Sorry for replying directly but I think you may want to read this.

You have:

Chain INPUT (policy DROP)

This should be ACCEPT instead of DROP. Try:

iptables -P INPUT ACCEPT

Then do the same for the FORWARD chain (if you want to get a "vanilla" configuration).

On 05/07/2012 06:02 μμ, lina wrote:
> On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailingl...@darac.org.uk>
> wrote:
>> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>>> Hi,
>>>
>>> What is the best way to turn off the iptables?
>> # iptables --flush
> I tried before.
>
> # iptables -F
> # iptables -L
>
> Chain INPUT (policy DROP)
> target prot opt source destination
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Seems it dropped all. I even can't connect to the internet.
>
> Where can I change the default?
>
>> will clear out all your iptables rules.
>>
>>> or come back to its default settings. Flush my current one.
>>>
>>> Since I tried to configure the iptables, I have encountered the
>>> following problems:
>>>
>> [cut]
>>> 2] The shutdown process is decades long. I mean it used to be fast to
>>> shutdown, now need wait ~3 mins
>>>
>>> BTW, how to check the time of booting and shutting down?
>> I'm not sure about shutting down, but try the bootchart2 package.
>> That'll profile your booting and tell you all you need to know.
>>
>>> 3] My syslog is flooding with similar information (kernel: [
>>> 436.954509] --log-prefixIN=eth0 OUT=
>>> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
>>> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
>>> SPT=137 DPT=137 LEN=58 ).
>> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
>> is bug #678499, I believe.
>>
>>> google showed me it's possible to put the log not in syslog.
>>>
>>> 4] Is there someone willing to share some iptables template, a bit
>>> mature one with explanation.
>>>
>>> Thanks with best regards,
>>>
>>> P.S. The current one I used (mainly adopted from
>>> http://wiki.debian.org/iptables), here it is:
>> [cut]
>>
>> Ah, looking at your firewall, I might see what your problem is with
>> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
>> at some other address. If you're using 127.0.0.1, then you still want
>> line 5 enabled; the traffic should be using the loopback device or
>> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
>> you need to allow access to port 631 in the same way that you have
>> allowed access to ports 80, 443 and 22.
> # more iptables.up.rules
>
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
> -A INPUT -j REJECT --reject-with icmp-port-unreachable
> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
> -A OUTPUT -j ACCEPT
> COMMIT
>
> Still not work for CUPS or some other ports I opened.
>
> I found those information I googled most are quite old.
>
>> Enjoy
>>
> Thanks,
>

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4ff6f314.9020...@gmail.com
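
The behaviour discussed in this thread (a flush removes rules but leaves chain policies in place), shown as an added example that is not part of the original messages. The function names are hypothetical and the sample is constructed from the policy lines and a few rules of the ruleset quoted above; the script only reads iptables-save style text and prints commands, it does not touch the running firewall.

```shell
#!/bin/sh
# Constructed sample: policy lines and three rules from the quoted ruleset.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# after_flush (hypothetical helper): read iptables-save text on stdin and
# print what remains after `iptables -F`. The -A rule lines disappear;
# the table header, the ":CHAIN POLICY [pkts:bytes]" lines and COMMIT stay.
after_flush() {
    awk '/^\*/ || /^:/ || /^COMMIT/ { print }'
}

# locked_chains (hypothetical helper): list built-in chains whose policy is
# DROP. With no rules left, such a chain drops every packet it sees.
locked_chains() {
    awk '/^:/ && $2 == "DROP" { print substr($1, 2) }'
}

# reset_commands (hypothetical helper): print, without running them, the
# commands that return the filter table to an accept-all state. The policy
# changes come before the flush so that a remote session which was allowed
# by a rule is not cut off between the two steps.
reset_commands() {
    locked_chains | while read -r chain; do
        printf 'iptables -P %s ACCEPT\n' "$chain"
    done
    printf 'iptables -F\n'
}

echo "State left behind by a flush:"
printf '%s\n' "$SAMPLE_RULES" | after_flush
echo "Commands for an accept-all reset:"
printf '%s\n' "$SAMPLE_RULES" | reset_commands
```

To check a live system instead of the sample, pipe the output of `iptables-save -t filter` into `reset_commands` and review the printed commands before running them as root.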