or come back to its default settings. Flush my current one.
Since I tried to configure the iptables, I have encountered the
following problems:
1] I can't access the cups and some other ports I opened in localhost.
I comment the line 5 still not work.
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that
doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
2] The shutdown process in decades long. I mean it used to be fast to
shutdown, now need wait ~3 mins
BTW, how to check the time of booting and shutting down?
3] My syslog is flooding with similar information (kernel: [
436.954509] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
SPT=137 DPT=137 LEN=58 ).
google showed me it's possible to put the log not in syslog.
4] Are there someone willing to sharing some iptables template, a bit
mature one with explaination.
Thanks with best regards,
P.S. The current one I used ( mainly adopted from
http://wiki.debian.org/iptables ), Here it is:
1 *filter
2
3 # Allow all loopback (lo0) traffic and drop all traffic to 127/8
that doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
6
7 # Accept all established inbound connections
8 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
9
10 # Allows all outbound traffic
11 # You could modify this to only allow certain traffic
12 -A OUTPUT -j ACCEPT
13
14 # Allow HTTP and HTTPS connections from anywhere (the normal ports
for websites)
15 -A INPUT -p tcp --dport 80 -j ACCEPT
16 -A INPUT -p tcp --dport 443 -j ACCEPT
17
18 # Allow SSH connections
19 #-A INPUT -p tcp --dport 22 -j ACCEPT
20 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
21
22 # Allow ping
23 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
24
25 # log iptables denied calls (access via 'dmesg' command)
26 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
denied: " --log-level warning
27
28 # Reject all other inbound - default deny unless explicitly allowed policy:
29 -A INPUT -j REJECT
30 -A FORWARD -j REJECT
31
32 COMMIT
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJmmxpJmj7PxNi=7Cp1A-3qFKbQZVKUjO5AmWwugTpLRmvA@mail.gmail.com
07-05-2012, 02:50 PM
Darac Marjal
What is the best way to turn off the iptables
On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?
# iptables --flush
will clear out all your iptables rules.
>
> or come back to its default settings. Flush my current one.
>
> Since I tried to configure the iptables, I have encountered the
> following problems:
>
[cut]
>
> 2] The shutdown process in decades long. I mean it used to be fast to
> shutdown, now need wait ~3 mins
>
> BTW, how to check the time of booting and shutting down?
I'm not sure about shutting down, but try the bootchart2 package.
That'll profile your booting and tell you all you need to know.
>
> 3] My syslog is flooding with similar information (kernel: [
> 436.954509] --log-prefixIN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
> SPT=137 DPT=137 LEN=58 ).
Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
is bug #678499, I believe.
>
> google showed me it's possible to put the log not in syslog.
>
> 4] Are there someone willing to sharing some iptables template, a bit
> mature one with explaination.
>
> Thanks with best regards,
>
> P.S. The current one I used ( mainly adopted from
> http://wiki.debian.org/iptables ), Here it is:
[cut]
Ah, looking at your firewall, I might see what your problem is with
CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
at some other address. If you're using 127.0.0.1, then you still want
line 5 enabled; the traffic should be using the loopback device or
otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
you need to allow access to port 631 in the same way that you have
allowed access to ports 80, 443 and 22.
Enjoy
07-05-2012, 03:02 PM
lina
What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailinglist@darac.org.uk> wrote:
> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> # iptables --flush
Seems It dropped all. I even can't connect to the internet.
Where can I change the default?
>
> will clear out all your iptables rules.
>
>>
>> or come back to its default settings. Flush my current one.
>>
>> Since I tried to configure the iptables, I have encountered the
>> following problems:
>>
> [cut]
>>
>> 2] The shutdown process in decades long. I mean it used to be fast to
>> shutdown, now need wait ~3 mins
>>
>> BTW, how to check the time of booting and shutting down?
>
> I'm not sure about shutting down, but try the bootchart2 package.
> That'll profile your booting and tell you all you need to know.
