telnet to fail with an error message that suggests i look into the machine i'm trying to access rather than the network between the host running telnet and that machine; "telnet: Unable to connect to remote host: Connection refused" or something there abouts.


Additional info:

Simply removing "--reject-with icmp-host-prohibited" from /etc/sysconfig/iptables and calling 'service iptables restart' solves this problem for me.
Comment 1 Bill Nottingham 2012-08-15 12:53:13 EDT
As stated; this has been the default behavior of the firewall roughly since it was added. Assigning to s-c-firewall, but I suspect this is unlikely to be changed.
Comment 2 Fedora End Of Life 2013-07-04 00:10:27 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 3 Fedora End Of Life 2013-08-01 08:54:18 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.