Linux Netfilter discussions
From: "Tyler J. Wagner" <tyler@tolaris.com>
To: Adishesh M <adisheshsm@gmail.com>
Cc: netfilter@vger.kernel.org, Pandu Poluan <pandu@poluan.info>
Subject: Re: ssh session are hanging when firewall is restarted
Date: Thu, 25 Aug 2011 11:51:10 +0100	[thread overview]
Message-ID: <4E56291E.6000903@tolaris.com> (raw)
In-Reply-To: <CA+f1OFpKdobWsnTrf3QhAJPGp=4GvDDAiAwg3x2Zi_Le_N0u6Q@mail.gmail.com>

Adishesh,

This is not a netfilter issue. This is an issue with RHEL 6.1, and the fact
that it is unloading and reloading the netfilter module when you invoke
"restart".

Instead, just do this:

iptables-restore /etc/sysconfig/iptables

Regards,
Tyler

On 2011-08-25 11:34, Adishesh M wrote:
> Hi,
> 
> I was doing other tests and came across this issue.
> We have not observed this issue on Fedora 14.  Only in RHEL 6.1 is this
> issue observed.
> A solution for this issue may be available in the latest netfilter versions
> but not yet integrated in RHEL 6.
> 
> 
> Thanks and regards,
> Adishesh
> 
> 
> On Thu, Aug 25, 2011 at 3:45 PM, Pandu Poluan <pandu@poluan.info> wrote:
>> Why do you need to restart iptables?
>>
>> iptables is *not* a daemon-based service. It's always on in the
>> kernel. All invocations of the iptables command act *immediately*.
>>
>> Rgds,
>>
>>
>> On 2011-08-24, Adishesh M <adisheshsm@gmail.com> wrote:
>>> Hi,
>>> When we insert the below rules into iptables, ssh sessions are
>>> hanging (in fact all tcp connections are terminated).
>>>
>>> "iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP".
>>>
>>> What is the problem with the above rule? We used this rule to drop
>>> bad tcp packets. When the firewall is restarted using "service iptables
>>> restart", ssh sessions are hanging.
>>>
>>>
>>> Rule used for testing.
>>>
>>> ssh session hangs
>>> <set 1>
>>> --------------------------
>>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP
>>> iptables -A INPUT -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>>
>>>
>>> ssh session hangs
>>> <set 2>
>>> ----------------------------
>>> iptables -N TEST_LAN_1
>>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>>> state --state NEW -j DROP
>>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>>
>>>
>>>
>>> ssh session does not hang
>>> <set 3>
>>> ---------------------------------------
>>> iptables -N TEST_LAN_1
>>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>>
>>>
>>> ssh session does not hang
>>> <set 4>
>>> ---------------------------------------
>>> iptables -A INPUT -d 10.255.13.157 -m state --state
>>> RELATED,ESTABLISHED  -j ACCEPT
>>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>>
>>>
>>> steps to reproduce this issue
>>> -----------------------------------------------
>>>     iptables -F
>>>     iptables  -X
>>>     <Insert any one set of rules from set 1 or set 2 >
>>>     service ip6tables stop
>>>     service iptables save
>>>     iptables -L -n
>>>     service iptables restart
>>>     iptables -L -n
>>>
>>> Thanks and regards,
>>> Adishesh
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>
>>
>> --
>> --
>> Pandu E Poluan - IT Optimizer
>> My website: http://pandu.poluan.info/
>>
> 

-- 
"The bourgeoisie are hated from both ends: by the proles, because they
have all the money, and by the intelligentsia, because of their
tendency to spend it on lawn ornaments."
   -- Neal Stephenson, Cryptonomicon
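An added example, not part of the thread and not code from any of the posters: a small Python model of how the four rule sets above treat a packet from an already-established ssh session, first with the connection-tracking table intact and then after it has been emptied (which is what happens when "service iptables restart" on RHEL 6 unloads and reloads the netfilter modules, and what "iptables-restore" avoids). The client address 10.255.13.1 and port 51234 are constructed; the server address and the rules are the ones from the thread. The model assumes the default nf_conntrack_tcp_loose=1, under which a mid-stream ACK with no conntrack entry is classified NEW rather than INVALID.

```python
# Added example (not from the thread): model of how the four INPUT rule sets
# treat a packet of an established ssh session before and after the
# connection-tracking table is emptied.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

HOST = "10.255.13.157"           # destination address used in the thread's rules
CLIENT = ("10.255.13.1", 51234)  # constructed ssh client address and source port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]         # TCP flags set on the packet


@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT, DROP or a user chain name
    dst: Optional[str] = None                 # -d
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state
    # --tcp-flags mask comp, and whether the match is negated with "!"
    tcp_flags: Optional[Tuple[FrozenSet[str], FrozenSet[str], bool]] = None


def conntrack_state(table, pkt):
    """Classify a packet as the state match sees it: a tracked connection is
    ESTABLISHED; a packet with no entry is NEW, which (with tcp_loose=1, the
    default) is also what a mid-stream ACK becomes once the table is empty."""
    fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ESTABLISHED" if fwd in table or rev in table else "NEW"


def rule_matches(rule, pkt, state):
    if rule.dst is not None and pkt.dst != rule.dst:
        return False
    if rule.proto is not None and rule.proto != "tcp":   # only TCP is modelled
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.states is not None and state not in rule.states:
        return False
    if rule.tcp_flags is not None:
        mask, comp, negated = rule.tcp_flags
        hit = (pkt.flags & mask) == comp
        if hit == negated:            # "!" inverts the flag comparison
            return False
    return True


def walk_chain(chains, name, pkt, state):
    """First terminating verdict in a chain; None if the packet falls off the end."""
    for rule in chains[name]:
        if not rule_matches(rule, pkt, state):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = walk_chain(chains, rule.target, pkt, state)  # jump to user chain
        if verdict is not None:
            return verdict
    return None


def filter_input(chains, table, pkt, policy="ACCEPT"):
    """Run one packet through INPUT and update the conntrack table."""
    state = conntrack_state(table, pkt)
    verdict = walk_chain(chains, "INPUT", pkt, state) or policy
    if verdict == "ACCEPT":           # conntrack confirms entries only for packets that survive
        table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return verdict


# The rules from the thread, in the order they were appended.
NEW_NOT_SYN = Rule("DROP", proto="tcp", states=frozenset({"NEW"}),
                   tcp_flags=(frozenset({"FIN", "SYN", "RST", "ACK"}),
                              frozenset({"SYN"}), True))
ESTABLISHED = Rule("ACCEPT", dst=HOST, states=frozenset({"RELATED", "ESTABLISHED"}))
SSH = Rule("ACCEPT", dst=HOST, proto="tcp", dport=22)
DENY = Rule("DROP", dst=HOST)
JUMP = Rule("TEST_LAN_1", dst=HOST)

RULE_SETS = {
    "set 1": {"INPUT": [NEW_NOT_SYN, ESTABLISHED, SSH, DENY]},
    "set 2": {"INPUT": [NEW_NOT_SYN, JUMP], "TEST_LAN_1": [ESTABLISHED, SSH, DENY]},
    "set 3": {"INPUT": [JUMP], "TEST_LAN_1": [ESTABLISHED, SSH, DENY]},
    "set 4": {"INPUT": [ESTABLISHED, SSH, DENY]},
}


def ssh_verdicts(chains, flush_conntrack):
    """Verdicts for a mid-stream ACK from the ssh client before and after the
    rules are reloaded. flush_conntrack=True models 'service iptables restart'
    (module unload empties the table); False models 'iptables-restore'."""
    pkt = Packet(CLIENT[0], CLIENT[1], HOST, 22, frozenset({"ACK"}))
    table = {(pkt.src, pkt.sport, pkt.dst, pkt.dport)}  # tracked since its handshake
    before = filter_input(chains, table, pkt)
    if flush_conntrack:
        table.clear()
    after = filter_input(chains, table, pkt)
    return before, after


if __name__ == "__main__":
    for name, chains in RULE_SETS.items():
        restart = ssh_verdicts(chains, flush_conntrack=True)[1]
        restore = ssh_verdicts(chains, flush_conntrack=False)[1]
        print(f"{name}: service restart -> {restart:6}  iptables-restore -> {restore}")
```

Sets 1 and 2 drop the session's next ACK after the table is emptied because it is now NEW and not a bare SYN, so the first rule fires before the port-22 ACCEPT is ever reached; sets 3 and 4 fall through to the port-22 rule, which accepts the packet and lets conntrack pick the session up again. With the table left intact (the iptables-restore path) every set accepts the packet.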
