IPTables Problem - help wanted

[MustangV10]

Hi,

IPTables is giving an error (FAILED) when restarting. I'm not sure why.

[root@vps /]# service iptables restart
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: iptable_filter iptable_filter[FAILED]es
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt[ OK ]T
[root@vps /]#

Any ideas?

Thanks.

[Akendo]

Can you show me what your trying to load? As well some VPS have limits on they allowed iptables rules. lsmod can show us a bit more.

so far
Akendo

[nubbix]

Have you used sslstrip lately? Can u elaborate a bit on what you did prior to this issue?

[MustangV10]

Not too sure what you guys mean. I don't think I've used 'sslstrip', however, I can't say for sure. I don't know when it started happening, I just tried to restart IPTables the other day and got this.

Here's the result of lsmod if it helps:

[root@vps]# lsmod
Module Size Used by
iptable_mangle 3461 0
iptable_nat 6270 0
nf_nat 23116 1 iptable_nat
ppp_deflate 4446 0
zlib_deflate 21661 1 ppp_deflate
ppp_async 8002 0
ppp_generic 25758 2 ppp_deflate,ppp_async
slhc 5949 1 ppp_generic
crc_ccitt 1693 1 ppp_async
xt_recent 8601 0
fuse 71961 12
tun 19177 2
vzethdev 8217 0
pio_nfs 17439 0
pio_direct 26074 0
sch_cbq 16769 1
pfmt_raw 3152 0
pfmt_ploop1 5939 0
ploop 111284 4 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
simfs 4512 31
sunrpc 248986 1 pio_nfs
vzdquota 55787 31 [permanent]
ip6t_REJECT 4711 0
ip6table_mangle 3637 0
ip6table_filter 3001 0
ip6_tables 19682 2 ip6table_mangle,ip6table_filter
vzevent 2179 1
bnx2fc 120558 0
fcoe 21068 0
libfcoe 39645 2 bnx2fc,fcoe
libfc 105940 3 bnx2fc,fcoe,libfcoe
scsi_transport_fc 52257 3 bnx2fc,fcoe,libfc
scsi_tgt 12205 1 scsi_transport_fc
8021q 23903 0
garp 7360 1 8021q
vznetdev 18944 60
vzmon 23986 31 vznetdev
vzdev 2733 4 vzethdev,vzdquota,vznetdev,vzmon
xt_owner 2258 0
xt_state 1508 131
xt_length 1338 0
xt_hl 1547 0
xt_tcpmss 1623 0
xt_TCPMSS 3461 0
xt_multiport 2716 0
xt_limit 2230 16
ipt_LOG 6405 12
xt_DSCP 2849 0
xt_dscp 2073 0
ipt_REJECT 2431 0
iptable_filter 2905 9
nf_conntrack_ipv4 9914 134 iptable_nat,nf_nat
nf_conntrack 80469 4 iptable_nat,nf_nat,xt_state,nf_conntrack_ipv4
nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
ip_tables 18119 3 iptable_mangle,iptable_nat,iptable_filter
bridge 83351 0
stp 2189 2 garp,bridge
llc 5658 3 garp,bridge,stp
serio_raw 4866 0
i2c_i801 11247 0
i2c_core 31276 1 i2c_i801
sg 30284 0
iTCO_wdt 13694 0
iTCO_vendor_support 3104 1 iTCO_wdt
ext4 401322 3
mbcache 8160 1 ext4
jbd2 89863 1 ext4
sd_mod 39424 3
crc_t10dif 1557 1 sd_mod
ahci 40471 2
igb 157870 0
dca 7197 1 igb
dm_mirror 14117 0
dm_region_hash 12186 1 dm_mirror
dm_log 10138 2 dm_mirror,dm_region_hash
dm_mod 81788 11 dm_mirror,dm_log
be2iscsi 67658 0
bnx2i 45126 0
cnic 53475 2 bnx2fc,bnx2i
uio 11006 1 cnic
ipv6 326451 1047 ip6t_REJECT,ip6table_mangle,cnic
cxgb4i 28185 0
cxgb4 98781 1 cxgb4i
cxgb3i 24954 0
libcxgbi 52525 2 cxgb4i,cxgb3i
cxgb3 153180 1 cxgb3i
mdio 4748 1 cxgb3
libiscsi_tcp 16582 3 cxgb4i,cxgb3i,libcxgbi
qla4xxx 170387 0
iscsi_boot_sysfs 9666 2 be2iscsi,qla4xxx
libiscsi 47569 7 be2iscsi,bnx2i,cxgb4i,cxgb3i,libcxgbi,libiscsi_t cp,qla4xxx
scsi_transport_iscsi 48058 11 be2iscsi,bnx2i,libcxgbi,qla4xxx,libiscsi
[root@vps]#

A few things have been changed since I posted this. Now get this:

[root@vps]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: mangle nat filte[ OK ]
iptables: Unloading modules: iptable_filter iptable_filter[FAILED]es
iptables: Applying firewall rules: [ OK ]
[root@vps]#

So it's just the iptable_filter that is failing by the looks of it.

[nubbix]

If you edit /etc/rc.d/init.d/iptables and change:

modprobe -r $mod > /dev/null 2>&1

to

modprobe -r $mod

you will see which module failed to unload. I would guess it is a connection tracking module which was "busy".

You can avoid the "FAILED" messages by putting IPTABLES_MODULES_UNLOAD=no into /etc/sysconfig/iptables-config.

[MustangV10]

If you edit /etc/rc.d/init.d/iptables and change:

modprobe -r $mod > /dev/null 2>&1

to

modprobe -r $mod

you will see which module failed to unload. I would guess it is a connection tracking module which was "busy".

You can avoid the "FAILED" messages by putting IPTABLES_MODULES_UNLOAD=no into /etc/sysconfig/iptables-config.

[root@vps /]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: FATAL: Module iptable_filter is in use.
iptable_filterFATAL: Module iptable_filter is in use.
iptable_filterFATAL: Module ip_tables is in use.
ip_tablesFATAL: Module xt_state is in use.
FATAL: Module nf_conntrack_ipv4 is in use.
FATAL: Module nf_conntrack is in use.
[FAILED]
iptables: Applying firewall rules: [ OK ]
iptables: Loading additional modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt[ OK ]T
[root@vps /]#

So I'm guessing I would have to stop all the VPS' with vzctl so they weren't in use to get rid of the errors. However, it's a VPS node so that isn't the answer.

[nubbix]

Guess not

[Akendo]

The Problem you have is: Some open connection depending on the iptables modles. Mean,(this i what i think, not so sure) there is some open connection that is route via iptables. Disabling iptables would mean to interrupt this connection.

I'm sure the kernel is not wanting this. But you could unload the module by hand with modprobe -r.
But be careful about this!

so far
Akendo