
I was connecting through ssh to a Fedora 23 server and decided to restart iptables after adding a new rule: systemctl restart iptables. However, iptables never restarted, or was very slow to restart (I waited 3+ hours), and it resulted in blocking all connections, forcing me to go to the data center to restart the system. After rebooting everything seemed okay, so I tried running systemctl restart iptables again. The same thing happened: all connections were blocked and iptables -L takes forever to list all the rules. Why does restarting iptables cause this? What is a safer way to restart iptables on Fedora?

Here's the output of iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 6 name: sshold2 side: source mask: 255.255.255.255
           tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh state NEW recent: SET name: sshold2 side: source mask: 255.255.255.255
DROP       tcp  --  anywhere             order.mit.io  tcp dpt:ssh state NEW recent: UPDATE seconds: 120 hit_count: 6 name: sshold side: source mask: 255.255.255.255
           tcp  --  anywhere             order.mit.io  tcp dpt:ssh state NEW recent: SET name: sshold side: source mask: 255.255.255.255
DROP       all  --  loopback/8           anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  -f  192.168.1.0/24       anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
ACCEPT     all  -f  10.0.1.0/24          anywhere            
swatch_rejects  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 50000:60000
ACCEPT     tcp  --  anywhere             clic.brg.mit.io  tcp dpt:http
ACCEPT     tcp  --  anywhere             clic.brg.mit.io  tcp dpt:https
ACCEPT     tcp  --  123.123.123.0/21      lol.al.mit.io  tcp dpt:http
ACCEPT     tcp  --  123.123.123.0/21      lol.al.mit.io  tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:http
ACCEPT     tcp  --  anywhere             lol.al.mit.io  source IP range xxxxx tcp dpt:https
DROP       tcp  --  anywhere             lol.al.mit.io  tcp dpt:http
DROP       tcp  --  anywhere             lol.al.mit.io  tcp dpt:https
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:ssh
ACCEPT     tcp  --  anywhere             pages33.mit.io      tcp dpt:ssh
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:http
ACCEPT     tcp  --  anywhere             order.mit.io  tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ircu
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ircu-2
ACCEPT     udp  --  anywhere             pages.mit.io  udp dpt:bootps
ACCEPT     udp  --  anywhere             pages.mit.io  udp dpt:bootpc
ACCEPT     tcp  --  anywhere             pages.mit.io  tcp dpt:bootps
ACCEPT     tcp  --  anywhere             pages.mit.io  tcp dpt:bootpc
ACCEPT    !icmp --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
DROP       all  --  anywhere             anywhere             ctstate NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain swatch_rejects (1 references)
target     prot opt source               destination   
  • I believe there is a conflict with `firewalld`. – Jakuje Apr 13 '16 at 15:33
  • Doesn't Fedora use firewalld now? – user9517 Apr 13 '16 at 15:34
  • Tried "systemctl status firewalld", got "● firewalld.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead)" – Larry Page Apr 13 '16 at 15:46
  • So it looks like the server we use relies on iptables. We should switch to firewalld, but still I am wondering why restarting the iptables would block everything. – Larry Page Apr 13 '16 at 15:47
  • Maybe you have a broken rule and the policy is set to DROP. Can you post your firewall rules? – Mugurel Apr 13 '16 at 16:01
  • I added the firewall rules. For privacy reasons IP addresses/domains were changed. – Larry Page Apr 13 '16 at 16:18
  • The command `iptables -L` may take time to show rules because it makes a reverse DNS query for every IP address found in the chains. This is the reason I prefer `iptables -nvL`. – Anderson Medeiros Gomes Apr 14 '16 at 00:30
  • Could you post here or in http://pastebin.ca/ the contents of `/etc/sysconfig/iptables` and `/etc/sysconfig/iptables-config` files? I'm wondering if there is something that causes a DNS query during iptables startup. – Anderson Medeiros Gomes Apr 14 '16 at 00:33

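The last comment above suspects that something in `/etc/sysconfig/iptables` triggers a DNS query while the ruleset is being loaded, and an earlier one points out that the INPUT policy is DROP. The following script is an added example written for this page, not code from the asker or from the iptables project. It scans a rules file in the iptables-save format that Fedora's `iptables-services` loads, flags every `-s`/`-d`/`--src-range`/`--dst-range` argument that is a hostname rather than a literal address (those are resolved by `iptables-restore` before the rule can be committed, so an unreachable resolver stalls the restart), and reports which chains carry a DROP policy. The sample ruleset and the `example.net` names in it are constructed for the demonstration; the function names are hypothetical helpers, not an iptables API.

```python
"""Audit an iptables-save style rules file for entries that need DNS at load time.

Added example for this page (not part of iptables or of the asker's setup).
Assumption: the file uses the iptables-save format found in
/etc/sysconfig/iptables on Fedora, i.e. chain headers such as
':INPUT DROP [0:0]' and rule lines such as '-A INPUT -s 10.0.0.0/8 -j ACCEPT'.
"""
import ipaddress
import re
import shlex

# Options whose argument is an address, address list or address range.
# A hostname in one of these is resolved by iptables-restore while the
# ruleset is parsed; if the resolver is unreachable the load blocks until
# it times out.
ADDRESS_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst",
                "--src-range", "--dst-range"}

# Constructed sample ruleset (not the asker's file); line numbers start at 1.
SAMPLE_RULES = """\
# Constructed sample in /etc/sysconfig/iptables format
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:swatch_rejects - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -d order.example.net -p tcp --dport 22 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.1.10-10.0.1.20 -j ACCEPT
-A INPUT ! -s badhost.example.net -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -j DROP
COMMIT
"""


def _is_numeric(value):
    """True if every comma-separated part (and each end of an a-b range)
    parses as an IP address or CIDR, i.e. no DNS lookup is required."""
    for part in value.split(","):
        for piece in part.split("-"):   # --src-range / --dst-range use a-b
            try:
                ipaddress.ip_network(piece, strict=False)
            except ValueError:
                return False
    return True


def find_dns_dependent_rules(rules_text):
    """Return (line_no, option, value) for each address option whose value
    is a hostname rather than a literal address."""
    hits = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line.startswith("-"):   # skip comments, *table, :chain, COMMIT
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok in ADDRESS_OPTS and not _is_numeric(tokens[i + 1]):
                hits.append((lineno, tok, tokens[i + 1]))
    return hits


def chain_policies(rules_text):
    """Map chain name -> policy from ':CHAIN POLICY [pkts:bytes]' headers
    ('-' is what iptables-save writes for user-defined chains)."""
    policies = {}
    for line in rules_text.splitlines():
        m = re.match(r":(\S+)\s+(ACCEPT|DROP|REJECT|-)\s", line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def audit(rules_text):
    """Combine the two findings that together turn a slow restart into a
    lockout: hostnames that must be resolved, and chains whose policy is
    DROP (so nothing gets in while the load is stalled)."""
    drop_chains = sorted(c for c, p in chain_policies(rules_text).items()
                         if p == "DROP")
    return {"drop_chains": drop_chains,
            "dns_dependent": find_dns_dependent_rules(rules_text)}


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for lineno, opt, value in report["dns_dependent"]:
        print(f"line {lineno}: {opt} {value} needs DNS resolution at load time")
    if report["dns_dependent"] and report["drop_chains"]:
        print("chains with DROP policy:", ", ".join(report["drop_chains"]))
        print("replace the hostnames with literal addresses, then dry-run with"
              " 'iptables-restore --test /etc/sysconfig/iptables' before"
              " 'systemctl restart iptables'")
```

Run it against the real file with `audit(open("/etc/sysconfig/iptables").read())`. The dry-run it recommends, `iptables-restore --test`, parses and builds the ruleset without committing it, so a syntax error or a stalled lookup shows up before the running firewall is touched.
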
0 Answers