[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What is the best way to turn off the iptables



On Fri, Jul 6, 2012 at 4:01 AM, Joe <joe@jretrading.com> wrote:
> On Thu, 5 Jul 2012 22:28:43 +0800
> lina <lina.lastname@gmail.com> wrote:
>
>> Hi,
>>
>> What is the best way to turn off the iptables?
>>
>> or come back to its default settings. Flush my current one.
>>
>
> This is the script I use:
>
> #!/bin/sh
> #/etc/iptables/iptables.flush
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> Which leaves you wide open, but that is no worse than you were a few
> days ago.

I follow above advice,

:/etc/iptables# more iptables.flush
#!/bin/bash

# /etc/iptables/iptables.flush

IPT=/sbin/iptables

$IPT -t filter -F
$IPT -t filter -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

Now the # iptables -L -vn
Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source
destination

I still can't open the localhost ports. Strange?

Thanks,


>
>> Since I tried to configure the iptables, I have encountered the
>> following problems:
>>
>> 1] I can't access the cups and some other ports I opened in localhost.
>>
>
> I'd go along with the others and suggest you start again, with a
> skeleton script and add things one at a time. Sprinkle in a fair few
> logging rules to help get some idea what is going on. I use logging a
> lot, for troubleshooting connections which don't really need a packet
> sniffer.
>
> Here's an outline of one of my scripts, which really ought to work as
> I've just lifted it from my firewall-server and removed a lot of the
> site-specific stuff and the more obscure aggression. You don't need any
> FORWARD or NAT sections in a workstation script, I've left them in in
> case someone else is doing a two-NIC firewall.
>
> I've defined a number of chains (many more than shown here), as a
> firewall-server is quite busy, and it helps to see what's happening in
> a large script. Think of subroutines in a program. There's also a
> virtual machine living in here, and an OpenVPN termination, as well as
> a wireless access point in the network, and there really is no choice
> but to be at least a bit organised. Down with spaghetti firewalling...
>
> __________________________________________________________________
> #!/bin/sh
> # /etc/iptables/iptables.rules
>
> # IP configuration
>
> # various shell variable definitions:
> # LanIF, InetIF, ExtIP etc....
> # all in one place to make changes easier
> # I hate doing search-and-replace in a large iptables script,
> # it's too easy to make mistakes
>
> #****************************************************
>
> # Set default policies for built-in chains
>
> # belt and braces, as the chains do have their own terminators
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> #****************************************************
>
> # Remove existing rules and user-defined chains
>
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> #************************************************
> # User-defined chains
> #************************************************
>
> # Log and dispose of
>
> iptables -N newnotsyn
> iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT
> SYN:"
> iptables -A newnotsyn -j DROP
>
> iptables -N badpacket
> iptables -A badpacket -j DROP
>
> #************************************************
> # Built-in chains
> #************************************************
> # filter table INPUT chain
>
> # Assorted unwanted
> iptables -A INPUT -m state --state INVALID -j badpacket
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
>
> # ports and protocols to accept from anywhere...
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug
> --log-prefix "SSH ACCEPTED:"
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>
> # a firewall-server will have a list of additional ports and protocols
> # accepted from the [hopefully trusted] machines in the LAN here
>
> iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
> iptables -A INPUT -j DROP
>
> #******************************
> # filter table FORWARD chain
>
> # Assorted unwanted
> iptables -A FORWARD -m state --state INVALID -j badpacket
> iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> # Replies OK
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Lists of forwarding in and out permitted here,
> # easiest if in separate chains...
>
> iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD
> DIED:"
> iptables -A FORWARD -j DROP
>
> #******************************
> # filter table OUTPUT chain
>
> # Assorted unwanted
> iptables -A OUTPUT -m state --state INVALID -j badpacket
> iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> # ports and protocols to accept here
> # followed by:
> #iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT
> DIED:"
> #iptables -A OUTPUT -j DROP
>
> # but I'm currently accepting everything going out,
> iptables -A OUTPUT -j ACCEPT
>
> #******************************
>
> # nat table chains
>
> # Port/protocol forwarding into LAN
> #iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723
> -j DNAT --to-destination $VPNServ:1723
> #iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT
> --to-destination $VPNServ
>
> # squid transparent web proxy
> iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> # Network NAT
> iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP
>
> #*****************************************************
>
> echo "Firewall rules loaded"
>
> ______________________________________________________________________
>
> It is a bit simplified, but you can add further restrictions (e.g. lo,
> the private address ranges, icmp etc.) once you have everything working.

Very nice rules. Thanks,

>
> --
> Joe
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: 20120705210144.270d513e@jretrading.com">http://lists.debian.org/20120705210144.270d513e@jretrading.com
>


Reply to: