/etc/init.d/iptables is not flushing the firewall completely. It uses iptables -F, but this only affects the filter table, and not the nat or mangle tables (or any possible additional table); neither does it destroy empty chains created by the user, nor does it reset the policy. Possible fix according to me: on stop, do an iptables-restore < /var/lib/iptables/rules-empty (or rules-default, or whatever) containing a strictly minimal empty rules description, for example [cf. below].

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

Or even better, a script reading /proc/net/ip_tables_names and erasing, resetting, and so on all the needed rules/chains/policies. As an additional note, the script doesn't handle IPv6 tables.
I've just committed iptables 1.2.7a. Please test this version and see if upstream has fixed your problems. It's currently masked; I need to know if this version works as expected before I can unmask.
To be more precise: the problem concerns "/etc/init.d/iptables stop". That is, when you want to stop the firewall completely and want nothing firewalled (since by default this is how Linux works with the default fw configuration), the /etc/init.d/iptables script doesn't restore a firewall as when you just booted without loading any rules. iptables -F is not a command to do this, since it only clears all the rules of all the chains of the filter table, nothing else. Policies remain as before; other tables like mangle and nat aren't affected. And any chains created by the user are not removed (even if this is not problematic, except for restoring the exact configuration of an unconfigured fw). Excerpt of the man page:

    -F, --flush [chain]
        Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.

Only doing this in "iptables stop" isn't sufficient. (I hope my English is understandable.)
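The atomic-restore approach proposed in the first comment, written out as an added example (this is not the script attached to this bug nor the Gentoo init script). It assumes the built-in chain lists shown below, reads the table list from /proc/net/ip_tables_names, and only touches the kernel when invoked with --apply:

```shell
#!/bin/sh
# Added example, not the thread's init script: reset every loaded table to
# "no rules, no user chains, policy ACCEPT" with one atomic iptables-restore
# (comment 1's proposal). Assumption: the chain lists below match the kernel;
# nat is given as the thread lists it (kernels since 2.6.34 also have nat INPUT).

# Built-in chains per table; raw and security go beyond the thread's list.
builtin_chains() {
    case "$1" in
        filter)   echo "INPUT FORWARD OUTPUT" ;;
        nat)      echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle)   echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)      echo "PREROUTING OUTPUT" ;;
        security) echo "INPUT FORWARD OUTPUT" ;;
        *)        echo "" ;;  # unknown table: rules flushed, policies untouched
    esac
}

# Emit an iptables-restore ruleset for the tables named in file $1 (one per
# line, the format of /proc/net/ip_tables_names). Each table is replaced
# wholesale: rules and user chains vanish and policies become ACCEPT in the
# same commit, so there is no moment where a DROP policy stands with the
# admitting rules already gone (the window a plain -F followed by -P opens).
empty_ruleset() {
    while read -r table; do
        [ -n "$table" ] || continue
        echo "*$table"
        for chain in $(builtin_chains "$table"); do
            echo ":$chain ACCEPT [0:0]"
        done
        echo "COMMIT"
    done < "$1"
}

# Apply to the live kernel (needs root); ip6_tables_names covers the IPv6
# tables the original script ignored.
reset_all() {
    if [ -r /proc/net/ip_tables_names ]; then
        empty_ruleset /proc/net/ip_tables_names | iptables-restore
    fi
    if [ -r /proc/net/ip6_tables_names ]; then
        empty_ruleset /proc/net/ip6_tables_names | ip6tables-restore
    fi
}

# Only touch the kernel when asked; otherwise print what would be applied.
if [ "${1:-}" = "--apply" ]; then
    reset_all
elif [ -r /proc/net/ip_tables_names ]; then
    empty_ruleset /proc/net/ip_tables_names
fi
```

Running it without --apply prints the generated ruleset so it can be reviewed before it replaces the live tables.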
Sorry, the above comments were sent out to multiple bugs. This bug was included because it had iptables in the Summary, but when reading the report more carefully it shouldn't have been included. I have made a new version of the script in init.d (attached). It would be great if you could give it a test and see if it is what you want.
Created attachment 3586: new iptables init script
Not tested, but there is a typo: you forgot the /proc in:

    for a in `cat /net/ip_tables_names`; do

But you don't delete empty chains. This is not a big problem, except that attempting to recreate a chain with the same name will abort on error, which can break some scripts. Perhaps with the following code in the main loop:

    for chain in `iptables -L -t $a|awk '/^Chain/{print $2}'`
    do
        iptables -t $a -P $chain ACCEPT 2> /dev/null
        iptables -t $a -X $chain 2> /dev/null
    done

if awk is acceptable, or

    for chain in `iptables -L -t $a|grep '^Chain'|cut -d ' ' -f 2`
    do
        iptables -t $a -P $chain ACCEPT 2> /dev/null
        iptables -t $a -X $chain 2> /dev/null
    done

for a grep/cut alternative.
Sorry for the typo, fixed. If I've read the documentation for iptables right the patch below should be enough to delete userdefined chains. --- iptables.init.old Sun Sep 1 18:38:13 2002 +++ iptables.init Mon Sep 2 08:57:56 2002 @@ -28,8 +28,9 @@ # This way we don't forget to save changes /sbin/iptables-save > ${IPTABLES_SAVE} - for a in `cat /net/ip_tables_names`; do + for a in `cat /proc/net/ip_tables_names`; do iptables -F -t $a + iptables -X -t $a if [ $a == nat ]; then iptables -t nat -P PREROUTING ACCEPT
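Review bot: the added `iptables -X -t $a` has to stay after `iptables -F -t $a`, as it is in this hunk, because -X without a chain argument refuses to delete any user-defined chain that a rule still references; flushing first guarantees every chain is empty and unreferenced. The ordering of the policy reset is the weaker point: the visible context flushes each table first and only afterwards runs `iptables -t nat -P PREROUTING ACCEPT`, so a host whose policy was DROP briefly has no rules admitting traffic while the policy still drops; setting policies to ACCEPT before the -F avoids that window. Also, only the nat branch resets policies explicitly here, while mangle's built-in chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING, as the first comment lists them) carry policies as well and should return to ACCEPT on stop. Finally, `[ $a == nat ]` uses the bash-only `==`; `[ "$a" = nat ]` is the portable form if the script may ever run under /bin/sh.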
Perfect! Tested and worked exactly as expected. Thanks.