Re: iptables restart hangs

Bernd Radinger wrote:
> in /etc/sysconfig/iptables-config change the configuration to:
>
> IPTABLES_MODULES_UNLOAD="no"
>
> I was told that fixes the problem

It probably will, since he was hanging on module unload. It will also preserve connection tracking information. However, even with that option set, "iptables restart" will still flush all rules, set the default policy to accept, and then start the firewall from scratch (so you will be wide open for that small time window, enough for a packet or two to pass by, which is sometimes all it takes to break into the machine). It is usually better to simply load new rules. And you can't use "iptables start" either, because it is doing the same thing (basically, "start" and "restart" are effectively the same, with "restart" having an option to save fw rules before stopping the firewall).


I've raised some concerns some time ago on bugzilla about the iptables script and proposed (if I remember correctly) that either "start" shouldn't be unloading firewall rules, or that a new option for "restart" be implemented (that would only load new rules). I was told that there's no value in doing that since the time window is too small (not really, if the firewall is under attack from inside and the (inside) attacker can guess the approx. time when the firewall is to be restarted), and to modify my local iptables scripts if I don't like the way it is currently done.

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
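The message above recommends loading the new rules into the live tables instead of running "iptables restart" (flush, policy ACCEPT, reload). The script below is an added example of how to do that and is not part of the original mail or of the Fedora init script: it builds a complete filter table in iptables-restore format and commits it in one step, so there is no interval in which the chains are empty with an ACCEPT policy. The port list, the loopback rule and the use of the state match are assumptions chosen for the example; committing requires root, so the script only talks to the kernel when APPLY=1 and it is running as root, and otherwise does a dry run.

```shell
#!/bin/sh
# Added example (not from the original mail or the Fedora init script).
#
# What "service iptables restart" does, and why it opens a window:
#   iptables -F; iptables -X; iptables -P INPUT ACCEPT ...   <- wide open here
#   then the saved rules are loaded one by one.
# iptables-restore instead parses the whole table and commits it as a unit,
# so the old rules stay in force until the new ones are in place.
#
# Assumptions: iptables-restore is installed; APPLY=1 and root are needed
# to actually commit; the ports/rules below are a made-up policy.

# Emit a complete filter table in iptables-restore format.
# $1 = space-separated list of TCP ports to allow inbound.
build_ruleset() {
    ports=$1
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Number of "-A" rules in a ruleset; a cheap sanity check before committing.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Validate the ruleset without touching the live tables.  As root with
# iptables installed, iptables-restore --test parses and builds the table
# but does not commit it; otherwise fall back to a structural check.
check_ruleset() {
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        printf '%s\n' "$1" | iptables-restore --test
    else
        printf '%s\n' "$1" | grep -q '^\*filter$' &&
        printf '%s\n' "$1" | grep -q '^COMMIT$'
    fi
}

# Commit the ruleset in one step.  The old rules remain active until the
# kernel swaps in the new table, so there is no flush/ACCEPT window.
apply_ruleset() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$1" | iptables-restore
    else
        echo "dry run: would commit $(count_rules "$1") rules atomically" >&2
    fi
}

# Usage: build, check, then commit (dry run unless APPLY=1 as root).
RULES=$(build_ruleset "22 443")
check_ruleset "$RULES"
apply_ruleset "$RULES"
```

After a successful commit, saving the live tables with `iptables-save > /etc/sysconfig/iptables` keeps the boot-time "iptables start" in sync with what is actually loaded; the restart-time window the mail describes is only avoided for reloads done this way, not for the init script's own start/restart.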

