On December 7, 2004 01:45 pm, Nathaniel Hall wrote:
> I am running an RHAS3 firewall with IPTables. When I restart IPTables,
> I get kicked out of my SSH session and everybody around campus gets
> kicked out of telnet. Once I have been kicked out, I cannot re-login
> via SSH.
>
> When I get to the local console of the firewall, I am able to login with
> no prob and restart IPTables; it all succeeds and everything goes back
> to normal. I took a look at /var/log/messages and here is what I get:
>
> /Start of IPTables restart/
> Dec 7 14:58:44 cs-fw iptables: succeeded
> Dec 7 14:58:44 cs-fw last message repeated 2 times
> Dec 7 14:58:44 cs-fw sshd(pam_unix)[21325]: session closed for user root
> Dec 7 15:03:29 cs-fw login(pam_unix)[16534]: session opened for user root by LOGIN(uid=0)
> Dec 7 15:03:29 cs-fw -- root[16534]: ROOT LOGIN ON tty1
> Dec 7 15:03:32 cs-fw kernel: ip_tables: (C) 2000-2002 Netfilter core team
> Dec 7 15:03:32 cs-fw kernel: ip_conntrack version 2.1 (8191 buckets, 65528 max) - 304 bytes per conntrack
> Dec 7 15:03:32 cs-fw iptables: succeeded
> Dec 7 15:03:32 cs-fw iptables: succeeded
> /End of second IPTables restart/
>
> Any ideas?
>
> --
>
> Nathaniel Hall, GSEC
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
>
> halln@xxxxxxx
> 417-447-7535

I do remotely restart iptables anytime I make changes and have only lost
connectivity in two cases:

1) when I made a typo that blocked ssh, but the current session still
continued, just new connections were refused.

2) when I needed an update of the initscripts rpm (can't remember the RH
ver, el2.1 maybe). iptables would start and immediately exit. A temporary
fix, till I got the updated package, was to add a second restart of
iptables in rc.local; that way if the machine was rebooted, iptables
would survive and I could remotely access the system.

I just restarted iptables on my fw via ssh and the only log entry was:

Dec 7 20:48:52 d207-216-10-152 iptables: succeeded

Make sure iptables & initscripts are both up2date. Log into the console
and run iptables -L to see if it is allowing anything (before restarting
iptables). What are you using for scripts (and/or frontend)?

How long does an iptables restart take? It should not be long enough to
cause a timeout in an ssh session. (Have you modified sshd_config?)

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
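Added example, not part of either message above: a small pre-flight check and a rollback watchdog around a remote iptables reload. Pete's first lockout case (a typo that blocked ssh) is the thing the pre-flight catches before any rule is loaded; the watchdog covers whatever the check misses by restoring the previous ruleset after a timeout unless the operator, still logged in, cancels it. Note that Nathaniel's own log shows ip_tables and ip_conntrack being initialized afresh during the restart, so the connection-tracking table starts empty and an ESTABLISHED rule on its own cannot carry the running SSH session across the reload; that is why the watchdog, not the state rule, is the real safety net here. The script assumes a rules file in iptables-save format (the RHEL path /etc/sysconfig/iptables is only a placeholder) and that iptables-save and iptables-restore exist on the firewall; the sample rulesets in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): lockout pre-flight plus rollback
# watchdog for a remote iptables reload. Rules file path and timeout are
# placeholders; iptables-save/iptables-restore are assumed to be present.

# Does the ruleset explicitly accept inbound SSH (tcp/22) on INPUT?
allows_ssh() {
    grep -Eq -- '^-A INPUT .*-p tcp .*--dport (22|ssh)( |$).*-j ACCEPT' "$1"
}

# Does the ruleset accept packets of already-established connections?
# (Only helps while the conntrack table survives the reload.)
allows_established() {
    grep -Eq -- '^-A INPUT .*--(state|ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT' "$1"
}

# Structural sanity: iptables-restore needs a table header and a COMMIT.
looks_restorable() {
    grep -q '^\*filter' "$1" && grep -q '^COMMIT' "$1"
}

# Returns 0 if the file passes every lockout check, 1 otherwise.
preflight() {
    f=$1; ok=0
    looks_restorable "$f"   || { echo "preflight: $f is not iptables-save output" >&2; ok=1; }
    allows_ssh "$f"         || { echo "preflight: no INPUT rule accepting tcp/22" >&2; ok=1; }
    allows_established "$f" || { echo "preflight: no INPUT rule accepting ESTABLISHED" >&2; ok=1; }
    return $ok
}

# Applies $1 after a watchdog is armed that restores the previous ruleset
# after $2 seconds (default 60) unless the operator removes the backup,
# which is only possible from a session that still works.
safe_reload() {
    rules=$1; secs=${2:-60}
    preflight "$rules" || return 1
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # nohup keeps the watchdog alive even if this SSH session is dropped.
    nohup sh -c "sleep $secs; if [ -e '$backup' ]; then iptables-restore < '$backup'; fi; rm -f '$backup'" \
        >/dev/null 2>&1 &
    iptables-restore < "$rules" || return 1
    echo "New rules active. To keep them, run within ${secs}s: rm -f $backup"
}

# Constructed sample rulesets (not from the thread) for an offline check.
# $1 = good|locked, $2 = output path. "locked" omits the SSH rule, the
# classic typo lockout.
write_sample() {
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        [ "$1" = good ] && echo '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
        echo '-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT'
        echo 'COMMIT'
    } > "$2"
}

# Runs the pre-flight on a constructed sample; returns its exit status
# (0 for the good sample, 1 for the locked one). Needs no iptables.
demo_preflight() {
    t=$(mktemp) || return 2
    write_sample "$1" "$t"
    if preflight "$t"; then rc=0; else rc=$?; fi
    rm -f "$t"
    return $rc
}

# Stand-alone use on a firewall:
#   sh safe-reload.sh --reload /etc/sysconfig/iptables 60
if [ "${1:-}" = "--reload" ]; then
    safe_reload "$2" "${3:-60}"
fi
```

The watchdog is deliberately crude: it restores the saved ruleset with iptables-restore rather than calling the init script, so it works the same regardless of which init script or front end generated the rules, and the only thing the operator has to do to commit the change is delete one file from a session that survived.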