Re: ssh session are hanging when firewall is restarted

Hi,

I was doing other tests and came across this issue.
We have not observed this issue on Fedora 14. Only on RHEL 6.1 is this
issue observed.
A solution for this issue may be available in the latest netfilter versions
but is not yet integrated in RHEL 6.


Thanks and regards,
Adishesh


On Thu, Aug 25, 2011 at 3:45 PM, Pandu Poluan <pandu@xxxxxxxxxxx> wrote:
> Why do you need to restart iptables?
>
> iptables is *not* a daemon-based service. It's always on in the
> kernel. All invocations of the iptables command act *immediately*.
>
> Rgds,
>
>
> On 2011-08-24, Adishesh M <adisheshsm@xxxxxxxxx> wrote:
>> Hi,
>> When we insert the rule below into iptables, ssh sessions hang
>> (in fact all TCP connections are terminated).
>>
>> "iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP"
>>
>> What is the problem with the above rule? We used this rule to drop
>> bad TCP packets. When the firewall is restarted using "service iptables
>> restart", ssh sessions hang.
>>
>>
>> Rules used for testing.
>>
>> ssh session hangs
>> <set 1>
>> --------------------------
>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP
>> iptables -A INPUT -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>
>>
>> ssh session hangs
>> <set 2>
>> ----------------------------
>> iptables -N TEST_LAN_1
>> iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m
>> state --state NEW -j DROP
>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>
>>
>>
>> ssh session does not hang
>> <set 3>
>> ---------------------------------------
>> iptables -N TEST_LAN_1
>> iptables -A INPUT -d 10.255.13.157 -j TEST_LAN_1
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A TEST_LAN_1 -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  TEST_LAN_1 -d 10.255.13.157   -j DROP
>>
>>
>> ssh session does not hang
>> <set 4>
>> ---------------------------------------
>> iptables -A INPUT -d 10.255.13.157 -m state --state
>> RELATED,ESTABLISHED  -j ACCEPT
>> iptables -A INPUT -d 10.255.13.157 -p tcp -m tcp --dport 22 -j ACCEPT
>> iptables -A  INPUT -d 10.255.13.157   -j DROP
>>
>>
>> Steps to reproduce this issue
>> -----------------------------------------------
>>     iptables -F
>>     iptables  -X
>>     <Insert any one set of rules from set 1 or set 2>
>>     service ip6tables stop
>>     service iptables save
>>     iptables -L -n
>>     service iptables restart
>>     iptables -L -n
>>
>> Thanks and regards,
>> Adishesh
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
>
> --
> Pandu E Poluan - IT Optimizer
> My website: http://pandu.poluan.info/
>
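The following is an added illustration, not code from the thread or from the netfilter project. It is a deliberately small model of how the iptables `-m state` match classifies packets against the connection-tracking table, built only to show what happens to the rule sets quoted above when the conntrack table is emptied underneath an open ssh session (which is what a firewall restart that unloads the conntrack modules does). The `Packet`, `Conntrack` and `evaluate` names, the client address 192.0.2.10 and the `SET_1_REORDERED` variant are all assumptions of this example; the model keys flows by TCP 4-tuple only, treats a flow as ESTABLISHED once a reply has been seen, and ignores the sequence-number and timeout checks that real nf_conntrack performs.

```python
"""Added illustration, not from the thread: a minimal model of how the iptables
state match classifies packets against the connection-tracking table. It is
used to show why set 1 drops an existing ssh session once the conntrack table
has been emptied, while set 4 keeps it alive.

Simplifications (assumptions of this model, not netfilter's exact behaviour):
flows are keyed by TCP 4-tuple only, a flow becomes ESTABLISHED once a reply
has been seen, and sequence-number and timeout checks are ignored.
"""
from dataclasses import dataclass, field

SERVER = "10.255.13.157"  # address used in the thread's rules
CLIENT = "192.0.2.10"     # constructed client address for this example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}


@dataclass
class Conntrack:
    """Connection-tracking table: one entry per flow, shared by both directions."""
    table: dict = field(default_factory=dict)

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        """What '-m state' would report for this packet."""
        entry = self.table.get(self.key(p))
        if entry is None:
            # No entry: true for a fresh SYN, but equally true for any
            # mid-stream segment arriving after the table was emptied.
            return "NEW"
        is_reply = (p.src, p.sport) != entry["orig"]
        return "ESTABLISHED" if (entry["reply_seen"] or is_reply) else "NEW"

    def confirm(self, p):
        """Create or update the entry for an accepted packet. As with tcp_loose=1,
        a non-SYN packet may start an entry (mid-stream pickup)."""
        entry = self.table.setdefault(self.key(p), {"orig": (p.src, p.sport), "reply_seen": False})
        if (p.src, p.sport) != entry["orig"]:
            entry["reply_seen"] = True

    def flush(self):
        """What unloading the conntrack modules on a firewall restart does."""
        self.table.clear()


def tcp_flags(mask, comp):
    """iptables '--tcp-flags MASK COMP': of the flags in MASK, exactly COMP are set."""
    mask, comp = frozenset(mask), frozenset(comp)
    return lambda p: (p.flags & mask) == comp


# The INPUT rules from the thread, as (match, target) pairs evaluated in order.
SYN_ONLY = tcp_flags(["FIN", "SYN", "RST", "ACK"], ["SYN"])
BAD_TCP_DROP = (lambda p, st: not SYN_ONLY(p) and st == "NEW", "DROP")
ESTABLISHED_ACCEPT = (lambda p, st: p.dst == SERVER and st in ("RELATED", "ESTABLISHED"), "ACCEPT")
SSH_ACCEPT = (lambda p, st: p.dst == SERVER and p.dport == 22, "ACCEPT")
DEFAULT_DROP = (lambda p, st: p.dst == SERVER, "DROP")

SET_1 = [BAD_TCP_DROP, ESTABLISHED_ACCEPT, SSH_ACCEPT, DEFAULT_DROP]
SET_4 = [ESTABLISHED_ACCEPT, SSH_ACCEPT, DEFAULT_DROP]
# Hypothetical variant (not in the thread): the "bad TCP" rule moved below the
# ESTABLISHED rule, to show that ordering alone does not change the outcome.
SET_1_REORDERED = [ESTABLISHED_ACCEPT, BAD_TCP_DROP, SSH_ACCEPT, DEFAULT_DROP]


def evaluate(chain, ct, p):
    """First matching rule wins; an accepted packet confirms its conntrack entry."""
    st = ct.state(p)
    verdict = "ACCEPT"  # chain policy
    for match, target in chain:
        if match(p, st):
            verdict = target
            break
    if verdict == "ACCEPT":
        ct.confirm(p)
    return verdict


def ssh_session_across_restart(chain):
    """Handshake and one data segment from the client, then the table is emptied
    and the client sends its next segment. Returns the verdicts before and after."""
    ct = Conntrack()
    syn = Packet(CLIENT, SERVER, 50000, 22, frozenset({"SYN"}))
    syn_ack = Packet(SERVER, CLIENT, 22, 50000, frozenset({"SYN", "ACK"}))
    ack = Packet(CLIENT, SERVER, 50000, 22, frozenset({"ACK"}))
    data = Packet(CLIENT, SERVER, 50000, 22, frozenset({"PSH", "ACK"}))

    before = [evaluate(chain, ct, syn)]
    ct.confirm(syn_ack)                  # server's reply leaves via OUTPUT; conntrack sees it
    before += [evaluate(chain, ct, ack), evaluate(chain, ct, data)]

    ct.flush()                           # restart that unloads the conntrack modules
    after = evaluate(chain, ct, data)    # same session, next segment: non-SYN, now NEW
    return {"before_restart": before, "after_restart": after}


if __name__ == "__main__":
    for name, chain in [("set 1", SET_1), ("set 4", SET_4), ("set 1 reordered", SET_1_REORDERED)]:
        print(name, ssh_session_across_restart(chain))
```

Running it shows the two outcomes the thread reports: all three sets accept the handshake and the first data segment, but after the table is emptied the client's next segment (ACK set, SYN clear) is classified NEW, so set 1 drops it and the client's retransmissions meet the same fate, while set 4 accepts it on the port 22 rule and conntrack picks the flow up mid-stream. The reordered variant also drops it, since after a flush there is no ESTABLISHED entry for the earlier rule to match. Whether a given restart empties the table at all depends on whether the conntrack modules are unloaded; on RHEL 6 that is governed by the IPTABLES_MODULES_UNLOAD setting in /etc/sysconfig/iptables-config, a point the thread does not go into.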

