Bug 91560 - iptables-1.2.6a won't save rule with --icmp-type
iptables-1.2.6a won't save rule with --icmp-type
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: iptables (Show other bugs)
8.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Ben Levenson
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-05-24 01:38 EDT by Christopher Gahlon
Modified: 2007-04-18 12:53 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-07-03 05:38:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Christopher Gahlon 2003-05-24 01:38:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
When I add this rule to /etc/sysconfig/iptables to allow echo requests from a
specific IP address like so:
-A RH-Lokkit-0-50-INPUT -p icmp -i eth0 -s X.X.X.X --icmp-type echo-request -j
ACCEPT

I get the message:
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg
`--icmp-type'

using -j DROP or -j REJECT work just find.

Version-Release number of selected component (if applicable):
iptables-1.2.6a-2

How reproducible:
Always

Steps to Reproduce:
1. Add rule '-A RH-Lokkit-0-50-INPUT -p icmp -i eth0 -s 10.0.0.1 --icmp-type
echo-request -j ACCEPT' to the beginning of /etc/sysconfig/iptables 
(works with or without specific source IP)

2. /etc/init.d/iptables/restart

Actual Results:  All chains are flushed and the server/workstation is left
unprotected.

It produced this output:
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg
`--icmp-type'
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]


Expected Results:
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying iptables firewall rules:                          [  OK  ]


Additional info:

I upgraded the RH8 box with the iptables-1.2.7a-2 package that comes with RH9) 
It works fine and solved the problem.
Comment 1 Christopher Gahlon 2003-06-18 11:22:25 EDT
What additional information can I provide? 
Comment 2 Thomas Woerner 2003-07-03 05:38:40 EDT
Fixed in the new 1.2.8-4.x version. This version has a new startup script and an
additional config file.


/etc/sysconfig/iptables-config:
> # Additional iptables modules (nat helper)
> # Default: -empty-
> #IPTABLES_MODULES="ip_nat_ftp"
> 
> # Save current firewall rules on stop.
> # Value: yes|no,  default: no
> #IPTABLES_SAVE_ON_STOP="no"
> 
> # Save current firewall rules on restart.
> # Value: yes|no,  default: no
> #IPTABLES_SAVE_ON_RESTART="no"
> 
> # Save rule counter.
> # Value: yes|no,  default: yes
> #IPTABLES_SAVE_COUNTER="yes"
> 
> # Numeric status output
> # Value: yes|no,  default: no
> #IPTABLES_STATUS_NUMERIC="no"


RPM packages for 7.x:
http://people.redhat.com/twoerner/RPMS/7.x/iptables-1.2.8-4.73.1.i386.rpm
http://people.redhat.com/twoerner/RPMS/7.x/iptables-ipv6-1.2.8-4.73.1.i386.rpm
http://people.redhat.com/twoerner/SRPMS/iptables-1.2.8-4.73.1.src.rpm

RPM packages for 8.0:
http://people.redhat.com/twoerner/RPMS/8.0/iptables-1.2.8-4.80.1.i386.rpm
http://people.redhat.com/twoerner/RPMS/8.0/iptables-ipv6-1.2.8-4.80.1.i386.rpm
http://people.redhat.com/twoerner/SRPMS/iptables-1.2.8-4.80.1.src.rpm

RPM packages for 9:
http://people.redhat.com/twoerner/RPMS/9/iptables-1.2.8-4.90.1.i386.rpm
http://people.redhat.com/twoerner/RPMS/9/iptables-ipv6-1.2.8-4.90.1.i386.rpm
http://people.redhat.com/twoerner/SRPMS/iptables-1.2.8-4.90.1.src.rpm

Note You need to log in before you can comment on or make changes to this bug.