
Re: What is the best way to turn off the iptables



On Fri, 6 Jul 2012 15:31:22 +0800,
lina <lina.lastname@gmail.com> wrote:

> On Fri, Jul 6, 2012 at 4:01 AM, Joe <joe@jretrading.com> wrote:
> > On Thu, 5 Jul 2012 22:28:43 +0800
> > lina <lina.lastname@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> What is the best way to turn off the iptables?
> >>
> >> or come back to its default settings. Flush my current one.
> >>
> >
> > This is the script I use:
> >
> > #!/bin/sh
> > #/etc/iptables/iptables.flush
> > iptables -t filter -F
> > iptables -t filter -X
> > iptables -t nat -F
> > iptables -t nat -X
> > iptables -t mangle -F
> > iptables -t mangle -X
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> >
> > Which leaves you wide open, but that is no worse than you were a few
> > days ago.
> 
> I follow the above advice,
> 
> :/etc/iptables# more iptables.flush
> #!/bin/bash
> 
> # /etc/iptables/iptables.flush
> 
> IPT=/sbin/iptables
> 
> $IPT -t filter -F
> $IPT -t filter -X
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> 
> Now the # iptables -L -vn
> Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> I still can't open the localhost ports. Strange?
> 
> Thanks,
> 
> 
> >
> >> Since I tried to configure the iptables, I have encountered the
> >> following problems:
> >>
> >> 1] I can't access the cups and some other ports I opened in
> >> localhost.
> >>
> >
> > I'd go along with the others and suggest you start again, with a
> > skeleton script and add things one at a time. Sprinkle in a fair few
> > logging rules to help get some idea what is going on. I use logging
> > a lot, for troubleshooting connections which don't really need a
> > packet sniffer.
> >
> > Here's an outline of one of my scripts, which really ought to work
> > as I've just lifted it from my firewall-server and removed a lot of
> > the site-specific stuff and the more obscure aggression. You don't
> > need any FORWARD or NAT sections in a workstation script, I've left
> > them in in case someone else is doing a two-NIC firewall.
> >
> > I've defined a number of chains (many more than shown here), as a
> > firewall-server is quite busy, and it helps to see what's happening
> > in a large script. Think of subroutines in a program. There's also a
> > virtual machine living in here, and an OpenVPN termination, as well
> > as a wireless access point in the network, and there really is no
> > choice but to be at least a bit organised. Down with spaghetti
> > firewalling...
> >
> > __________________________________________________________________
> > #!/bin/sh
> > # /etc/iptables/iptables.rules
> >
> > # IP configuration
> >
> > # various shell variable definitions:
> > # LanIF, InetIF, ExtIP etc....
> > # all in one place to make changes easier
> > # I hate doing search-and-replace in a large iptables script,
> > # it's too easy to make mistakes
> >
> > #****************************************************
> >
> > # Set default policies for built-in chains
> >
> > # belt and braces, as the chains do have their own terminators
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > #****************************************************
> >
> > # Remove existing rules and user-defined chains
> >
> > iptables -t filter -F
> > iptables -t filter -X
> > iptables -t nat -F
> > iptables -t nat -X
> > iptables -t mangle -F
> > iptables -t mangle -X
> >
> > #************************************************
> > # User-defined chains
> > #************************************************
> >
> > # Log and dispose of
> >
> > iptables -N newnotsyn
> > iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
> > iptables -A newnotsyn -j DROP
> >
> > iptables -N badpacket
> > iptables -A badpacket -j DROP
> >
> > #************************************************
> > # Built-in chains
> > #************************************************
> > # filter table INPUT chain
> >
> > # Assorted unwanted
> > iptables -A INPUT -m state --state INVALID -j badpacket
> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -i lo -j ACCEPT
> >
> > # ports and protocols to accept from anywhere...
> > iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
> > iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >
> > # a firewall-server will have a list of additional ports and protocols
> > # accepted from the [hopefully trusted] machines in the LAN here
> >
> > iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
> > iptables -A INPUT -j DROP
> >
> > #******************************
> > # filter table FORWARD chain
> >
> > # Assorted unwanted
> > iptables -A FORWARD -m state --state INVALID -j badpacket
> > iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > # Replies OK
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # Lists of forwarding in and out permitted here,
> > # easiest if in separate chains...
> >
> > iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
> > iptables -A FORWARD -j DROP
> >
> > #******************************
> > # filter table OUTPUT chain
> >
> > # Assorted unwanted
> > iptables -A OUTPUT -m state --state INVALID -j badpacket
> > iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > # ports and protocols to accept here
> > # followed by:
> > #iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
> > #iptables -A OUTPUT -j DROP
> >
> > # but I'm currently accepting everything going out,
> > iptables -A OUTPUT -j ACCEPT
> >
> > #******************************
> >
> > # nat table chains
> >
> > # Port/protocol forwarding into LAN
> > #iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
> > #iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ
> >
> > # squid transparent web proxy
> > iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128
> > # Network NAT
> > iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP
> >
> > #*****************************************************
> >
> > echo "Firewall rules loaded"
> >
> > ______________________________________________________________________
> >
> > It is a bit simplified, but you can add further restrictions (e.g.
> > lo, the private address ranges, icmp etc.) once you have everything
> > working.
> 
> Very nice rules. Thanks,
> 
> >
> > --
> > Joe
> >
> >
> 
> 

Maybe nobody is listening on those ports?

What does 

netstat -plunt

return for you?
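One way to act on that question, as an added example that is not part of the thread: a small POSIX shell script that reads `netstat -plunt` output and reports whether anything listens on a given port and whether the socket is bound to loopback only (the netstat sample embedded below is constructed, not taken from lina's machine).

```shell
#!/bin/sh
# Added example, not from the thread: parse `netstat -plunt` output and report
# whether a port has a listener and on which address it is bound.
# SAMPLE_NETSTAT is constructed to mimic netstat's format; on a real host run
#   netstat -plunt | listeners_on 631
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      2001/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           456/dhclient'

# listeners_on PORT  (netstat output on stdin)
# Prints "proto address program" for each socket bound to PORT; exits 1 if none.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")              # the port is the last ":"-field
            if (a[n] == port) {
                addr = substr($4, 1, length($4) - length(a[n]) - 1)
                print $1, addr, $NF            # $NF is PID/program ("-" when not root)
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# bind_scope ADDRESS: a loopback-only socket is unreachable from other hosts
# whatever the firewall says; a wildcard socket depends on the INPUT rules.
bind_scope() {
    case "$1" in
        127.*|::1)   echo loopback ;;
        0.0.0.0|::)  echo any ;;
        *)           echo specific ;;
    esac
}

# check_port PORT: one line per listener, or a diagnosis that none exists.
check_port() {
    out=$(printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on "$1") || {
        echo "port $1: nothing is listening, so no iptables rule can open it"
        return 1
    }
    printf '%s\n' "$out" | while read -r proto addr prog; do
        echo "port $1: $proto $prog bound to $addr ($(bind_scope "$addr"))"
    done
}

check_port 631
check_port 9999 || true
```

If the port shows no listener, the problem is the service, not the firewall; if it is bound to 127.0.0.1, it can only ever be reached from the same host.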
