On Fri, 6 Jul 2012 15:31:22 +0800, lina <lina.lastn...@gmail.com> wrote:
> On Fri, Jul 6, 2012 at 4:01 AM, Joe <j...@jretrading.com> wrote:
> > On Thu, 5 Jul 2012 22:28:43 +0800
> > lina <lina.lastn...@gmail.com> wrote:
> >
> >> Hi,
> >>
> >> What is the best way to turn off the iptables?
> >>
> >> or come back to its default settings. Flush my current one.
> >>
> >
> > This is the script I use:
> >
> > #!/bin/sh
> > #/etc/iptables/iptables.flush
> > iptables -t filter -F
> > iptables -t filter -X
> > iptables -t nat -F
> > iptables -t nat -X
> > iptables -t mangle -F
> > iptables -t mangle -X
> > iptables -P INPUT ACCEPT
> > iptables -P FORWARD ACCEPT
> > iptables -P OUTPUT ACCEPT
> >
> > Which leaves you wide open, but that is no worse than you were a few
> > days ago.
>
> I followed the above advice,
>
> :/etc/iptables# more iptables.flush
> #!/bin/bash
>
> # /etc/iptables/iptables.flush
>
> IPT=/sbin/iptables
>
> $IPT -t filter -F
> $IPT -t filter -X
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
>
> Now the # iptables -L -vn
> Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> I still can't open the localhost ports. Strange?
>
> Thanks,
>
> >
> >> Since I tried to configure the iptables, I have encountered the
> >> following problems:
> >>
> >> 1] I can't access the cups and some other ports I opened in
> >> localhost.
> >>
> >
> > I'd go along with the others and suggest you start again, with a
> > skeleton script and add things one at a time. Sprinkle in a fair few
> > logging rules to help get some idea what is going on. I use logging
> > a lot, for troubleshooting connections which don't really need a
> > packet sniffer.
> >
> > Here's an outline of one of my scripts, which really ought to work
> > as I've just lifted it from my firewall-server and removed a lot of
> > the site-specific stuff and the more obscure aggression. You don't
> > need any FORWARD or NAT sections in a workstation script, I've left
> > them in in case someone else is doing a two-NIC firewall.
> >
> > I've defined a number of chains (many more than shown here), as a
> > firewall-server is quite busy, and it helps to see what's happening
> > in a large script. Think of subroutines in a program. There's also a
> > virtual machine living in here, and an OpenVPN termination, as well
> > as a wireless access point in the network, and there really is no
> > choice but to be at least a bit organised. Down with spaghetti
> > firewalling...
> >
> > __________________________________________________________________
> > #!/bin/sh
> > # /etc/iptables/iptables.rules
> >
> > # IP configuration
> >
> > # various shell variable definitions:
> > # LanIF, InetIF, ExtIP etc....
> > # all in one place to make changes easier
> > # I hate doing search-and-replace in a large iptables script,
> > # it's too easy to make mistakes
> >
> > #****************************************************
> >
> > # Set default policies for built-in chains
> >
> > # belt and braces, as the chains do have their own terminators
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > #****************************************************
> >
> > # Remove existing rules and user-defined chains
> >
> > iptables -t filter -F
> > iptables -t filter -X
> > iptables -t nat -F
> > iptables -t nat -X
> > iptables -t mangle -F
> > iptables -t mangle -X
> >
> > #************************************************
> > # User-defined chains
> > #************************************************
> >
> > # Log and dispose of
> >
> > iptables -N newnotsyn
> > iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
> > iptables -A newnotsyn -j DROP
> >
> > iptables -N badpacket
> > iptables -A badpacket -j DROP
> >
> > #************************************************
> > # Built-in chains
> > #************************************************
> > # filter table INPUT chain
> >
> > # Assorted unwanted
> > iptables -A INPUT -m state --state INVALID -j badpacket
> > iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A INPUT -i lo -j ACCEPT
> >
> > # ports and protocols to accept from anywhere...
> > iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
> > iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> >
> > # a firewall-server will have a list of additional ports and protocols
> > # accepted from the [hopefully trusted] machines in the LAN here
> >
> > iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
> > iptables -A INPUT -j DROP
> >
> > #******************************
> > # filter table FORWARD chain
> >
> > # Assorted unwanted
> > iptables -A FORWARD -m state --state INVALID -j badpacket
> > iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > # Replies OK
> > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > # Lists of forwarding in and out permitted here,
> > # easiest if in separate chains...
> >
> > iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
> > iptables -A FORWARD -j DROP
> >
> > #******************************
> > # filter table OUTPUT chain
> >
> > # Assorted unwanted
> > iptables -A OUTPUT -m state --state INVALID -j badpacket
> > iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
> >
> > # ports and protocols to accept here
> > # followed by:
> > #iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
> > #iptables -A OUTPUT -j DROP
> >
> > # but I'm currently accepting everything going out,
> > iptables -A OUTPUT -j ACCEPT
> >
> > #******************************
> >
> > # nat table chains
> >
> > # Port/protocol forwarding into LAN
> > #iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
> > #iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ
> >
> > # squid transparent web proxy
> > iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128
> > # Network NAT
> > iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP
> >
> > #*****************************************************
> >
> > echo "Firewall rules loaded"
> >
> > ______________________________________________________________________
> >
> > It is a bit simplified, but you can add further restrictions (e.g.
> > lo, the private address ranges, icmp etc.) once you have everything
> > working.
>
> Very nice rules. Thanks,
>
> >
> > --
> > Joe
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmas...@lists.debian.org
> > Archive: http://lists.debian.org/20120705210144.270d5...@jretrading.com
> >
>

Maybe nobody is listening on those ports? What does netstat -plunt return?

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120706103414.3517b...@bruno.vf-online.local
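The reply's line of reasoning (the filter table is flushed and at ACCEPT, the port still does not answer, so look at whether anything is listening) can be written down as a repeatable check. The script below is an added example and is not code from this thread, from Joe's rules or from lina's flush script. It parses listings in the two formats quoted above, `iptables -L -vn` and `netstat -plunt`, decides whether the filter table really is at defaults (ACCEPT policy on every chain, no rule lines, no user-defined chain that `-X` failed to remove) and then whether a TCP socket is bound to the port in question. The three sample listings are constructed for the example (counters and PIDs made up, in the layout the thread shows), and the function names `filter_is_open`, `listener_for` and `diagnose` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: tell a firewall problem apart
# from a "nothing is listening" problem using the two listings the
# thread discusses. Against a live system, as root:
#   diagnose 631 "$(iptables -L -vn)" "$(netstat -plunt)"

# Constructed sample: `iptables -L -vn` after a successful flush
# (same shape as lina's listing; the counters are made up).
FLUSHED_LISTING='Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Constructed sample: a DROP policy plus a leftover rule on the CUPS port.
LOCKED_LISTING='Chain INPUT (policy DROP 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Constructed sample: `netstat -plunt` with cupsd bound to localhost only
# and sshd on all addresses (PIDs made up).
NETSTAT_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1234/cupsd
'

# filter_is_open LISTING
# Exit 0 when every chain shown has policy ACCEPT and no rule lines remain.
# A user-defined chain header ("Chain foo (2 references)") carries no
# policy, so a chain that -X did not remove also counts as "not open".
filter_is_open() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        /^Chain /        { if ($0 !~ /\(policy ACCEPT /) bad = 1; next }
        /^ *pkts +bytes/ { next }    # column header
        /^ *$/           { next }    # blank separator
                         { bad = 1 } # anything else is a rule
        END { exit bad }'
}

# listener_for PORT LISTING
# Print the PID/program of the TCP socket listening on PORT (on any
# address) and exit 0; exit 1 when nothing listens there.
listener_for() {
    printf '%s\n' "$2" | awk -v port="$1" '
        BEGIN { found = 0 }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # handles 127.0.0.1:631 and :::631
            if (a[n] == port) { print $7; found = 1 }
        }
        END { exit !found }'
}

# diagnose PORT IPTABLES_LISTING NETSTAT_LISTING
# Return 0 (firewall open, service listening), 1 (firewall still in the
# way) or 2 (firewall fine, nothing listening: look at the service, not
# at iptables).
diagnose() {
    if ! filter_is_open "$2"; then
        echo "firewall: filter table still has a DROP policy or leftover rules"
        return 1
    fi
    if prog=$(listener_for "$1" "$3"); then
        echo "ok: port $1 is open and served by $prog"
        return 0
    fi
    echo "no firewall problem: nothing is listening on tcp/$1 (check the service)"
    return 2
}

# Demo on the constructed samples; "|| true" keeps the script going under set -e.
diagnose 631  "$FLUSHED_LISTING" "$NETSTAT_LISTING" || true
diagnose 631  "$LOCKED_LISTING"  "$NETSTAT_LISTING" || true
diagnose 3128 "$FLUSHED_LISTING" "$NETSTAT_LISTING" || true
```

`iptables -L -vn` without `-t` shows only the filter table, so `filter_is_open` says nothing about nat or mangle; lina's flush script touches only the filter table, while Joe's also clears nat and mangle, and a leftover REDIRECT or DNAT rule there would need `iptables -t nat -L -vn` to show up. When `diagnose` returns 2, the next place to look is the service itself (for CUPS, whether cupsd is running and which address it is bound to), not the firewall.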