Re: What is the best way to turn off the iptables
On Thu, 5 Jul 2012 22:28:43 +0800
lina <lina.lastname@gmail.com> wrote:
> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.
>
This is the script I use:
#!/bin/sh
#/etc/iptables/iptables.flush
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Which leaves you wide open, but that is no worse than you were a few
days ago.
> Since I tried to configure the iptables, I have encountered the
> following problems:
>
> 1] I can't access the cups and some other ports I opened in localhost.
>
I'd go along with the others and suggest you start again, with a
skeleton script and add things one at a time. Sprinkle in a fair few
logging rules to help get some idea what is going on. I use logging a
lot, for troubleshooting connections which don't really need a packet
sniffer.
Here's an outline of one of my scripts, which really ought to work as
I've just lifted it from my firewall-server and removed a lot of the
site-specific stuff and the more obscure aggression. You don't need any
FORWARD or NAT sections in a workstation script, I've left them in in
case someone else is doing a two-NIC firewall.
I've defined a number of chains (many more than shown here), as a
firewall-server is quite busy, and it helps to see what's happening in
a large script. Think of subroutines in a program. There's also a
virtual machine living in here, and an OpenVPN termination, as well as
a wireless access point in the network, and there really is no choice
but to be at least a bit organised. Down with spaghetti firewalling...
__________________________________________________________________
#!/bin/sh
# /etc/iptables/iptables.rules
# IP configuration
# various shell variable definitions:
# LanIF, InetIF, ExtIP etc....
# all in one place to make changes easier
# I hate doing search-and-replace in a large iptables script,
# it's too easy to make mistakes
# (placeholder values so the script runs as posted; set these for your site)
LanIF=eth1
InetIF=eth0
ExtIP=203.0.113.1
VPNServ=192.168.1.10
#****************************************************
# Set default policies for built-in chains
# belt and braces, as the chains do have their own terminators
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#****************************************************
# Remove existing rules and user-defined chains
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#************************************************
# User-defined chains
#************************************************
# Log and dispose of
iptables -N newnotsyn
iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
iptables -A newnotsyn -j DROP
iptables -N badpacket
iptables -A badpacket -j DROP
#************************************************
# Built-in chains
#************************************************
# filter table INPUT chain
# Assorted unwanted
iptables -A INPUT -m state --state INVALID -j badpacket
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# ports and protocols to accept from anywhere...
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# a firewall-server will have a list of additional ports and protocols
# accepted from the [hopefully trusted] machines in the LAN here
iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
iptables -A INPUT -j DROP
#******************************
# filter table FORWARD chain
# Assorted unwanted
iptables -A FORWARD -m state --state INVALID -j badpacket
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
# Replies OK
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Lists of forwarding in and out permitted here,
# easiest if in separate chains...
iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
iptables -A FORWARD -j DROP
#******************************
# filter table OUTPUT chain
# Assorted unwanted
iptables -A OUTPUT -m state --state INVALID -j badpacket
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
# ports and protocols to accept here
# followed by:
#iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
#iptables -A OUTPUT -j DROP
# but I'm currently accepting everything going out,
iptables -A OUTPUT -j ACCEPT
#******************************
# nat table chains
# Port/protocol forwarding into LAN
#iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
#iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ
# squid transparent web proxy
iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128
# Network NAT
iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP
#*****************************************************
echo "Firewall rules loaded"
______________________________________________________________________
It is a bit simplified, but you can add further restrictions (e.g. lo,
the private address ranges, icmp etc.) once you have everything working.
--
Joe
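Added example, not part of Joe's message: a POSIX shell function that tallies the kernel log entries written by LOG rules such as the "INPUT DIED:" and "SSH ACCEPTED:" ones in the script above, grouped by prefix, input interface, protocol and destination port, so that a locally dropped CUPS connection (port 631 on lo) surfaces at the top of the list. The log lines are constructed samples, and the hostname, addresses and ports in them are made up.

```shell
#!/bin/sh
# Tally iptables LOG-target entries (as found in /var/log/kern.log or dmesg)
# by "<prefix>|<in iface>|<proto>|<dport>" so the rule that ate a connection
# is easy to spot. Works on stdin, one kernel log line per record.

# Constructed sample, not a real capture: two dropped CUPS connections on lo,
# one accepted SSH session, one dropped telnet probe and one dropped ping.
SAMPLE_LOG='Jul  5 22:30:01 fw kernel: INPUT DIED:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=631 WINDOW=43690 RES=0x00 SYN URGP=0
Jul  5 22:30:02 fw kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=631 WINDOW=43690 RES=0x00 SYN URGP=0
Jul  5 22:30:05 fw kernel: SSH ACCEPTED:IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  5 22:30:09 fw kernel: INPUT DIED:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=33000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  5 22:30:10 fw kernel: INPUT DIED:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# Prints "<count> <prefix>|<iface>|<proto>|<dport>", most frequent first.
# Fields that are absent (e.g. DPT on ICMP) are shown as "-".
summarize_fw_log() {
    awk '
    # Return the value of KEY=... in s, or "-" if missing or empty.
    function field(s, key,   v) {
        if (match(s, key "[^ ]*")) {
            v = substr(s, RSTART + length(key), RLENGTH - length(key))
            return v == "" ? "-" : v
        }
        return "-"
    }
    {
        line = $0
        sub(/^.*kernel: /, "", line)          # drop syslog timestamp/host
        sub(/^\[ *[0-9.]+\] /, "", line)      # drop optional [uptime] stamp
        idx = index(line, "IN=")              # the --log-prefix ends where IN= starts
        if (idx == 0) next                    # not a netfilter LOG line
        prefix = substr(line, 1, idx - 1)
        sub(/ +$/, "", prefix)
        key = prefix "|" field(line, "IN=") "|" field(line, "PROTO=") "|" field(line, "DPT=")
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Point it at the real log with `grep 'DIED:' /var/log/kern.log | summarize_fw_log` to see which prefix, interface and port the dropped packets were hitting before deciding which ACCEPT rule is missing.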