Ubuntu
iptables package

iptables package doesn't flush table on removal of package

Bug #1816811 reported by Christopher Warner
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
iptables (Ubuntu)
New
Undecided
Unassigned

Bug Description

The iptables package isn't flushing all tables on removal of the package and the tables still exist until reboot. Intended behavior should be to flush all tables via a dpkg pre-removal script. I'm not sure of any use case where the intended behavior would be to keep the current rules in place but not have iptables available.

root@ip-10-224-187-201:/home/cwarner# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- 127.0.0.0/8 anywhere
ACCEPT tcp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootpc state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:323 state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED

root@ip-10-224-187-201:/home/cwarner# apt remove iptables
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  iptables
0 upgraded, 0 newly installed, 1 to remove and 2 not upgraded.
After this operation, 1,663 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 91459 files and directories currently installed.)
Removing iptables (1.6.0-2ubuntu3) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for man-db (2.7.5-1) ...

*Rules are still in place*

root@ip-10-224-187-201:/home/cwarner# apt install iptables
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  iptables
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 266 kB of archives.
After this operation, 1,663 kB of additional disk space will be used.
Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial/main amd64 iptables amd64 1.6.0-2ubuntu3 [266 kB]
Fetched 266 kB in 0s (7,629 kB/s)
Selecting previously unselected package iptables.
(Reading database ... 91286 files and directories currently installed.)
Preparing to unpack .../iptables_1.6.0-2ubuntu3_amd64.deb ...
Unpacking iptables (1.6.0-2ubuntu3) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up iptables (1.6.0-2ubuntu3) ...
Processing triggers for libc-bin (2.23-0ubuntu10) ...

root@ip-10-224-187-201:/home/cwarner# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- 127.0.0.0/8 anywhere
ACCEPT tcp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootpc state NEW
ACCEPT udp -- anywhere anywhere udp dpt:ntp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:323 state NEW

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state NEW,ESTABLISHED

Same rules, still in place.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.