* Are established connections interrupted when iptables is restarted?
From: Deepak Seshadri @ 2004-12-22 15:06 UTC (permalink / raw)
To: netfilter
Hello group,
I make changes in the /etc/sysconfig/iptables file and then do a "service
iptables restart". Would this interrupt the established connections through
the firewall?
Thank you,
Deepak Seshadri
* Re: Are established connections interrupted when iptables is restarted?
From: Gavin Hamill @ 2004-12-22 15:11 UTC (permalink / raw)
To: netfilter
On Wednesday 22 December 2004 15:06, Deepak Seshadri wrote:
> Hello group,
>
> I make changes in the /etc/sysconfig/iptables file and then do a "service
> iptables restart". Would this interrupt the established connections through
> the firewall?
Provided that 'service iptables restart' does not unload the conntrack module,
then the established-connections table will not be reloaded - you will likely
have a second or two of no connectivity while the ruleset is reloaded,
though.
Cheers,
Gavin.
* Re: Are established connections interrupted when iptables is restarted?
From: Gavin Hamill @ 2004-12-22 15:17 UTC (permalink / raw)
To: netfilter
On Wednesday 22 December 2004 15:11, Gavin Hamill wrote:
> module, then the established-connections table will not be reloaded - you
Gah, meant to say 'will not be cleared'
Cheers,
Gavin.
* Re: Are established connections interrupted when iptables is restarted?
From: Andrew Schulman @ 2004-12-22 17:48 UTC (permalink / raw)
To: netfilter
> > I make changes in the /etc/sysconfig/iptables file and then do a "service
> > iptables restart". Would this interrupt the established connections through
> > the firewall?
>
> Provided that 'service iptables restart' does not unload the conntrack module,
> then the established-connections table will not be reloaded - you will likely
> have a second or two of no connectivity while the ruleset is reloaded,
> though.
Right. I've done this many times, and never seen any dropped
connections. I've even restarted the firewall from a remote ssh
session, and never had any trouble-- just a short pause in the console
output. Of course, that's terrible practice-- if your firewall script
doesn't finish executing, for whatever reason, then you're hosed until
you can get back to the console.
--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
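Andrew's remote restart, with the failure he describes made recoverable, as an added example (this is not code from the thread or from the Fedora init script). It snapshots the live ruleset with iptables-save, loads the new one with iptables-restore, and leaves a background timer that restores the snapshot unless the same session disarms it, so if the new rules cut the SSH session off, access comes back by itself. Loading with iptables-restore instead of a stop/start pair also avoids the window in which the old rules are gone and the new ones are not yet in, since each table is committed in one operation. The names ROLLBACK_SECS, BACKUP, ROLLBACK_PID, reload_with_rollback and confirm_reload are this script's own, and the ipt_save/ipt_restore wrappers exist so the logic can be exercised without root.

```shell
#!/bin/sh
# Reload an iptables ruleset from a remote session with a timed rollback.
# Added example for this thread, not code from any poster. Assumes
# iptables-save/iptables-restore on PATH and root; ROLLBACK_SECS, BACKUP,
# ROLLBACK_PID and the function names are this script's own.
set -u

ROLLBACK_SECS=${ROLLBACK_SECS:-60}
BACKUP=${BACKUP:-/run/iptables.rollback}
ROLLBACK_PID=

# Thin wrappers around the real tools (the only commands that need root).
ipt_save()    { iptables-save; }
ipt_restore() { iptables-restore; }     # ruleset on stdin

# iptables-restore commits each table in one operation, so clients never
# see the flushed-but-not-yet-rebuilt state a stop/start pair goes
# through. Neither path touches the conntrack table: established flows
# survive unless the conntrack module itself is unloaded.
reload_with_rollback() {
    new_rules=$1
    ipt_save > "$BACKUP" || return 1
    # Timer: if nobody disarms it, the saved ruleset comes back on its own,
    # which is what saves you when the new rules cut off your own session.
    ( sleep "$ROLLBACK_SECS"; ipt_restore < "$BACKUP" ) &
    ROLLBACK_PID=$!
    if ! ipt_restore < "$new_rules"; then
        # Parse or load failure: cancel the timer, put the old rules back now.
        kill "$ROLLBACK_PID" 2>/dev/null || true
        ipt_restore < "$BACKUP"
        return 1
    fi
}

# Run this from the same session once you know you still have access.
confirm_reload() {
    kill "$ROLLBACK_PID" 2>/dev/null && rm -f "$BACKUP"
}

if [ -n "${1:-}" ]; then
    reload_with_rollback "$1" || exit 1
    printf 'New rules live; press Enter within %ss to keep them: ' "$ROLLBACK_SECS"
    read -r _ && confirm_reload
fi
```

Run it as "sh reload.sh /path/to/new.rules" (a file in iptables-save format) from the SSH session whose survival you care about, and press Enter before the timer fires. If the session dies instead, the snapshot is back within ROLLBACK_SECS and the box is reachable again.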
* Re: Are established connections interrupted when iptables is restarted?
From: R. DuFresne @ 2004-12-23 2:13 UTC (permalink / raw)
To: Deepak Seshadri; +Cc: netfilter
On Wed, 22 Dec 2004, Deepak Seshadri wrote:
> Hello group,
>
> I make changes in the /etc/sysconfig/iptables file and then do a "service
> iptables restart". Would this interrupt the established connections through
> the firewall?
It can. With connection tracking and matching on NEW ! syn, with a -j
DROP it certainly will.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules.
The most any of us can do is sign on as its accomplice. Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question. The words
"make" and "stay" become inappropriate. My love for you has no
strings attached. I love you for free...
-Tom Robbins <Still Life With Woodpecker>
* Re: Are established connections interrupted when iptables is restarted?
From: Jason Opperisano @ 2004-12-23 4:37 UTC (permalink / raw)
To: netfilter
On Wed, 2004-12-22 at 21:13, R. DuFresne wrote:
> On Wed, 22 Dec 2004, Deepak Seshadri wrote:
>
> > Hello group,
> >
> > I make changes in the /etc/sysconfig/iptables file and then do a "service
> > iptables restart". Would this interrupt the established connections through
> > the firewall?
>
> It can. with connection tracking and matching on NEW ! syn, with a -j
> DROP it certainly will.
um--no. connection tracking begins as soon as the 'ip_conntrack' module
is loaded. if you:
1) modprobe ip_conntrack
2) establish a bunch of connections through the firewall
3) load a policy that drops "-p tcp ! --syn -m state --state NEW"
packets--your existing connections will be just fine, as they are in the
ESTABLISHED (and likely ASSURED) state.
the previous poster that said "as long as 'service iptables restart'
doesn't unload the ip_conntrack module" was correct.
now--the *real* question is, "does 'service iptables restart' unload
ip_conntrack?"
on FC2 it appears the answer is: yes. looking in /etc/init.d/iptables,
a 'restart' performs:
stop
start
the 'stop' function performs:
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"Unloading $IPTABLES modules: "
<snip>
so--setting:
IPTABLES_MODULES_UNLOAD=no
in /etc/sysconfig/iptables (it defaults to 'yes') should get us to a
state where 'service iptables restart' does not unload the ip_conntrack
module.
HTH...
-j
--
"Ah, beer, my one weakness. My achilles heel, if you will."
--The Simpsons
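The check Jason's answer rests on, as an added example (not code from the thread or from the init script): refuse to restart while IPTABLES_MODULES_UNLOAD is anything but "no", then compare the conntrack table before and after. The sysconfig path is an argument, because Jason reads the setting from /etc/sysconfig/iptables while later Fedora/RHEL init scripts keep it in /etc/sysconfig/iptables-config. The live table is /proc/net/ip_conntrack on ip_conntrack kernels of that era and /proc/net/nf_conntrack on nf_conntrack kernels; the CONNTRACK_TABLE override, the restart-command argument and the function names are this script's own.

```shell
#!/bin/sh
# Before a "service iptables restart", check that it will not unload the
# conntrack module; afterwards, check that the table really survived.
# Added example for this thread, not code from any poster. The sysconfig
# path is an argument (Jason names /etc/sysconfig/iptables; later Fedora/RHEL
# init scripts read /etc/sysconfig/iptables-config). CONNTRACK_TABLE may
# point at a saved copy of the table for a dry run. Function names are
# this script's own.
set -u

# Value of IPTABLES_MODULES_UNLOAD as the init script would see it:
# last uncommented assignment wins, quotes and trailing comments ignored.
unload_setting() {
    val=$(grep '^[[:space:]]*IPTABLES_MODULES_UNLOAD=' "$1" 2>/dev/null \
          | tail -n 1 | cut -d= -f2 | cut -d'#' -f1 | tr -d "\"' ")
    echo "${val:-unset}"
}

# Path of the live conntrack table; fails if the module is not loaded.
conntrack_table() {
    if [ -n "${CONNTRACK_TABLE:-}" ]; then echo "$CONNTRACK_TABLE"; return 0; fi
    for f in /proc/net/nf_conntrack /proc/net/ip_conntrack; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Number of TCP flows in ESTABLISHED state in table $1 (live or saved).
established_count() {
    grep -c ESTABLISHED "$1" || true
}

restart_preserving_conntrack() {
    cfg=$1
    restart_cmd=${2:-service iptables restart}
    case $(unload_setting "$cfg") in
        no) ;;
        *)  echo "refusing: IPTABLES_MODULES_UNLOAD is not 'no' in $cfg;" \
                 "the restart would unload conntrack and drop every tracked flow" >&2
            return 2 ;;
    esac
    t=$(conntrack_table) || { echo "conntrack module is not loaded" >&2; return 2; }
    before=$(established_count "$t")
    $restart_cmd || return 1
    t=$(conntrack_table) || { echo "restart unloaded the conntrack module" >&2; return 1; }
    after=$(established_count "$t")
    echo "ESTABLISHED flows before=$before after=$after"
    # Dropping to zero while flows existed means the table was flushed.
    [ "$before" -eq 0 ] || [ "$after" -gt 0 ]
}

if [ -n "${1:-}" ]; then
    restart_preserving_conntrack "$1" "${2:-}"
fi
```

A dry run against a saved copy of the table, for instance "CONNTRACK_TABLE=/tmp/ct.before sh check.sh /etc/sysconfig/iptables-config true", exercises everything except the restart itself. On a live box, a count that goes from many ESTABLISHED flows to zero across the restart means the table was lost; the in-flight packets of those old connections then arrive as NEW without SYN, which is exactly the case where a "-p tcp ! --syn -m state --state NEW -j DROP" rule kills them, as Ron warned. With the table intact they stay ESTABLISHED and never reach that rule, which is Jason's point.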