07/05/12 19:02, lina writes:
> On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailinglist@darac.org.uk> wrote:
>> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>>> Hi,
>>>
>>> What is the best way to turn off iptables?
>>
>> # iptables --flush
>
> I tried that before.
>
> # iptables -F
> # iptables -L
> Chain INPUT (policy DROP)
> target     prot opt source               destination
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> It seems it dropped everything. I can't even connect to the internet.
>
> Where can I change the default?

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

>> will clear out all your iptables rules.
>
> or come back to its default settings. Flush my current one.
>
>>> Since I tried to configure iptables, I have encountered the following
>>> problems:
>>>
>>> [cut]
>>>
>>> 2] The shutdown process is decades long. I mean it used to be fast to
>>> shut down; now I need to wait ~3 mins. BTW, how do I check the time of
>>> booting and shutting down?
>>
>> I'm not sure about shutting down, but try the bootchart2 package. That'll
>> profile your booting and tell you all you need to know.
>>
>>> 3] My syslog is flooding with similar information (kernel: [ 436.954509]
>>> --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00
>>> SRC=172.21.50.212 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128
>>> ID=58729 PROTO=UDP SPT=137 DPT=137 LEN=58 ).
>>
>> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
>> is bug #678499, I believe.
>
> Google showed me it's possible to put the log somewhere other than syslog.
>
>>> 4] Is there someone willing to share an iptables template, a bit mature
>>> one, with an explanation?
>>>
>>> Thanks with best regards,
>>>
>>> P.S. The current one I use (mainly adopted from
>>> http://wiki.debian.org/iptables), here it is:
>>>
>>> [cut]
>>
>> Ah, looking at your firewall, I might see what your problem is with CUPS.
>> You probably access CUPS one of two ways: either at 127.0.0.1 or at some
>> other address. If you're using 127.0.0.1, then you still want line 5
>> enabled; the traffic should be using the loopback device, or otherwise
>> your routing is a bit odd.
>>
>> If you're NOT using 127.0.0.1, then you need to allow access to port 631
>> in the same way that you have allowed access to ports 80, 443 and 22.
>
> # more iptables.up.rules
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -j ACCEPT
> COMMIT
>
> It still doesn't work for CUPS or some other ports I opened. I found that
> most of the information I googled is quite old.
>
>> Enjoy
>
> Thanks,
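As an added example (my own script, not anything posted in this thread), the two things the exchange circles around in one place: a corrected iptables.up.rules in iptables-restore format that accepts loopback first (so CUPS at 127.0.0.1:631 works), opens TCP 631 the same way 80/443/22 are opened, drops the NetBIOS broadcasts that were flooding syslog before they reach the LOG rule, and gives LOG a real prefix; plus a reset function that turns the firewall off completely by setting every policy to ACCEPT before flushing, which is the step the plain `iptables -F` missed. Assumptions, all hypothetical: CUPS is reached on TCP 631, nothing on the host needs NetBIOS (UDP 137/138), and the ruleset lives at /etc/iptables.up.rules as in the Debian wiki layout. The checks at the bottom run without root; `apply` and `reset` need it.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (hypothetical):
# CUPS on TCP 631, no NetBIOS needed on this host, rules at /etc/iptables.up.rules.
set -eu

RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}

# The ruleset lina posted, reproduced from the thread so the checks below can
# be run against it. Its LOG rule carries the literal prefix "--log-prefix",
# which is what shows up in her syslog lines.
posted_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Corrected ruleset (iptables-restore ignores lines beginning with '#').
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: CUPS at 127.0.0.1:631 (and anything else on localhost) arrives on lo
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services reachable from other hosts; 631 is opened exactly like 80/443/22
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NetBIOS name/datagram broadcasts (UDP 137/138) were the lines flooding syslog;
# drop them quietly before the LOG rule (use ACCEPT instead if you run Samba)
-A INPUT -p udp -m multiport --dports 137,138 -j DROP
# Log the rest, rate-limited, with a prefix you can grep for or route in rsyslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Does the ruleset on stdin carry the "--log-prefix --log-prefix" defect?
has_broken_log_prefix() {
    grep -q -- '-j LOG --log-prefix --log-prefix'
}

# Does the corrected ruleset accept TCP connections to port $1?
rules_allow_tcp_port() {
    gen_rules | grep -q -- "--dport $1 -j ACCEPT"
}

# Turn the firewall off for real. Policies go to ACCEPT before the flush:
# flushing with a DROP policy left behind is exactly the "dropped everything"
# state from the thread. $1 is the binary, so ip6tables can be reset the same way.
reset_firewall() {
    ipt=${1:-iptables}
    command -v "$ipt" >/dev/null 2>&1 || return 0
    for table in filter nat mangle raw; do
        "$ipt" -t "$table" -S >/dev/null 2>&1 || continue   # table not present
        for chain in $("$ipt" -t "$table" -S | awk '$1 == "-P" { print $2 }'); do
            "$ipt" -t "$table" -P "$chain" ACCEPT
        done
        "$ipt" -t "$table" -F   # delete every rule
        "$ipt" -t "$table" -X   # delete user-defined chains
        "$ipt" -t "$table" -Z   # zero the counters
    done
}

case "${1:-}" in
    apply) gen_rules > "$RULES_FILE" && iptables-restore < "$RULES_FILE" ;;
    reset) reset_firewall iptables; reset_firewall ip6tables ;;
esac
```

Run `sh fw.sh apply` as root to install the corrected file (it is the same file /etc/network/if-pre-up.d would restore at boot in the Debian wiki setup), and `sh fw.sh reset` to get back to a fully open firewall when something goes wrong; `iptables -S` afterwards should show only `-P ... ACCEPT` lines.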