Why do you need to restart iptables?

iptables is *not* a daemon-based service. It's always on in the kernel.
All invocations of the iptables command act *immediately*.

Rgds,

On 2011-08-24, Adishesh M <adisheshsm@xxxxxxxxx> wrote:
> Hi,
> When we insert the below rules into the ip tables, ssh sessions are
> hanging (in fact all tcp connections are terminated).
>
> "iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP"
>
> What is the problem with this above rule? We used this rule to drop
> bad tcp packets. When the firewall is restarted using "service iptables
> restart", ssh sessions are hanging.
>
>
> Rules used for testing.
>
> ssh session hangs
> <set 1>
> --------------------------
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -j DROP
>
>
> ssh session hangs
> <set 2>
> ----------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP
>
>
> ssh session does not hang
> <set 3>
> ---------------------------------------
> iptables -N TEST_LAN_1
> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A TEST_LAN_1 -d 10.255.13.157 -j DROP
>
>
> ssh session does not hang
> <set 4>
> ---------------------------------------
> iptables -A INPUT -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
> iptables -A INPUT -d 10.255.13.157 -j DROP
>
>
> Steps to reproduce this issue
> -----------------------------------------------
> iptables -F
> iptables -X
> <Insert any one set of rules from set 1 or set 2>
> service ip6tables stop
> service iptables save
> iptables -L -n
> service iptables restart
> iptables -L -n
>
> Thanks and regards,
> Adishesh
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>

--
--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/
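Added example, not part of the thread and not iptables itself: a small Python model of the four rule sets quoted above, walked the way the kernel walks the INPUT chain (first matching terminal rule wins, a user chain that runs out of rules returns to its caller, the built-in policy applies when nothing matches). The packets are constructed, and the conntrack state of each packet is supplied by hand so that the effect of an emptied connection-tracking table can be shown. The only difference between the hanging sets (1 and 2) and the working sets (3 and 4) is the rule that drops anything conntrack calls NEW unless it is a bare SYN. A data segment of an SSH session that was opened before the restart carries ACK only; while conntrack still has the entry it is ESTABLISHED and every set accepts it. Once the conntrack table is emptied (which the RHEL-style init script does during `service iptables restart` when it unloads the connection-tracking modules, its default behaviour), the same segment is classified NEW, is not a bare SYN, and sets 1 and 2 drop it, so the session hangs; sets 3 and 4 accept it through the `--dport 22` rule. The addresses, chain name and rules are the thread's own; everything else is this example's.

```python
"""Model of the INPUT chain for the four rule sets from the thread.
Not iptables: packets are constructed and conntrack state is given by hand."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

HOST = "10.255.13.157"  # destination address used in the thread's rules


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int
    flags: FrozenSet[str]   # TCP flags set on the wire
    ctstate: str            # conntrack's view: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                                  # ACCEPT, DROP or a user chain
    dst: Optional[str] = None                    # -d
    proto: Optional[str] = None                  # -p
    dport: Optional[int] = None                  # --dport
    states: FrozenSet[str] = frozenset()         # -m state --state a,b
    # --tcp-flags MASK COMP, optionally negated with "!": (mask, comp, negated)
    tcp_flags: Optional[Tuple[FrozenSet[str], FrozenSet[str], bool]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.ctstate not in self.states:
            return False
        if self.tcp_flags is not None:
            mask, comp, negated = self.tcp_flags
            hit = (pkt.flags & mask) == comp     # flags under the mask equal COMP?
            if hit == negated:                   # "!" inverts the comparison
                return False
        return True


def verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching terminal rule wins; a user chain that runs out of rules
    RETURNs to its caller; the built-in chain's policy applies if nothing hits."""
    def walk(chain: str) -> Optional[str]:
        for rule in chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            result = walk(rule.target)           # -j USER_CHAIN
            if result is not None:
                return result
        return None                              # implicit RETURN
    return walk("INPUT") or policy


TCP = frozenset({"FIN", "SYN", "RST", "ACK"})
# -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
BAD_TCP = Rule("DROP", proto="tcp", states=frozenset({"NEW"}),
               tcp_flags=(TCP, frozenset({"SYN"}), True))
# -d 10.255.13.157 -m state --state RELATED,ESTABLISHED -j ACCEPT
EST = Rule("ACCEPT", dst=HOST, states=frozenset({"RELATED", "ESTABLISHED"}))
# -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
SSH = Rule("ACCEPT", dst=HOST, proto="tcp", dport=22)
# -d 10.255.13.157 -j DROP
DENY = Rule("DROP", dst=HOST)
# -d 10.255.13.157 -j TEST_LAN_1
JUMP = Rule("TEST_LAN_1", dst=HOST)

RULE_SETS = {
    "set 1": {"INPUT": [BAD_TCP, EST, SSH, DENY]},
    "set 2": {"INPUT": [BAD_TCP, JUMP], "TEST_LAN_1": [EST, SSH, DENY]},
    "set 3": {"INPUT": [JUMP], "TEST_LAN_1": [EST, SSH, DENY]},
    "set 4": {"INPUT": [EST, SSH, DENY]},
}


def classify(pkt: Packet) -> Dict[str, str]:
    """Verdict of every rule set for one packet."""
    return {name: verdict(chains, pkt) for name, chains in RULE_SETS.items()}


# Constructed packets.  An SSH session opened before the restart sends data
# segments carrying ACK only; conntrack normally knows it as ESTABLISHED.
SSH_DATA_TRACKED = Packet(HOST, "tcp", 22, frozenset({"ACK"}), "ESTABLISHED")
# Same segment after the conntrack table was emptied (assumed effect of the
# restart): no entry exists any more, so conntrack reports it as NEW.
SSH_DATA_UNTRACKED = Packet(HOST, "tcp", 22, frozenset({"ACK"}), "NEW")
# A fresh connection attempt: NEW and a bare SYN, which the rule lets through.
SSH_SYN = Packet(HOST, "tcp", 22, frozenset({"SYN"}), "NEW")

if __name__ == "__main__":
    for label, pkt in [("tracked ssh data", SSH_DATA_TRACKED),
                       ("untracked ssh data", SSH_DATA_UNTRACKED),
                       ("new ssh SYN", SSH_SYN)]:
        print(f"{label:20s} {classify(pkt)}")
```

Running it prints ACCEPT for the tracked segment and the bare SYN under every set, and DROP under sets 1 and 2 only for the untracked segment. Two practical notes follow from the model: an untracked mid-stream segment shows up as NEW rather than INVALID because `nf_conntrack_tcp_loose` is enabled by default, so the flag rule is the only thing standing between it and the `--dport 22` ACCEPT; and replacing a rule set with `iptables-restore` swaps the table atomically without unloading the conntrack modules, which keeps existing sessions tracked through a rule change, in line with the reply's point that there is no daemon that needs restarting.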