>
>>
>> 3] My syslog is flooding with similar information (kernel: [
>> 436.954509] --log-prefixIN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
>> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
>> SPT=137 DPT=137 LEN=58 ).
>
> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
> is bug #678499, I believe.
>
>>
>> google showed me it's possible to put the log not in syslog.
>>
>> 4] Are there someone willing to sharing some iptables template, a bit
>> mature one with explaination.
>>
>> Thanks with best regards,
>>
>> P.S. The current one I used ( mainly adopted from
>> http://wiki.debian.org/iptables ), Here it is:
> [cut]
>
> Ah, looking at your firewall, I might see what your problem is with
> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
> at some other address. If you're using 127.0.0.1, then you still want
> line 5 enabled; the traffic should be using the loopback device or
> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
> you need to allow access to port 631 in the same way that you have
> allowed access to ports 80, 443 and 22.
# more iptables.up.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
Still not work for CUPS or some other ports I opened.
I found those information I googled most are quite old.
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJm=NNuGPLb0Jja8KZRqnE6jE4Ttmwp+yyLhepTfdrHWsx w@mail.gmail.com
07-05-2012, 03:02 PM
Mika Suomalainen
What is the best way to turn off the iptables
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
On 05.07.2012 17:28, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?
I think that iptables cannot be turned off.
> or come back to its default settings. Flush my current one.
iptables --flush
removes all rules in all chains. This might be dangerous, but if
something bad happens, rebooting should fix it. If you didn't try
rebooting yet, I suggest you to try it just in case.
> Since I tried to configure the iptables, I have encountered the
> following problems:
<...>
> 4] Are there someone willing to sharing some iptables template, a
> bit mature one with explaination.
I use ufw, which is iptables frontend. If I want to allow access to
for example port 22, I just run "ufw allow 22", which allows access to
both TCP and UDP port 22. It's also possible to limit that allowing
access to TCP or UDP port with for example "ufw allows 22/tcp".
If you are interested, see https://help.ubuntu.com/community/UFW *
*= Yes, I know that that is Ubuntu guide, but same commands work with
Debian after you install package ufw.
> Thanks with best regards,
<...>
- --
Mika Suomalainen
NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much.
The best time to contact me is probably weekends when I have better
connectivity with good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Homepage: http://mkaysi.github.com/
Comment: gpg --keyserver pool.sks-keyservers.net --recv-keys 82A46728
Comment: Public key: http://mkaysi.github.com/PGP/key.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please send plaintext instead of HTML. http://git.io/TAc0cg
Comment: Please don't toppost. http://git.io/7-VB3g
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 4FF5AC9F.7020209@hotmail.com">http://lists.debian.org/4FF5AC9F.7020209@hotmail.com
07-05-2012, 03:08 PM
lina
What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 11:02 PM, Mika Suomalainen
<mika.henrik.mainio@hotmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> On 05.07.2012 17:28, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> I think that iptables cannot be turned off.
>
>> or come back to its default settings. Flush my current one.
>
> iptables --flush
> removes all rules in all chains. This might be dangerous, but if
> something bad happens, rebooting should fix it. If you didn't try
> rebooting yet, I suggest you to try it just in case.
Seems the iptables settings works immediately, no need reboot.
I guess I read online hours ago about its process is "embedded" in
kernel. (sorry, embedded is not the original description, just my
"composed" understanding.)
>
> <...>
>> 4] Are there someone willing to sharing some iptables template, a
>> bit mature one with explaination.
>
> I use ufw, which is iptables frontend. If I want to allow access to
> for example port 22, I just run "ufw allow 22", which allows access to
> both TCP and UDP port 22. It's also possible to limit that allowing
> access to TCP or UDP port with for example "ufw allows 22/tcp".
I installed the ufw hours ago, I can't remember which reason made me purge it.
I will re-consider it.
Thanks again,
>
> If you are interested, see https://help.ubuntu.com/community/UFW *
> *= Yes, I know that that is Ubuntu guide, but same commands work with
> Debian after you install package ufw.
