iptables-restore hang during system boot

Discussion in 'Linux Networking' started by Stanislaw Findeisen, May 17, 2005.

    -------- SUMMARY --------

    OS:
    * Fedora Core 3 (kernel 2.6)

    Files involved:
    * /etc/sysconfig/iptables
    * /sbin/iptables-restore

    Issues:
    * iptables setup during system boot hangs
    * nat table

    -------- THE STORY --------

    I have recompiled the kernel disabling IP routing. Now iptables lacks
    the nat table. iptables-save's output lists no nat table:

    # Generated by iptables-save v1.2.11 on Tue May 17 09:17:49 2005
    *mangle
    :PREROUTING ACCEPT [13:11993]
    :INPUT ACCEPT [13:11993]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [61:382696]
    :POSTROUTING ACCEPT [6:11120]
    [...rules...]
    COMMIT
    # Completed on Tue May 17 09:17:49 2005
    # Generated by iptables-save v1.2.11 on Tue May 17 09:17:49 2005
    *filter
    :INPUT DROP [6:468]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [55:371576]
    [...rules...]
    COMMIT
    # Completed on Tue May 17 09:17:49 2005

    This is fine.

    -------- THE PROBLEM --------

    But now the system hangs during boot on "Starting firewall...". This is
    when the script /etc/init.d/iptables executes iptables-restore trying to
    read firewall rules from /etc/sysconfig/iptables (where iptables-save's
    output is stored). It recovers, in fact, but after 20 minutes or so. I
    didn't watch that long and don't know what happens. Then the firewall
    seems to be properly configured.

    -------- DIAGNOSTICS AND ATTEMPTS TO SOLVE --------

    I used the --verbose option to iptables-restore during system boot:

    # Generated by iptables-save v1.2.11 on Tue May 17 09:17:49 2005
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    # Completed on Tue May 17 09:17:49 2005
    # Generated by iptables-save v1.2.11 on Tue May 17 09:17:49 2005
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    [Hang here, expected this line:]
    # Completed on Tue May 17 09:17:49 2005

    After the system is booted, the same script (/etc/init.d/iptables start)
    seems to work fine.

    -------- HELP NEEDED --------

    Any ideas on what's going on in iptables-restore then? I guess I must
    have something misconfigured, but what?

    Thanks!
     
    Stanislaw Findeisen, May 17, 2005
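A pre-restore check, added here as an example and not code from the original post or from iptables itself: it parses the `*table` / `:CHAIN POLICY [pkts:bytes]` / `COMMIT` layout of the dump quoted above and reports any table the running kernel cannot restore into (such as nat after routing was compiled out), so the mismatch surfaces as an error before iptables-restore runs at boot. The set of kernel tables is assumed to be read by the caller from /proc/net/ip_tables_names, and the sample dump is constructed, not the poster's file.

```python
# Added example, not the poster's code; `available` is assumed to be read from /proc/net/ip_tables_names.
import re

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")

# Constructed sample dump; it references a nat table the kernel may lack.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [13:11993]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [6:468]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Return ({table: {chain: policy}}, {table: rule count}); ValueError on bad layout."""
    chains, rules, table = {}, {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or save/restore comment
            continue
        if line.startswith("*"):               # start of a table block
            if table is not None:
                raise ValueError(f"line {n}: table {table} not COMMITted")
            table = line[1:]
            chains[table], rules[table] = {}, 0
        elif table is None:
            raise ValueError(f"line {n}: {line!r} outside any table")
        elif line == "COMMIT":                 # end of the table block
            table = None
        elif line.startswith(":"):             # chain, policy and [pkts:bytes]
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {n}: bad chain line {line!r}")
            chains[table][m.group(1)] = m.group(2)
        else:                                  # an -A/-I rule line
            rules[table] += 1
    if table is not None:
        raise ValueError(f"table {table} not COMMITted")
    return chains, rules

def missing_tables(text, available):
    """Tables the dump needs but the kernel (set `available`) cannot restore into."""
    return sorted(t for t in parse_save(text)[0] if t not in available)
```

Run `missing_tables(open("/etc/sysconfig/iptables").read(), kernel_set)` from the init script before calling iptables-restore and abort with a message when the list is non-empty.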