
Re: What is the best way to turn off the iptables



Sorry for replying directly but I think you may want to read this.

You have:
Chain INPUT (policy DROP)

This should be ACCEPT instead of DROP. Try:

iptables -P INPUT ACCEPT

Then do the same for the FORWARD chain (if you want to get a "vanilla"
configuration)

On 05/07/2012 06:02 μμ, lina wrote:
> On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailinglist@darac.org.uk> wrote:
>> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>>> Hi,
>>>
>>> What is the best way to turn off the iptables?
>> # iptables --flush
> I tried before.
>
> # iptables -F
> # iptables -L
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Seems It dropped all. I even can't connect to the internet.
>
> Where can I change the default?
>
>> will clear out all your iptables rules.
>>
>>> or come back to its default settings. Flush my current one.
>>>
>>> Since I tried to configure the iptables, I have encountered the
>>> following problems:
>>>
>> [cut]
>>> 2] The shutdown process is decades long. I mean it used to be fast to
>>> shut down, now I need to wait ~3 mins
>>>
>>> BTW, how to check the time of booting and shutting down?
>> I'm not sure about shutting down, but try the bootchart2 package.
>> That'll profile your booting and tell you all you need to know.
>>
>>> 3] My syslog is flooding with similar information (kernel: [
>>> 436.954509] --log-prefixIN=eth0 OUT=
>>> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
>>> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
>>> SPT=137 DPT=137 LEN=58 ).
>> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
>> is bug #678499, I believe.
>>
>>> google showed me it's possible to put the log not in syslog.
>>>
>>> 4] Is there someone willing to share an iptables template, a fairly
>>> mature one with explanation?
>>>
>>> Thanks with best regards,
>>>
>>> P.S. The current one I used ( mainly adopted from
>>> http://wiki.debian.org/iptables ), Here it is:
>> [cut]
>>
>> Ah, looking at your firewall, I might see what your problem is with
>> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
>> at some other address. If you're using 127.0.0.1, then you still want
>> line 5 enabled; the traffic should be using the loopback device or
>> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
>> you need to allow access to port 631 in the same way that you have
>> allowed access to ports 80, 443 and 22.
> # more iptables.up.rules
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -j ACCEPT
> COMMIT
>
> Still not work for CUPS or some other ports I opened.
>
> I found those information I googled most are quite old.
>
>> Enjoy
>>
> Thanks,
>
>>
>
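
Added example, not part of the original thread and not written by any of its participants: it shows why "iptables -F" alone left the host unreachable (the flush removes rules but keeps each chain's DROP policy) and builds an accept-all ruleset that iptables-restore can load in one step. The function names are hypothetical, and the sample input is constructed from the ruleset quoted above.

```shell
#!/bin/sh
# Constructed sample: the filter table posted in the thread, in iptables-save format.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# List built-in chains whose policy is DROP, as table:chain. A flush deletes
# only the -A rules, so these chains drop every packet once it has run.
drop_policy_chains() {
    awk '/^\*/ { table = substr($1, 2) }
         /^:/ && $2 == "DROP" { print table ":" substr($1, 2) }'
}

# Rewrite an iptables-save dump into a ruleset with the same tables, every
# built-in chain set to ACCEPT, and no rules or user-defined chains
# (user-defined chains carry "-" in the policy column and are skipped).
open_ruleset() {
    awk '/^\*/ || /^COMMIT$/ { print; next }
         /^:/ && $2 != "-" { print $1 " ACCEPT [0:0]" }'
}

# On a live host, as root (IPv4 only; ip6tables has its own save/restore pair):
#   iptables-save | open_ruleset | iptables-restore
sample_rules | drop_policy_chains
```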

