On Fri, Jul 6, 2012 at 4:01 AM, Joe <j...@jretrading.com> wrote:
> On Thu, 5 Jul 2012 22:28:43 +0800
> lina <lina.lastn...@gmail.com> wrote:
>
>> Hi,
>>
>> What is the best way to turn off the iptables?
>>
>> or come back to its default settings. Flush my current one.
>>
>
> This is the script I use:
>
> #!/bin/sh
> #/etc/iptables/iptables.flush
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> Which leaves you wide open, but that is no worse than you were a few
> days ago.
I followed the above advice:

:/etc/iptables# more iptables.flush
#!/bin/bash
# /etc/iptables/iptables.flush
IPT=/sbin/iptables
$IPT -t filter -F
$IPT -t filter -X
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

Now the output of iptables -L -vn is:

# iptables -L -vn
Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source               destination

I still can't open the localhost ports. Strange?

Thanks,

>
>> Since I tried to configure the iptables, I have encountered the
>> following problems:
>>
>> 1] I can't access the cups and some other ports I opened in localhost.
>>
>
> I'd go along with the others and suggest you start again, with a
> skeleton script and add things one at a time. Sprinkle in a fair few
> logging rules to help get some idea what is going on. I use logging a
> lot, for troubleshooting connections which don't really need a packet
> sniffer.
>
> Here's an outline of one of my scripts, which really ought to work as
> I've just lifted it from my firewall-server and removed a lot of the
> site-specific stuff and the more obscure aggression. You don't need any
> FORWARD or NAT sections in a workstation script; I've left them in, in
> case someone else is doing a two-NIC firewall.
>
> I've defined a number of chains (many more than shown here), as a
> firewall-server is quite busy, and it helps to see what's happening in
> a large script. Think of subroutines in a program. There's also a
> virtual machine living in here, and an OpenVPN termination, as well as
> a wireless access point in the network, and there really is no choice
> but to be at least a bit organised. Down with spaghetti firewalling...
>
> __________________________________________________________________
> #!/bin/sh
> # /etc/iptables/iptables.rules
>
> # IP configuration
>
> # various shell variable definitions:
> # LanIF, InetIF, ExtIP etc....
> # all in one place to make changes easier
> # I hate doing search-and-replace in a large iptables script,
> # it's too easy to make mistakes
>
> #****************************************************
>
> # Set default policies for built-in chains
>
> # belt and braces, as the chains do have their own terminators
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> #****************************************************
>
> # Remove existing rules and user-defined chains
>
> iptables -t filter -F
> iptables -t filter -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
>
> #************************************************
> # User-defined chains
> #************************************************
>
> # Log and dispose of
>
> iptables -N newnotsyn
> iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
> iptables -A newnotsyn -j DROP
>
> iptables -N badpacket
> iptables -A badpacket -j DROP
>
> #************************************************
> # Built-in chains
> #************************************************
> # filter table INPUT chain
>
> # Assorted unwanted
> iptables -A INPUT -m state --state INVALID -j badpacket
> iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
>
> # ports and protocols to accept from anywhere...
> iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>
> # a firewall-server will have a list of additional ports and protocols
> # accepted from the [hopefully trusted] machines in the LAN here
>
> iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
> iptables -A INPUT -j DROP
>
> #******************************
> # filter table FORWARD chain
>
> # Assorted unwanted
> iptables -A FORWARD -m state --state INVALID -j badpacket
> iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> # Replies OK
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Lists of forwarding in and out permitted here,
> # easiest if in separate chains...
>
> iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
> iptables -A FORWARD -j DROP
>
> #******************************
> # filter table OUTPUT chain
>
> # Assorted unwanted
> iptables -A OUTPUT -m state --state INVALID -j badpacket
> iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
>
> # ports and protocols to accept here
> # followed by:
> #iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
> #iptables -A OUTPUT -j DROP
>
> # but I'm currently accepting everything going out,
> iptables -A OUTPUT -j ACCEPT
>
> #******************************
>
> # nat table chains
>
> # Port/protocol forwarding into LAN
> #iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
> #iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ
>
> # squid transparent web proxy
> iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128
> # Network NAT
> iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP
>
> #*****************************************************
>
> echo "Firewall rules loaded"
>
> ______________________________________________________________________
>
> It is a bit simplified, but you can add further restrictions (e.g. lo,
> the private address ranges, icmp etc.) once you have everything working.

Very nice rules.

Thanks,

>
> --
> Joe
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20120705210144.270d5...@jretrading.com
>

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/CAG9cJmk60FFF0RAjQ2LqgBz1eEOdTXLEed-5orRAMwPMC9W=9...@mail.gmail.com
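An added example, not part of the thread, that puts the logging Joe recommends to use: it parses the kernel-log lines that the LOG rules in his script produce (prefixes "INPUT DIED:", "NEW NOT SYN:", "SSH ACCEPTED:"), counts them per prefix, tallies which protocol/port pairs the final INPUT DROP caught, and separates out anything dropped on lo, which is where a "localhost ports don't work" symptom shows up first. The log lines, addresses and ports are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of what the LOG rules in Joe's script write to the kernel
# log (dmesg, /var/log/kern.log). Prefixes match the script; addresses and
# ports are made up for this example.
SAMPLE_LOG = """\
Jul  6 09:12:01 fw kernel: INPUT DIED:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Jul  6 09:12:02 fw kernel: INPUT DIED:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=445 SYN URGP=0
Jul  6 09:12:05 fw kernel: SSH ACCEPTED:IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40022 DPT=22 SYN URGP=0
Jul  6 09:12:09 fw kernel: NEW NOT SYN:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=240 ID=0 PROTO=TCP SPT=80 DPT=33445 ACK URGP=0
Jul  6 09:12:11 fw kernel: INPUT DIED:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=78 TTL=52 ID=0 DF PROTO=UDP SPT=53213 DPT=161 LEN=58
Jul  6 09:12:14 fw kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=45002 DPT=631 SYN URGP=0
"""

# The script's prefixes are letters and spaces only, so the first colon after
# "kernel: " ends the prefix and the KEY=VALUE fields follow directly.
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z ]+):(?P<fields>.*)$")

def parse_line(line):
    """Return {'prefix': ..., 'flags': [...], KEY: VALUE, ...} or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            event.setdefault(key, value)  # first LEN= is the IP header's, not UDP's
        else:
            event["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return event

def summarize(log_text):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    dropped = [e for e in events if e["prefix"] == "INPUT DIED"]
    return {
        "by_prefix": Counter(e["prefix"] for e in events),
        "dropped_ports": Counter((e.get("PROTO"), e.get("DPT")) for e in dropped),
        # Drops arriving on lo usually mean the loopback ACCEPT is missing or
        # ordered after the final DROP; check this first when local ports fail.
        "loopback_drops": [(e.get("PROTO"), e.get("DPT")) for e in dropped if e.get("IN") == "lo"],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for prefix, n in report["by_prefix"].most_common():
        print(f"{n:4d}  {prefix}")
    print("dropped ports:", report["dropped_ports"].most_common())
    print("dropped on lo:", report["loopback_drops"])
```

On a real host, feed it `dmesg` or the kern.log file instead of SAMPLE_LOG; the same prefixes are what the script's --log-prefix options emit.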