Hi
I know Linux 7 ships with firewalld as default firewall service but for various reasons we are still using the iptables service.
Did anybody notice any problems with iptables service on OEL7 with UEK Release 5 kernel when doing stop/start of iptables service?
When doing a simple stop/start iptables after iptables is already up and running:
$ systemctl stop iptables
$ systemctl start iptables
my ssh session gets immediately disconnected.
Other sessions, e.g. sqlnet traffic protected by iptables, are also affected, and this is what worries me! Disconnecting hundreds of sqlnet connections to the database. Ouch.
I know that doing a stop/start of iptables is not something you do every five minutes on a production machine. But on some occasions you have to do it. And causing havoc to all existing connections is not a feature I expected after upgrading to UEK5.
The problem can be reproduced easily with an Oracle-prepared Vagrant box image (https://github.com/oracle/vagrant-boxes/tree/master/OracleLinux/7).
$ uname -a
Linux ol7-vagrant 4.14.35-1902.301.1.el7uek.x86_64 #2 SMP Tue Mar 31 16:50:32 PDT 2020 x86_64 x86_64 x86_64 GNU/Linux
Just stop and disable the default firewalld service that comes preinstalled in the image (doing the following steps as the root user):
$ systemctl stop firewalld
$ systemctl disable firewalld
Install the iptables service:
$ yum install iptables-services
The iptables service already comes with a default set of minimalistic iptables rules (for ssh port 22) in /etc/sysconfig/iptables, which demonstrates the problem.
$ cat /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Enable and start the iptables service.
$ systemctl enable iptables
$ systemctl start iptables
Open a fresh ssh session (this seems to be an important step)!
$ systemctl stop iptables
$ systemctl start iptables
<----- the connection freezes, and after some time you get a disconnect message.
What is interesting is that the same scenario using an OEL8 image with UEK Release 6 works as expected without getting disconnected (https://github.com/oracle/vagrant-boxes/tree/master/OracleLinux/8).
OEL7 with a UEK Release 4 kernel is also not affected by this problem, so you can safely stop/start iptables without causing any disconnects.
Does anybody have an idea how to avoid these disconnects on UEK5?
Regards,
Mitja
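The script below is an added example for this thread, not code from the original post or from Oracle. It is built on what the posted ruleset relies on: every packet of an existing ssh or sqlnet flow is accepted only by the `-m state --state RELATED,ESTABLISHED` rule, which needs a live nf_conntrack state table. The iptables.init `stop` action flushes the rules and, with `IPTABLES_MODULES_UNLOAD="yes"` (the shipped default in /etc/sysconfig/iptables-config), also removes the nf_conntrack modules, so that table is gone by the time `start` loads the rules again. The script checks that setting and the ruleset, reads `nf_conntrack_tcp_loose` (1 lets conntrack re-adopt a TCP flow it has lost, but the first re-seen packet is then classed NEW, so only a port that accepts NEW, here 22, survives; 0 makes such packets INVALID), and replaces the live ruleset with a single `iptables-restore` commit instead of a stop/start, which never flushes first and never unloads a module. Assumed: the OL7/RHEL7 iptables-services file layout, and that this iptables build's `iptables-restore` has `--test`.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from Oracle.
# Assumes the OL7/RHEL7 iptables-services layout: rules in /etc/sysconfig/iptables,
# service options in /etc/sysconfig/iptables-config. Both paths can be overridden by env.
IPT_RULES=${IPT_RULES:-/etc/sysconfig/iptables}
IPT_CONFIG=${IPT_CONFIG:-/etc/sysconfig/iptables-config}

# config_value FILE KEY: print the value of KEY="value" (last occurrence, quotes and
# trailing comment stripped); empty when the key is absent.
config_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/#.*//' -e 's/^[^=]*=//' | tr -d "\"' "
}

# modules_unloaded_on_stop CONFIG: true when a "stop" will rmmod nf_conntrack and friends.
# The shipped default is IPTABLES_MODULES_UNLOAD="yes"; an absent key means yes.
modules_unloaded_on_stop() {
    v=$(config_value "$1" IPTABLES_MODULES_UNLOAD)
    [ "${v:-yes}" = "yes" ]
}

# has_established_accept RULES: true when the INPUT chain accepts RELATED,ESTABLISHED
# (state or conntrack match) and no REJECT/DROP in INPUT comes before that rule.
# Without such a rule every packet of an existing flow falls through to the final REJECT.
has_established_accept() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--(state|ctstate) [A-Z,]*ESTABLISHED/ { est = 1 }
        /^-A INPUT / && /-j (REJECT|DROP)/ && est == 0                       { bad = 1 }
        END { exit (est && !bad) ? 0 : 1 }
    ' "$1"
}

# midstream_pickup_enabled: true when nf_conntrack_tcp_loose=1, i.e. conntrack re-adopts
# a TCP flow whose state it has lost. The first re-seen packet is then NEW, so only ports
# that accept NEW (port 22 in the posted ruleset) survive a lost state table; with 0 such
# packets are INVALID and hit the REJECT.
midstream_pickup_enabled() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_loose
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# reload_rules RULES: replace the live ruleset in one iptables-restore commit.
# Nothing is flushed beforehand and no module is unloaded, so conntrack entries survive
# and the RELATED,ESTABLISHED rule keeps matching the existing ssh and sqlnet flows.
reload_rules() {
    # --test parses and builds the ruleset without committing it (assumed present in this iptables build).
    iptables-restore --test "$1" || { echo "refusing to load: $1 does not parse" >&2; return 1; }
    iptables-restore "$1"
}

# Live path, only when run as root with --apply; the checks above need no privileges.
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    modules_unloaded_on_stop "$IPT_CONFIG" && \
        echo "note: 'systemctl stop iptables' will unload nf_conntrack (IPTABLES_MODULES_UNLOAD=yes)"
    has_established_accept "$IPT_RULES" || { echo "no RELATED,ESTABLISHED accept in INPUT" >&2; exit 1; }
    midstream_pickup_enabled || echo "note: nf_conntrack_tcp_loose=0, lost flows cannot be re-adopted"
    reload_rules "$IPT_RULES"
fi
```

Run it as `sh reload-iptables.sh --apply` after editing /etc/sysconfig/iptables; without `--apply` it only defines the check functions. The stock iptables-services unit is assumed to map `systemctl reload iptables` to `iptables.init reload`, which also goes through iptables-restore rather than the stop path; `systemctl cat iptables` shows whether that ExecReload line is present on a given box.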