Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 75723 - Resetting built-in chains to the default ACCEPT policy do not include all the chains from 'mangle' table
Summary: Resetting built-in chains to the default ACCEPT policy do not include all the...
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 7.3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: wdovlrrw
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2002-10-11 15:31 UTC by Konrad Zak
Modified: 2007-04-18 16:47 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-01-13 21:48:57 UTC

Attachments (Terms of Use)
fixed iptables starting script (deleted)
2002-10-11 15:44 UTC, Konrad Zak
no flags Details

Description Konrad Zak 2002-10-11 15:31:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl-PL; rv:1.1) Gecko/20020826

Description of problem:
Resetting built-in chains to the default ACCEPT policy with 'service iptables
stop' causes 3 of 5 chains from 'mangle' table to stay in previous set default
policy, like i.e. DROP.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.iptables -t mangle -P INPUT DROP
2.iptables -t mangle -P FORWARD DROP
3.iptables -t mangle -P POSTROUTING DROP
4.service iptables stop
5.iptables -t mangle -L

Actual Results:  3 of 5 built-in chains in 'mangle' table do not get back to
default ACCEPT policy when stopping iptables service. 

Expected Results:  'mangle' table built-in chains default policy should be set
to ACCEPT in /etc/init.d/iptables. I modified /etc/init.d/iptables script to
resolve problem. I put link to fixed script in url field of bug form.

Additional info:

the same applies to ip6tables (iptables-ipv6 rpm package).
under file name ip6tables instead of iptables in url I provided you'll find
fixed /etc/init.d/ip6tables script.

Comment 1 Konrad Zak 2002-10-11 15:44:20 UTC
Created attachment 80004 [details]
fixed iptables starting script

Comment 2 Michael Schwendt 2002-10-20 17:02:47 UTC
Red Hat Linux 8.0 is affected, too.

--- iptables.orig       Wed Aug  7 16:34:38 2002
+++ iptables    Sun Oct 20 18:59:52 2002
@@ -117,7 +117,10 @@
           iftable nat -P POSTROUTING ACCEPT && \
           iftable nat -P OUTPUT ACCEPT && \
            iftable mangle -P PREROUTING ACCEPT && \
+           iftable mangle -P POSTROUTING ACCEPT && \
+           iftable mangle -P INPUT ACCEPT && \
            iftable mangle -P OUTPUT ACCEPT && \
+           iftable mangle -P FORWARD ACCEPT && \
           success || \

Comment 3 Michael Schwendt 2002-12-24 21:02:57 UTC
While updating my iptables packages for Psyche and Valhalla, I added patched
iptables initscripts to bug #76367.

Comment 4 Bill Nottingham 2003-01-13 21:48:57 UTC
fixed in iptables-1.2.7a-1.

Note You need to log in before you can comment on or make changes to this bug.