07-05-2012, 02:28 PM
lina

What is the best way to turn off the iptables

Hi,

What is the best way to turn off iptables?

Or go back to its default settings and flush my current one.

Since I tried to configure iptables, I have encountered the
following problems:

1] I can't access CUPS and some other ports I opened on localhost.

I commented out line 5; it still does not work.

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

2] The shutdown process is decades long. I mean it used to be fast to
shut down; now I need to wait ~3 mins.

BTW, how do I check the time taken to boot and to shut down?

3] My syslog is flooded with messages like this:

kernel: [ 436.954509] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP SPT=137 DPT=137 LEN=58

Google showed me it's possible to put the log somewhere other than syslog.

4] Is there someone willing to share an iptables template, a fairly
mature one with explanation?

Thanks with best regards,

P.S. The current one I use (mainly adopted from
http://wiki.debian.org/iptables). Here it is:

1 *filter
2
3 # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
6
7 # Accept all established inbound connections
8 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
9
10 # Allows all outbound traffic
11 # You could modify this to only allow certain traffic
12 -A OUTPUT -j ACCEPT
13
14 # Allow HTTP and HTTPS connections from anywhere (the normal ports
for websites)
15 -A INPUT -p tcp --dport 80 -j ACCEPT
16 -A INPUT -p tcp --dport 443 -j ACCEPT
17
18 # Allow SSH connections
19 #-A INPUT -p tcp --dport 22 -j ACCEPT
20 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
21
22 # Allow ping
23 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
24
25 # log iptables denied calls (access via 'dmesg' command)
26 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level warning
27
28 # Reject all other inbound - default deny unless explicitly allowed policy:
29 -A INPUT -j REJECT
30 -A FORWARD -j REJECT
31
32 COMMIT


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJmmxpJmj7PxNi=7Cp1A-3qFKbQZVKUjO5AmWwugTpLRmvA@mail.gmail.com
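An added example for item 3 above (editor's code, not part of the thread or of the Debian wiki ruleset): the logged packet is a NetBIOS name-service broadcast (udp/137 to the .255 address), and a LOG rule placed directly before the catch-all sees every such frame on the LAN. The script below emits the tail of an INPUT chain that drops broadcast noise before the LOG rule, and writes an rsyslog filter that moves the remaining prefixed lines out of /var/log/syslog. It is a dry run by default (rules are echoed); set IPT=iptables and run as root to apply them. The prefix, the limits, the file names and the "& stop" syntax (rsyslog 7 or newer; older rsyslog uses "& ~") are this example's own choices. It does not address the literal "--log-prefix" text in the quoted log line, which is a separate matter.

```shell
#!/bin/sh
# Added example, not from the thread: keep the LOG rule from flooding syslog
# with LAN broadcast noise and send what is still logged to its own file.
# Dry-run by default: every rule is only echoed. Run with IPT=iptables as
# root to apply it.
IPT="${IPT:-echo iptables}"

# tail_rules: the rules that belong at the END of the INPUT chain, after the
# explicit ACCEPT rules and before the catch-all REJECT.
tail_rules() {
    # 1. Silently drop broadcast and multicast frames: they are never for this
    #    host's services and would otherwise eat the 5/min LOG budget.
    $IPT -A INPUT -m addrtype --dst-type BROADCAST -j DROP
    $IPT -A INPUT -m addrtype --dst-type MULTICAST -j DROP
    # 2. NetBIOS name/datagram service from Windows neighbours (unicast retries
    #    included) also goes quietly.
    $IPT -A INPUT -p udp --dport 137:138 -j DROP
    # 3. Log what is left, rate-limited, with a prefix the syslog filter can
    #    key on. --log-level 4 is "warning". Quote the prefix so the trailing
    #    space survives (echo drops the quotes in this dry run).
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables denied: " --log-level 4
    # 4. Catch-all. REJECT answers with an ICMP error, so a local client fails
    #    at once instead of waiting out a TCP time-out as it would under DROP.
    $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# write_rsyslog_filter FILE: rsyslog snippet that diverts the prefixed kernel
# messages into /var/log/iptables.log and stops them reaching /var/log/syslog.
# Intended target: /etc/rsyslog.d/10-iptables.conf, then restart rsyslog.
write_rsyslog_filter() {
    cat > "$1" <<'EOF'
# Divert netfilter LOG lines to their own file and do not process them further.
# (rsyslog 7+; on older rsyslog replace "& stop" with "& ~")
:msg, contains, "iptables denied: " -/var/log/iptables.log
& stop
EOF
}

# Stand-alone demo: show the rules and the filter this script would install.
tail_rules
write_rsyslog_filter /dev/stdout
```

The order matters: iptables evaluates the INPUT chain top to bottom, so the broadcast DROP rules must sit above the LOG rule, and the LOG rule above the REJECT, or the noise is logged anyway.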
 
07-05-2012, 02:50 PM
Darac Marjal

What is the best way to turn off the iptables

On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

# iptables --flush

will clear out all your iptables rules.

>
> or come back to its default settings. Flush my current one.
>
> Since I tried to configure the iptables, I have encountered the
> following problems:
>
[cut]
>
> 2] The shutdown process is decades long. I mean it used to be fast to
> shut down; now I need to wait ~3 mins.
>
> BTW, how do I check the time taken to boot and to shut down?

I'm not sure about shutting down, but try the bootchart2 package.
That'll profile your booting and tell you all you need to know.

>
> 3] My syslog is flooded with messages like this:
> kernel: [ 436.954509] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP SPT=137 DPT=137 LEN=58

Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
is bug #678499, I believe.

>
> Google showed me it's possible to put the log somewhere other than syslog.
>
> 4] Is there someone willing to share an iptables template, a fairly
> mature one with explanation?
>
> Thanks with best regards,
>
> P.S. The current one I use (mainly adopted from
> http://wiki.debian.org/iptables). Here it is:
[cut]

Ah, looking at your firewall, I might see what your problem is with
CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
at some other address. If you're using 127.0.0.1, then you still want
line 5 enabled; the traffic should be using the loopback device or
otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
you need to allow access to port 631 in the same way that you have
allowed access to ports 80, 443 and 22.

Enjoy
 
07-05-2012, 03:02 PM
lina

What is the best way to turn off the iptables

On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailinglist@darac.org.uk> wrote:
> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> # iptables --flush

I tried that before.

# iptables -F
# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

It seems it dropped everything. I even can't connect to the internet.

Where can I change the default?

>
> will clear out all your iptables rules.
>
> [...]
>
> Ah, looking at your firewall, I might see what your problem is with
> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
> at some other address. If you're using 127.0.0.1, then you still want
> line 5 enabled; the traffic should be using the loopback device or
> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
> you need to allow access to port 631 in the same way that you have
> allowed access to ports 80, 443 and 22.

# more iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

Still does not work for CUPS or some other ports I opened.

I found that most of the information I googled is quite old.

>
> Enjoy
>
Thanks,

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQIcBAEBCgAGBQJP9am3AAoJEKB7YbRsd8TGiEUQAKSVOdm2Bi avXlGTMz0xait9
> g/WFxkEU1/cRORGusyN30LaShWY3WJqNoTSvpCzHA3w1UO9xwnYVFQ8RhRt3 dF5K
> OLFrRkuAel9BKd8Xr4Uz0J4sOuBpOBne6PcLDCxVnT1xgEdktu uLhlvF1IGfw+Kq
> ECLeKffGnItRp9hgp6UkUKM8rqURfrWsUzG5LXsLT6c+4/I6ZruhINEo7NSx3TtY
> ANAFZ2Q0auUKEhXmcqZq+ay7u+d/Qb8DMzlmr752h5iCx5TaTSsyZFgjQJWWHqFp
> hJxNbxbkz5MlPgyZuM9U7Acj9dSDZt1AFAxxtMObjbbLXNkbkR hbJDojZeYHZPFf
> psq+YmC805tlD1+WmvOVXXQSrcJht7JWPoQQ2k7gaj2Jl8LMb8 nL3gyg0nRz+lzR
> dUvbH/i1Sh25gL5RD4JefcLd3wfJB/+M0+QOdeGx7VDyDRy8JUjFAq+Bmg0ZVb9j
> RU8AiUKxCRciy2WZ0RrXx7M7yXqaktLnl9lSYx55bwx4UDslBP vP5jVe8zFRlhy3
> yuxQoroXZkMyvPPxGmVyQrGJNHckDUulu4PpicWzUvSiF29DuB fnXBF+M+0HEERw
> PSeAre4Jvml1syPUPaBdwaReD6JnQj8E44d/EF1WlIItq36xxOUG2b9cVSTZAU+v
> H3tarqTQH8EPJNVoyZPm
> =4rOs
> -----END PGP SIGNATURE-----
>


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJm=NNuGPLb0Jja8KZRqnE6jE4Ttmwp+yyLhepTfdrHWsx w@mail.gmail.com
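An added example (editor's code, not from the thread): a static audit of a ruleset in iptables-save format, which is what the iptables.up.rules file above is. It reads the ruleset from stdin and flags the things this thread keeps circling: the INPUT chain policy, a missing loopback ACCEPT, a missing ESTABLISHED,RELATED rule, a LOG rule whose prefix was saved as the literal text "--log-prefix", and any TCP port you name that has no explicit ACCEPT. The embedded sample is a constructed copy of the posted file; the ports 631 and 5000 passed to it are this example's choice. Note that the posted file, unlike the first listing, has no "-A INPUT -i lo -j ACCEPT" line, so traffic to 127.0.0.1 is filtered exactly like traffic from the network.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save style ruleset.
# Usage:  audit_rules PORT... < /etc/iptables.up.rules
# Prints one finding per line and a final count; always returns 0.

audit_rules() {
    rules=$(cat)
    findings=0

    # Chain policy: the fate of a packet that matches no rule at all.
    policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    [ -n "$policy" ] || policy="unset (kernel default ACCEPT)"
    echo "INPUT policy: $policy"

    # 1. Loopback. Without this rule a connection to 127.0.0.1 gets exactly the
    #    same treatment as one arriving from the LAN.
    if ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
        echo "MISSING: -A INPUT -i lo -j ACCEPT (127.0.0.1 traffic is filtered like network traffic)"
        findings=$((findings + 1))
    fi

    # 2. Replies to the host's own outbound connections.
    if ! printf '%s\n' "$rules" | grep -q -- '^-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT'; then
        echo "MISSING: ESTABLISHED,RELATED accept in INPUT (outbound connections get no replies)"
        findings=$((findings + 1))
    fi

    # 3. A LOG rule whose prefix is the literal text "--log-prefix", which is
    #    what produces the "--log-prefixIN=eth0 ..." lines in syslog.
    if printf '%s\n' "$rules" | grep -q -- '--log-prefix --log-prefix'; then
        echo 'BROKEN: LOG prefix saved as "--log-prefix"; re-add the rule with --log-prefix "iptables denied: "'
        findings=$((findings + 1))
    fi

    # 4. An explicit TCP ACCEPT for every port the caller cares about.
    for port in "$@"; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*-p tcp .*--dport $port .*-j ACCEPT"; then
            echo "NOT OPEN: tcp/$port has no ACCEPT rule in INPUT"
            findings=$((findings + 1))
        fi
    done

    echo "findings: $findings"
    return 0
}

# Constructed sample: a copy of the iptables.up.rules posted in the thread.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF
)

# Stand-alone demo: 631 is open, 5000 (the netcat test port) is not.
printf '%s\n' "$SAMPLE_RULES" | audit_rules 631 5000
```

Run it against the live file with "audit_rules 631 < /etc/iptables.up.rules"; it only reads text, so it needs no root and changes nothing.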
 
07-05-2012, 03:02 PM
Mika Suomalainen

What is the best way to turn off the iptables

Hi,

On 05.07.2012 17:28, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

I think that iptables cannot be turned off.

> or come back to its default settings. Flush my current one.

iptables --flush
removes all rules in all chains. This might be dangerous, but if
something bad happens, rebooting should fix it. If you didn't try
rebooting yet, I suggest you try it just in case.

> Since I tried to configure the iptables, I have encountered the
> following problems:
<...>
> 4] Is there someone willing to share an iptables template, a
> fairly mature one with explanation?

I use ufw, which is an iptables frontend. If I want to allow access to,
for example, port 22, I just run "ufw allow 22", which allows access to
both TCP and UDP port 22. It's also possible to limit that, allowing
access to the TCP or UDP port only, with for example "ufw allow 22/tcp".

If you are interested, see https://help.ubuntu.com/community/UFW *
*= Yes, I know that that is Ubuntu guide, but same commands work with
Debian after you install package ufw.



> Thanks with best regards,
<...>


--
Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much.
The best time to contact me is probably weekends when I have better
connectivity with good luck.
 
07-05-2012, 03:08 PM
lina

What is the best way to turn off the iptables

On Thu, Jul 5, 2012 at 11:02 PM, Mika Suomalainen
<mika.henrik.mainio@hotmail.com> wrote:
>
> Hi,
>
> On 05.07.2012 17:28, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> I think that iptables cannot be turned off.
>
>> or come back to its default settings. Flush my current one.
>
> iptables --flush
> removes all rules in all chains. This might be dangerous, but if
> something bad happens, rebooting should fix it. If you didn't try
> rebooting yet, I suggest you to try it just in case.

It seems the iptables settings work immediately, no need to reboot.
I guess I read online hours ago that its process is "embedded" in the
kernel. (Sorry, "embedded" is not the original description, just my
"composed" understanding.)

> <...>
>> 4] Is there someone willing to share an iptables template, a
>> fairly mature one with explanation?
>
> I use ufw, which is an iptables frontend. If I want to allow access to,
> for example, port 22, I just run "ufw allow 22", which allows access to
> both TCP and UDP port 22. It's also possible to limit that, allowing
> access to the TCP or UDP port only, with for example "ufw allow 22/tcp".

I installed the ufw hours ago, I can't remember which reason made me purge it.
I will re-consider it.

Thanks again,
 
07-05-2012, 04:33 PM
Brian

What is the best way to turn off the iptables

On Thu 05 Jul 2012 at 22:28:43 +0800, lina wrote:

> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.

Depends on what rules you have set up.

iptables -F

and

iptables -X

should do it for you.

> 4] Is there someone willing to share an iptables template, a fairly
> mature one with explanation?

There might be, but you do not really want to use someone else's rules.
Have you given any thought as to what you want to achieve, apart from
some hazy (and probably mistaken) idea that you might be safer? As far
as I can see you have a couple of services running. Services are meant
to be accessed, but restrictions on access can generally be set in their
configuration files. Try defining and saying exactly what it is you
want netfilter/iptables to do for you.


 
07-05-2012, 04:36 PM
Brian

What is the best way to turn off the iptables

On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:

> Chain INPUT (policy DROP)
> target prot opt source destination
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> It seems it dropped everything. I even can't connect to the internet.

You've been playing with ufw, haven't you? Purge it to get a sane policy.


 
07-05-2012, 04:54 PM
Anand Sivaram

What is the best way to turn off the iptables

On Thu, Jul 5, 2012 at 10:06 PM, Brian <ad44@cityscape.co.uk> wrote:
> On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:
>
> > Chain INPUT (policy DROP)
> > target prot opt source destination
> >
> > Chain FORWARD (policy DROP)
> > target prot opt source destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > It seems it dropped everything. I even can't connect to the internet.
>
> You've been playing with ufw, haven't you? Purge it to get a sane policy.

You could always flush/remove all the rules. But my suggestion is to
understand why it is blocking you.
You could do that by

iptables -L -vn

which prints the packet stats against each rule.
Another handy tool is netcat. Combining both of these you could easily
debug the iptables scenario. For example, to see your loopback scenario, do
the following in two shells:

shell1: nc -l -p 5000 # listen on port 5000
shell2: echo 'hello' | nc 127.0.0.1 5000 # send something to loopback port 5000

The message should be printed on shell1, and if you type something on shell1
it should come back to shell2 also.

Whether it is coming or not, analyze the packet stats and see which rule's
counter increased.


--
http://saurorja.org

Twitter: @anand_sivaram
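An added example of the counter-reading technique in the post above (editor's code, not from the thread). It diffs two captures of "iptables -L INPUT -vnx" taken before and after the netcat test and prints every rule whose packet counter moved, plus the chain's own policy counter, which is where packets that matched no rule at all are counted. The "-x" flag (exact counters, no K/M rounding) is this example's choice. The two "after" snapshots are constructed, shortened outputs for the ruleset posted earlier: one for a connection to a port with no rule on a chain that has no "-i lo" line (the SYN and its retransmits count against the policy), and one for a connection to tcp/631 that is accepted.

```shell
#!/bin/sh
# Added example, not from the thread: find which INPUT rule (or the chain
# policy) a test packet hit by diffing `iptables -L INPUT -vnx` snapshots.
#
# Live usage (as root):
#   iptables -L INPUT -vnx > /tmp/before
#   echo hello | nc 127.0.0.1 5000
#   iptables -L INPUT -vnx > /tmp/after
#   counter_diff /tmp/before /tmp/after

# counter_diff BEFORE AFTER: print every rule whose packet counter increased,
# and the policy counter if packets fell off the end of the chain.
counter_diff() {
    awk '
    FNR == 1 { pass++; n = 0 }
    # Header: "Chain INPUT (policy DROP 12 packets, 960 bytes)"
    /^Chain / {
        for (i = 1; i <= NF; i++) if ($i == "packets,") pkts[pass, "policy"] = $(i - 1)
        name[pass, "policy"] = "policy " $4
        next
    }
    # Rule lines start with the packet counter; column 3 onward is the rule.
    $1 ~ /^[0-9]+$/ {
        n++
        pkts[pass, n] = $1
        rule = $3
        for (i = 4; i <= NF; i++) rule = rule " " $i
        name[pass, n] = rule
        rules = n
    }
    END {
        hits = 0
        for (k = 1; k <= rules; k++) {
            d = pkts[2, k] - pkts[1, k]
            if (d > 0) { printf "rule %d: +%d pkts  %s\n", k, d, name[2, k]; hits++ }
        }
        d = pkts[2, "policy"] - pkts[1, "policy"]
        if (d > 0) { printf "%s: +%d pkts (matched no rule)\n", name[2, "policy"], d; hits++ }
        if (hits == 0) print "no INPUT counter changed: the packet never reached this chain"
    }' "$1" "$2"
}

# Constructed snapshots, shortened to four rules of the posted ruleset.
BEFORE=$(mktemp); AFTER_TIMEOUT=$(mktemp); AFTER_OK=$(mktemp)
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
      15      900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
EOF
# After "echo hello | nc 127.0.0.1 5000" with no rule for 5000 and no -i lo rule:
# the SYN plus five retransmits match nothing and hit the DROP policy.
cat > "$AFTER_TIMEOUT" <<'EOF'
Chain INPUT (policy DROP 18 packets, 1320 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     3200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       3      180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
      15      900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
EOF
# After "echo hello | nc 127.0.0.1 631": the SYN hits the dpt:631 rule and the
# rest of the conversation (both directions cross INPUT on loopback) is ESTABLISHED.
cat > "$AFTER_OK" <<'EOF'
Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      47     3760 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       4      240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:631
      15      900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
EOF

echo "== timed-out connection =="; counter_diff "$BEFORE" "$AFTER_TIMEOUT"
echo "== accepted connection =="; counter_diff "$BEFORE" "$AFTER_OK"
```

If nothing at all moves, the packet never reached the INPUT chain: check that you are watching the right chain and that the client really sent something (a listener on the wrong address or port gives the same time-out as a firewall).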
 
07-05-2012, 08:01 PM
Joe

What is the best way to turn off the iptables

On Thu, 5 Jul 2012 22:28:43 +0800
lina <lina.lastname@gmail.com> wrote:

> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.
>

This is the script I use:

#!/bin/sh
#/etc/iptables/iptables.flush
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Which leaves you wide open, but that is no worse than you were a few
days ago.

> Since I tried to configure iptables, I have encountered the
> following problems:
>
> 1] I can't access CUPS and some other ports I opened on localhost.
>

I'd go along with the others and suggest you start again, with a
skeleton script and add things one at a time. Sprinkle in a fair few
logging rules to help get some idea what is going on. I use logging a
lot, for troubleshooting connections which don't really need a packet
sniffer.

Here's an outline of one of my scripts, which really ought to work as
I've just lifted it from my firewall-server and removed a lot of the
site-specific stuff and the more obscure aggression. You don't need any
FORWARD or NAT sections in a workstation script, I've left them in in
case someone else is doing a two-NIC firewall.

I've defined a number of chains (many more than shown here), as a
firewall-server is quite busy, and it helps to see what's happening in
a large script. Think of subroutines in a program. There's also a
virtual machine living in here, and an OpenVPN termination, as well as
a wireless access point in the network, and there really is no choice
but to be at least a bit organised. Down with spaghetti firewalling...

________________________________________________________________
#!/bin/sh
# /etc/iptables/iptables.rules

# IP configuration

# various shell variable definitions:
# LanIF, InetIF, ExtIP etc....
# all in one place to make changes easier
# I hate doing search-and-replace in a large iptables script,
# it's too easy to make mistakes

#****************************************************

# Set default policies for built-in chains

# belt and braces, as the chains do have their own terminators
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#****************************************************

# Remove existing rules and user-defined chains

iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#************************************************
# User-defined chains
#************************************************

# Log and dispose of

iptables -N newnotsyn
iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
iptables -A newnotsyn -j DROP

iptables -N badpacket
iptables -A badpacket -j DROP

#************************************************
# Built-in chains
#************************************************
# filter table INPUT chain

# Assorted unwanted
iptables -A INPUT -m state --state INVALID -j badpacket
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# ports and protocols to accept from anywhere...
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# a firewall-server will have a list of additional ports and protocols
# accepted from the [hopefully trusted] machines in the LAN here

iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
iptables -A INPUT -j DROP

#******************************
# filter table FORWARD chain

# Assorted unwanted
iptables -A FORWARD -m state --state INVALID -j badpacket
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn

# Replies OK
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Lists of forwarding in and out permitted here,
# easiest if in separate chains...

iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
iptables -A FORWARD -j DROP

#******************************
# filter table OUTPUT chain

# Assorted unwanted
iptables -A OUTPUT -m state --state INVALID -j badpacket
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn

# ports and protocols to accept here
# followed by:
#iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
#iptables -A OUTPUT -j DROP

# but I'm currently accepting everything going out,
iptables -A OUTPUT -j ACCEPT

#******************************

# nat table chains

# Port/protocol forwarding into LAN
#iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
#iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ

# squid transparent web proxy
iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128
# Network NAT
iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP

#****************************************************

echo "Firewall rules loaded"

______________________________________________________________________

It is a bit simplified, but you can add further restrictions (e.g. lo,
the private address ranges, icmp etc.) once you have everything working.

--
Joe


 
07-06-2012, 03:45 AM
lina

What is the best way to turn off the iptables

>
> You could always flush/remove all the rules. But my suggestion is to
> understand why it is blocking you.
> You could do that by
> iptables -L -vn
> this prints the packets stats against each rule.
> Another handy tool is netcat. Combining both of these you could easily
> debug iptables scenario.
> For example to see your loopback scenario do the following in two shells
>
> shell1: nc -l -p 5000 # listen on port 5000
> shell2: echo 'hello' | nc 127.0.0.1 5000 #send something to loopback port
> 5000
> The message should be printed on shell1 and if you type something on shell1
> it should come back to shell2 also.
>
> If it is coming or not, analyze the packet stats, see it is increased
> against which rule.

$ echo 'hello' | nc 127.0.0.1 5000
(UNKNOWN) [127.0.0.1] 5000 (?) : Connection timed out

I don't know how to analyze/follow the packet stats.

Thanks,
 
