On Wed, 2005-02-23 at 11:17 -0500, Ian P. Thomas wrote:
> On Wed, 2005-02-23 at 08:35 -0600, Aleksandar Milivojevic wrote:
> > Bernd Radinger wrote:
> > > in /etc/sysconfig/iptables-config change the configuration to:
> > >
> > > IPTABLES_MODULES_UNLOAD="no"
> > >
> > > I was told that fixes the problem
> >
> > It probably will, since he was hanging on module unload. It will also
> > preserve connection tracking information. However, even with that
> > option set, "iptables restart" will still flush all rules, set default
> > policy to accept, and than start firewall from scratch (so you will be
> > wide open for that small time window, enough for a packet or two to pass
> > by, which is sometimes all it takes to brake into the machine). It is
> > usually better to simply load new rules. And you can't use "iptables
> > start" either, because it is doing the same thing (basically, "start"
> > and "restart" are effectivly the same, with "restart" having an option
> > to save fw rules before stopping the firewall).
> >
> > I've raised some concerns some time ago on bugzilla about iptables
> > script and proposed (if I remember correctly) that either "start"
> > shouldn't be unloading firewall rules, or that new option for "restart"
> > be implemented (that would only load new rules). I was told that
> > there's no value in doing that since time window is too small (not
> > really, if firewall is under attack from inside and (inside) attacker
> > can guess aprox. time when firewall is to be restarted), and to modify
> > my local iptables scripts if I don't like the way it is currently done.
>
> I have to agree with you here. I think there are a few problems with
> the current script the way it is. The first, being setting the policy
> to ACCEPT when 'restart' is called through the call to 'stop'. I'm
> going to change the procedures executed when the 'restart' case is
> executed from 'save', 'stop', 'start', to 'save', 'restart'. Of course
> I'll have to write 'restart', but that doesn't seem to hard.
>
> Ideally, a restart should preserve existing connections, while denying
> all other packets during the brief amount of time in which the rule set
> is being reloaded. I'll post my addition to the list when I finish it.
>
>
> Ian
>
Actually, what you are describing is normally reserved for "reload", not
"restart". "restart" is generally for a stop and start - which in the
context of iptables seems to be doing what is expected, though, perhaps,
not what is desired.
So here is a patch file to add a "reload" option to the iptables script
file in /etc/rc.d/init.d/.... Your mileage may vary, but it follows the
earlier recommendation of doing an iptables-restore.... To do what you
were looking for earlier, do an "service iptables reload"
It seemed to work on my machine (FC3), but your mileage may vary....
HTH,
--Rob
--- iptables 2004-09-17 09:44:30.000000000 -0400
+++ iptables.new 2005-02-23 12:59:56.288510594 -0500
@@ -280,6 +280,22 @@
start
}
+reload() {
+ echo -n $"Applying $IPTABLES firewall rules: "
+
+ OPT=
+ [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
+
+ $IPTABLES-restore $OPT $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ success; echo
+ else
+ failure; echo; return 1
+ fi
+
+ return 0
+}
+
case "$1" in
start)
stop
@@ -298,6 +314,10 @@
condrestart)
[ -e "$VAR_SUBSYS_IPTABLES" ] && restart
;;
+ reload)
+ [ -e "$VAR_SUBSYS_IPTABLES" ] && reload
+ RETVAL=$?
+ ;;
status)
status
RETVAL=$?
@@ -312,7 +332,7 @@
RETVAL=$?
;;
*)
- echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
+ echo $"Usage: $0 {start|stop|restart|condrestart|reload|status|panic|save}"
exit 1
;;
esac
