# iptables - long pause during booting (modules.conf problem)

## Ian Goldby

During the boot process, my machine hangs for about 2-3 minutes after printing

```
 * Loading iptables state and starting firewall...
 * Restoring iptables ruleset
```

Once the system has finally started, I find that iptables is working fine. My configuration is as follows:

```
# User-defined chain that both INPUT and FORWARD jump to.
iptables -N block

# Allow packets belonging to, or related to, an already tracked connection.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections only if they did NOT arrive on eth0
# (iptables 1.2.x negation syntax; newer releases write "! -i eth0").
iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT

# Allow every ICMP type except redirects (same 1.2.x negation syntax).
iptables -A block -p icmp --icmp-type ! redirect -j ACCEPT

# Everything else is rejected.
iptables -A block -j REJECT

# Send inbound and forwarded traffic through the block chain.
iptables -A INPUT -j block
iptables -A FORWARD -j block
```

I can't remember where I got this from - it just stealths all ports and accepts ICMP echo requests.

I'm running iptables v1.2.8 (v1.2.9 won't compile for me). This problem just started when I upgraded from the 2.4 kernel to 2.6.0-test11-gentoo.

Any ideas what might be wrong?

Last edited by Ian Goldby on Wed Dec 10, 2003 1:05 am; edited 1 time in total

----------

## Ian Goldby

Bump

----------

## asiobob

Perhaps it's because it's 1.2.8?

I installed Gentoo fresh and put on the 2.6 kernel test11, and 1.2.8 doesn't compile but the masked 1.2.9 does....

----------

## Ian Goldby

Weird. Which patchset for the kernel are you using? I'm using linux-2.6.0-test11-gentoo, which I am aware does not yet contain the patch needed for iptables 1.2.9. This thread has more about this.

Do you think applying the patch and emerge-ing 1.2.9 would be worthwhile, or shall I wait for the mm-sources for test11?

----------

## asiobob

Weird, I'm using 2.6.0test11, no patch set.

Emerging 1.2.9 worked; the non-masked version did not.

I haven't actually tried starting it at boot yet or using it.

edit: the URL you gave me appears to be related to a problem emerging 1.2.9 on the 2.4xx kernel.

Several people have emerged 1.2.8 on the stock 2.6.0test11 kernel.

I'm new to 2.6 as well; I guess it has to mature more.

----------

## Ian Goldby

*ASIO_BOB wrote:*

> edit: the URL you gave me appears to be related to a problem emerging 1.2.9 on the 2.4xx kernel.

Well spotted. Thanks for that.

Just tried ACCEPT_KEYWORDS="~x86" emerge iptables again after another emerge sync, and still the same error.

Just had a thought. My /usr/src/linux symlink still points to the 2.4 kernel sources. I've just changed it to point to the 2.6 sources and I'm doing ACCEPT_KEYWORDS="~x86" emerge iptables again.

This time it is progressing differently. Yup, it finished successfully. Next time I boot, I'll let you know if it solved the long wait problem.

----------

## Ian Goldby

Well, I got iptables v1.2.9 installed, but the problem persists.

What's particularly strange is that once the system is finally up, I can stop and restart iptables all I want, and it happens instantly. Unfortunately, that also means that the only way I can test if a change to the configuration makes any difference is to reboot.

Any other ideas?

----------

## Praxxus

Could it be a name resolution error? If you're referring to a host in your iptables init script before name resolution is available (networking is down, DNS ports blocked, etc.), it could cause the system to "hang" while the name resolution attempt times out.

If you are referring to things by name in the iptables script, either replace them with IP addresses or make sure they're listed in /etc/hosts.

----------

## Ian Goldby

I've got slightly further with this. It's not name resolution - I think it is a problem loading a module.

When I stopped iptables, then unloaded all of the associated kernel modules, and then tried to start iptables again, the CPU usage shot up to 100%. After about 3-4 minutes of that (during which the mouse and keyboard were completely unresponsive), the X display started to blank parts of various windows. About 10 minutes later, X died completely and I was returned to the KDM login screen.

I'm going to download the latest gentoo-dev-sources and rebuild my kernel and all modules with the linux symlink pointing to that rather than the 2.4 kernel to see if that makes any difference. I'll probably nuke everything in /lib/modules too.

----------

## Ian Goldby

Well, I haven't done the above yet, because I locked my machine up solid trying to do an rmmod ip_conntrack_ftp.

I removed autoloading of ip_conntrack_ftp (I had a line in /etc/modules.d/iptables that said "add above ip_conntrack ip_conntrack_ftp") and that cleared up the pause during booting. Unfortunately, it also means I cannot now use ftp through the firewall.

OK, so I'll redefine the question:

When iptables starts up, it automatically loads most of the modules it needs. But it doesn't load ip_conntrack_ftp. I put a line in /etc/modules.d/iptables

```
add above ip_conntrack ip_conntrack_ftp
```

which with kernel 2.4.x made sure that when iptables loaded ip_conntrack, ip_conntrack_ftp was also loaded to enable connection tracking of FTP sessions.

With kernel 2.6.0-test11, this doesn't work any more, and locks up the module loading process.

I know I could just add ip_conntrack_ftp to my /etc/modules.autoload file, but that rather defeats the point of having it compiled as a module. It should load only when demanded by the firewall. (By the way, modprobe ip_conntrack_ftp from the command line works fine.)

So: How else can I ensure that ip_conntrack_ftp loads whenever ip_conntrack loads?

----------

## Ian Goldby

My final post on this tonight:

Although

```
add above ip_conntrack ip_conntrack_ftp
```

in /etc/modules.conf doesn't work, the following does work:

```
post-install ip_tables modprobe ip_conntrack_ftp
```

I don't understand why the former stopped working with kernel 2.6.0.

I've got a solution to my problem, but I wonder if the above indicates a bug in the software? Who knows modules.conf better?
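An added check, not from the thread, that confirms without a reboot whether the post-install hook actually brought ip_conntrack_ftp up alongside ip_conntrack: it reads lsmod-style output and reports whether the helper chain is complete. The two listings below are constructed samples (module sizes are made up); on a live box you would pass `"$(lsmod)"`.

```shell
#!/bin/sh
# Added example: verify the FTP conntrack helper chain from lsmod output.
# Exit codes of check_conntrack_chain:
#   0 - ip_conntrack and ip_conntrack_ftp are both loaded (hook worked)
#   1 - ip_conntrack is loaded but ip_conntrack_ftp is missing (hook failed)
#   2 - ip_conntrack itself is not loaded (firewall never pulled it in)

# Print module names from lsmod-style text on stdin, skipping the header.
loaded_modules() {
    awk 'NR > 1 { print $1 }'
}

# Usage: check_conntrack_chain "<lsmod output>"
check_conntrack_chain() {
    mods=$(printf '%s\n' "$1" | loaded_modules)
    have_ct=0
    have_ftp=0
    for m in $mods; do
        case "$m" in
            ip_conntrack)     have_ct=1 ;;
            ip_conntrack_ftp) have_ftp=1 ;;
        esac
    done
    [ "$have_ct" -eq 1 ]  || return 2
    [ "$have_ftp" -eq 1 ] || return 1
    return 0
}

# Constructed sample: state after a working "post-install ip_tables" hook.
LSMOD_OK='Module                  Size  Used by
ip_conntrack_ftp        4900  0
ipt_state               1600  2
ip_conntrack           27000  2 ip_conntrack_ftp,ipt_state
ip_tables              15000  1 ipt_state'

# Constructed sample: conntrack loaded on demand, but no FTP helper.
LSMOD_NO_FTP='Module                  Size  Used by
ipt_state               1600  2
ip_conntrack           27000  1 ipt_state
ip_tables              15000  1 ipt_state'

# Constructed sample: firewall rules never pulled conntrack in at all.
LSMOD_NO_CT='Module                  Size  Used by
ip_tables              15000  0'

# Live use: check_conntrack_chain "$(lsmod)"; echo "status $?"
```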

----------