>
>
>
>> Thanks with best regards,
> <...>
>
>
> - --
> Mika Suomalainen
>
> NOTICE! I am on mobile broadband with very limited time, so I cannot
> read emails very much.
> The best time to contact me is probably weekends when I have better
> connectivity with good luck.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.19 (GNU/Linux)
> Comment: Homepage: http://mkaysi.github.com/
> Comment: gpg --keyserver pool.sks-keyservers.net --recv-keys 82A46728
> Comment: Public key: http://mkaysi.github.com/PGP/key.txt
> Comment: Fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
> Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
> Comment: Please send plaintext instead of HTML. http://git.io/TAc0cg
> Comment: Please don't toppost. http://git.io/7-VB3g
> Comment: Charset of this message should be UTF-8.
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJP9aydAAoJEE21PP6CpGcoyfIP/1/NYBRKW5jaPitmWz8COnF6
> EBAsOxtLpjrm9UenAjuOyE6nIz52WDtSHieylJjpQEqKIumwms PpFOy2QNR0YmAo
> kThuAN+xALfQsHz0HbpOtgaKMOzDEN9GJT3T1vgZSEgzbKllwt Lt3HahRzF+MN6R
> 6Hsy/msiSPj6Jpw+Z3LTLM1cZsJF5ZPJVGD3Do1s84tq6tuJwg2sdJW i0zSnWEd3
> c2zOnWWVo3A2r4vklJxJiEiQkeMAxYLyaJCOXtTmeKOOggFoCp RUydX8uUVLIAC7
> gi99JPkIHQelh1pcc0Qmk3/TpInazIH+BoAOGuyBxeT9K3Zois2IfoiW34aFdoWs
> eG77ubjnr+f4x8TJiwzI1lGwAjPqyxnvPtOGv8kP3qaOinlvcv baU3or5hEdwA25
> 1pfjfcmKEjKOldjtUcj0Gj14k/84EUde+NGegJZe0M/YgVwFwrfSwdbloh3m0gbN
> Jss4j9vPF/sqIs4ODc3iuLH2rLyj7JqurhaXa/wbRaLptSelTxj2b7pP7t7QZKGw
> UqjcX3iM6wzWnU3ZJiIbJvWyVHqcHbnToGBVfuOh5l2eI2WynX tPsggcj4Ih8huK
> ba31diAAQZuOLE3p1AujetFHBt2IxiDMMIbFz0eOtfiSK2jrqK ELjEpJXNfo/zco
> Gi9E+Nic5vpIPplpR6oI
> =lS1/
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/4FF5AC9F.7020209@hotmail.com
>
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CAG9cJmnoUS_2em71VyNkW9w2_VYGq4U4jajOW_hg-_sQioqF-g@mail.gmail.com">http://lists.debian.org/CAG9cJmnoUS_2em71VyNkW9w2_VYGq4U4jajOW_hg-_sQioqF-g@mail.gmail.com
07-05-2012, 04:33 PM
Brian
What is the best way to turn off the iptables
On Thu 05 Jul 2012 at 22:28:43 +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.
Depends on what rules you have set up.
iptables -F
and
iptables -X
should do it for you.
> 4] Are there someone willing to sharing some iptables template, a bit
> mature one with explaination.
There might be but you do not really want to use someone else's rules.
Have you given any thought as to what you want to achieve, apart from
some hazy (and probably mistaken) idea that you might be safer? As far I
can see you have a couple of services running. Services are meant to be
accessed but restrictions on access can generally be set in their
configuration files. Try defining and saying exactly what it is you
want netfilter/iptables to do for you.
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120705163337.GE28931@desktop
07-05-2012, 04:36 PM
Brian
What is the best way to turn off the iptables
On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:
> Chain INPUT (policy DROP)
> target prot opt source destination
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Seems It dropped all. I even can't connect to the internet.
You've been playing with ufw, haven't you? Purge it to get a sane policy.
