
Re: What is the best way to turn off the iptables



On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailinglist@darac.org.uk> wrote:
> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> # iptables --flush

I tried before.

# iptables -F
# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Seems it dropped everything. I can't even connect to the internet.

Where can I change the default?

>
> will clear out all your iptables rules.
>
>>
>> or come back to its default settings. Flush my current one.
>>
>> Since I tried to configure the iptables, I have encountered the
>> following problems:
>>
> [cut]
>>
>> 2] The shutdown process is decades long. I mean it used to be fast to
>> shut down; now I need to wait ~3 mins.
>>
>> BTW, how to check the time of booting and shutting down?
>
> I'm not sure about shutting down, but try the bootchart2 package.
> That'll profile your booting and tell you all you need to know.
>
>>
>> 3] My syslog is flooding with similar information (kernel: [
>> 436.954509] --log-prefixIN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
>> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
>> SPT=137 DPT=137 LEN=58 ).
>
> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
> is bug #678499, I believe.
>
>>
>> Google showed me it's possible to not put the log in syslog.
>>
>> 4] Is there someone willing to share some iptables template, a bit
>> more mature one with an explanation?
>>
>> Thanks with best regards,
>>
>> P.S. The current one I use (mainly adopted from
>> http://wiki.debian.org/iptables). Here it is:
> [cut]
>
> Ah, looking at your firewall, I might see what your problem is with
> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
> at some other address. If you're using 127.0.0.1, then you still want
> line 5 enabled; the traffic should be using the loopback device or
> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
> you need to allow access to port 631 in the same way that you have
> allowed access to ports 80, 443 and 22.

# more iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

It still does not work for CUPS or some other ports I opened.

I found that most of the information I googled is quite old.

>
> Enjoy
>
Thanks,
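Added example, not from anyone in this thread: a small POSIX shell script for the two points raised above. `iptables -F` removes the rules but keeps the chain policies, so with `:INPUT DROP` everything that the RELATED,ESTABLISHED rule used to let back in is now dropped; "turning off" the firewall means also setting the policies back to ACCEPT. The second helper, `lint_rules`, checks an iptables-restore file for the missing loopback ACCEPT rule (the "line 5" Darac refers to) and for the `--log-prefix --log-prefix` line that produces the literal "--log-prefix" in syslog. The function names and the dry-run `IPT` variable are my own conventions, not Debian's.

```shell
#!/bin/sh
# Dry-run by default: commands are only printed. Set APPLY=1 and run as root
# to execute the real iptables commands.
IPT="${IPT:-echo iptables}"
[ "${APPLY:-0}" = 1 ] && IPT=iptables

# Fully disable packet filtering: ACCEPT policies first (so nothing is cut off
# while rules disappear), then flush rules and delete user chains in every table.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
    done
}

# Print one line per problem found in an iptables-restore file; return 1 if
# anything was flagged, 0 if the file is clean.
lint_rules() {
    file="$1"
    rc=0
    if grep -q '^:INPUT DROP' "$file" \
       && ! grep -q -- '-A INPUT -i lo -j ACCEPT' "$file"; then
        echo "INPUT policy is DROP but there is no '-A INPUT -i lo -j ACCEPT':" \
             "traffic to 127.0.0.1 is dropped unless its port is explicitly opened"
        rc=1
    fi
    if grep -q -- '--log-prefix --log-prefix' "$file"; then
        echo "LOG rule uses '--log-prefix --log-prefix': the prefix becomes the" \
             "literal text '--log-prefix'; use e.g. --log-prefix \"iptables-in: \""
        rc=1
    fi
    return $rc
}

# Usage: sh firewall-tools.sh [/etc/iptables.up.rules]
reset_firewall
if [ -n "${1:-}" ]; then
    lint_rules "$1"
fi
```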