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120705163651.GF28931@desktop
07-05-2012, 04:54 PM
Anand Sivaram
What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 10:06 PM, Brian <ad44@cityscape.co.uk> wrote:
You could always flush/remove all the rules. *But my suggestion is to *understand why it is blocking you.
You could do that byiptables -L -vnthis prints the packets stats against each rule.
Another handy tool is netcat. *Combining both of these you could easily*debug iptables scenario.For example to see your loopback scenario do the following in two shells
shell1: nc -l -p 5000 # listen on port 5000shell2: echo 'hello' | nc 127.0.0.1 5000 #send something to loopback port 5000
The message should be printed on shell1 and if you type something on shell1*it should come back to shell2 also.
If it is coming or not, analyze the packet stats, see it is increased against*which rule.
--
http://saurorja.org
Twitter: @anand_sivaram
07-05-2012, 08:01 PM
Joe
What is the best way to turn off the iptables
On Thu, 5 Jul 2012 22:28:43 +0800
lina <lina.lastname@gmail.com> wrote:
> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.
>
Which leaves you wide open, but that is no worse than you were a few
days ago.
> Since I tried to configure the iptables, I have encountered the
> following problems:
>
> 1] I can't access the cups and some other ports I opened in localhost.
>
I'd go along with the others and suggest you start again, with a
skeleton script and add things one at a time. Sprinkle in a fair few
logging rules to help get some idea what is going on. I use logging a
lot, for troubleshooting connections which don't really need a packet
sniffer.
Here's an outline of one of my scripts, which really ought to work as
I've just lifted it from my firewall-server and removed a lot of the
site-specific stuff and the more obscure aggression. You don't need any
FORWARD or NAT sections in a workstation script, I've left them in in
case someone else is doing a two-NIC firewall.
I've defined a number of chains (many more than shown here), as a
firewall-server is quite busy, and it helps to see what's happening in
a large script. Think of subroutines in a program. There's also a
virtual machine living in here, and an OpenVPN termination, as well as
a wireless access point in the network, and there really is no choice
but to be at least a bit organised. Down with spaghetti firewalling...
# various shell variable definitions:
# LanIF, InetIF, ExtIP etc....
# all in one place to make changes easier
# I hate doing search-and-replace in a large iptables script,
# it's too easy to make mistakes
# Assorted unwanted
iptables -A OUTPUT -m state --state INVALID -j badpacket
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
# ports and protocols to accept here
# followed by:
#iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT
DIED:"
#iptables -A OUTPUT -j DROP
# but I'm currently accepting everything going out,
iptables -A OUTPUT -j ACCEPT
#******************************
# nat table chains
# Port/protocol forwarding into LAN
#iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723
-j DNAT --to-destination $VPNServ:1723
#iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT
--to-destination $VPNServ
It is a bit simplified, but you can add further restrictions (e.g. lo,
the private address ranges, icmp etc.) once you have everything working.
--
Joe
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20120705210144.270d513e@jretrading.com">http://lists.debian.org/20120705210144.270d513e@jretrading.com
07-06-2012, 03:45 AM
lina
What is the best way to turn off the iptables
>
> You could always flush/remove all the rules. But my suggestion is to
> understand why it is blocking you.
> You could do that by
> iptables -L -vn
> this prints the packets stats against each rule.
> Another handy tool is netcat. Combining both of these you could easily
> debug iptables scenario.
> For example to see your loopback scenario do the following in two shells
>
> shell1: nc -l -p 5000 # listen on port 5000
> shell2: echo 'hello' | nc 127.0.0.1 5000 #send something to loopback port
> 5000
> The message should be printed on shell1 and if you type something on shell1
> it should come back to shell2 also.
>
> If it is coming or not, analyze the packet stats, see it is increased
> against which rule.
I don't know how to analy/follow the packet states.
Thanks,
>
--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJm=UWQ1iMDJ4wTuS-_5vmE9TFKBX5+rXQ87Fem1a0GLUYQ@mail.gmail.com
What is the best way to turn off the iptables
