Old 09-15-2010, 01:30 PM
Christopher Chan
 
Default why is iptables still filtering after i disable the firewall?

Robert P. J. Day wrote:
> i suspect this is based on my unfamiliarity with the way ubuntu
> pre-10.10 deals with firewalls but i'm trying to simply ping from my
> ubuntu system to a centos 5.5 box on the same in-house wireless
> network and i'm getting icmp responses, "Destination Host
> Unreachable." yet i can ping the other way (centos -> ubuntu).

I would completely uninstall 'uncomplicated firewall' and restart the
network. Ubuntu's complicated approach to trying to make it simple for
users to setup firewall rules is just broken.

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 09-15-2010, 01:42 PM
"Robert P. J. Day"
 
Default why is iptables still filtering after i disable the firewall?

On Wed, 15 Sep 2010, Christopher Chan wrote:

> Robert P. J. Day wrote:
> > i suspect this is based on my unfamiliarity with the way ubuntu
> > pre-10.10 deals with firewalls but i'm trying to simply ping from
> > my ubuntu system to a centos 5.5 box on the same in-house wireless
> > network and i'm getting icmp responses, "Destination Host
> > Unreachable." yet i can ping the other way (centos -> ubuntu).
>
> I would completely uninstall 'uncomplicated firewall' and restart
> the network. Ubuntu's complicated approach to trying to make it
> simple for users to setup firewall rules is just broken.

then what would be the incantation for disabling iptables entirely?
i can only *guess* that this is what's causing my problem as i can't
think of any other reason for not being able to ping out.

rday

--

========================================================================
Robert P. J. Day Waterloo, Ontario, CANADA

Top-notch, inexpensive online Linux/OSS/kernel courses
http://crashcourse.ca

Twitter: http://twitter.com/rpjday
LinkedIn: http://ca.linkedin.com/in/rpjday
========================================================================

 
Old 09-15-2010, 02:09 PM
"Robert P. J. Day"
 
Default why is iptables still filtering after i disable the firewall?

On Wed, 15 Sep 2010, Christopher Chan wrote:

> Robert P. J. Day wrote:
> > i suspect this is based on my unfamiliarity with the way ubuntu
> > pre-10.10 deals with firewalls but i'm trying to simply ping from
> > my ubuntu system to a centos 5.5 box on the same in-house wireless
> > network and i'm getting icmp responses, "Destination Host
> > Unreachable." yet i can ping the other way (centos -> ubuntu).
>
> I would completely uninstall 'uncomplicated firewall' and restart
> the network. Ubuntu's complicated approach to trying to make it
> simple for users to setup firewall rules is just broken.

ok, i'm still slightly confused but for a different reason. recall
that i couldn't ssh or even ping from the ubuntu box to the centos
box, ping worked fine coming the other way.

finally, i ssh'ed in from centos to ubuntu, was asked that first
time to authenticate, RSA key fingerprint, added to known hosts, etc,
etc, you all know the drill. and, suddenly, i can ping and ssh from
ubuntu to centos.

from memory, i recall that there's a setting somewhere under
/etc/ssh that restricts communication to only those hosts that have
been authenticated (what is it?). but does that setting even apply to
non-ssh functionality like ping? can someone explain what just
happened here? thanks.

rday

 
Old 09-15-2010, 02:12 PM
Christopher Chan
 
Default why is iptables still filtering after i disable the firewall?

Robert P. J. Day wrote:
> On Wed, 15 Sep 2010, Christopher Chan wrote:
>
>> Robert P. J. Day wrote:
>>> i suspect this is based on my unfamiliarity with the way ubuntu
>>> pre-10.10 deals with firewalls but i'm trying to simply ping from
>>> my ubuntu system to a centos 5.5 box on the same in-house wireless
>>> network and i'm getting icmp responses, "Destination Host
>>> Unreachable." yet i can ping the other way (centos -> ubuntu).
>> I would completely uninstall 'uncomplicated firewall' and restart
>> the network. Ubuntu's complicated approach to trying to make it
>> simple for users to setup firewall rules is just broken.
>
> then what would be the incantation for disabling iptables entirely?
> i can only *guess* that this is what's causing my problem as i can't
> think of any other reason for not being able to ping out.
>

Beats me. I could not be bothered to go through the blooming scripts. I
do not have ufw anywhere on my boxes.

I just noticed that I do not have ufw in any of the runlevels except rc1
and rcS in upstart. So presumably 'update-rc.d ufw stop 39 2 3 4 5'
should do the trick.

 
Old 09-15-2010, 02:15 PM
Karl Auer
 
Default why is iptables still filtering after i disable the firewall?

On Wed, 2010-09-15 at 09:42 -0400, Robert P. J. Day wrote:
> then what would be the incantation for disabling iptables entirely?
> i can only *guess* that this is what's causing my problem as i can't
> think of any other reason for not being able to ping out.

You can't "disable iptables" short of rebuilding your kernel. However,
you can tell iptables to filter nothing:

sudo ip6tables -F
sudo ip6tables -X
sudo ip6tables -P INPUT ACCEPT
sudo ip6tables -P OUTPUT ACCEPT
sudo ip6tables -P FORWARD ACCEPT
sudo ip6tables -P PREROUTING ACCEPT
sudo ip6tables -P POSTROUTING ACCEPT
sudo iptables -F
sudo iptables -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P PREROUTING ACCEPT
sudo iptables -P POSTROUTING ACCEPT

-F deletes all rules from all chains
-X deletes all non-builtin chains
-P sets the policy on a chain

Ignore errors telling you "bad built-in chain name" for PREROUTING or
POSTROUTING - they may not be present.

The end result is a totally open system. See "man iptables" and "man
ip6tables" for more info.

Then check that everything is gone:

sudo ip6tables -L -n
sudo iptables -L -n

You should see output like this if ip6tables and iptables are completely
out of the way:

kauer@karl:~$ sudo ip6tables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
kauer@karl:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)

GPG fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
Old fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
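
A scripted form of the "check that everything is gone" step above, as an added example that is not part of the original thread. It goes one step further than the message: plain "iptables -L" lists only the filter table, so the live check also lists nat, mangle and raw. The function names audit_listing, audit_live and sample_listing are made up for this example.

```shell
# Added example: audit "iptables -L -n" output read on stdin. Prints one
# line per chain that still filters (policy other than ACCEPT, or any rule
# present) and returns 1 if there is such a chain, 0 if the table is open.
audit_listing() {
    awk '
        /^Chain / {
            chain = $2   # built-in chains print "(policy X)"; user chains do not
            policy = ($3 == "(policy") ? $4 : "-"
            sub(/\)$/, "", policy)
            order[++n] = chain; pol[chain] = policy; rules[chain] = 0
            next
        }
        /^target/ || /^[ \t]*$/ { next }   # column header, blank separator
        chain != "" { rules[chain]++ }     # any other line is a rule
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if ((pol[c] != "ACCEPT" && pol[c] != "-") || rules[c] > 0) {
                    printf "%s policy=%s rules=%d\n", c, pol[c], rules[c]
                    bad = 1
                }
            }
            exit bad + 0
        }'
}

# Live audit (needs root); tables that are not available are skipped.
audit_live() {
    status=0
    for cmd in iptables ip6tables; do
        for table in filter nat mangle raw; do
            out=$("$cmd" -t "$table" -L -n 2>/dev/null) || continue
            report=$(printf '%s\n' "$out" | audit_listing) || {
                printf '%s\n' "$report" | sed "s/^/$cmd -t $table: /"
                status=1
            }
        done
    done
    return $status
}

# Constructed sample, modelled on the FORWARD listing quoted in this thread.
sample_listing() {
    printf '%s\n' 'Chain INPUT (policy ACCEPT)' \
        'target prot opt source destination' '' \
        'Chain FORWARD (policy ACCEPT)' \
        'target prot opt source destination' \
        'ACCEPT all -- 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED' \
        'REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable'
}
```

Calling audit_live as root after the flush prints nothing and returns 0 only when every listed table has ACCEPT policies and no rules; "sample_listing | audit_listing" shows the report format without touching the system.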
 
Old 09-15-2010, 02:27 PM
Christopher Chan
 
Default why is iptables still filtering after i disable the firewall?

Karl Auer wrote:
> On Wed, 2010-09-15 at 09:42 -0400, Robert P. J. Day wrote:
>> then what would be the incantation for disabling iptables entirely?
>> i can only *guess* that this is what's causing my problem as i can't
>> think of any other reason for not being able to ping out.
>
> You can't "disable iptables" short of rebuilding your kernel. However,
> you can tell iptables to filter nothing:

I think not loading the netfilter modules would be pretty much disabling
iptables.

 
Old 09-15-2010, 02:54 PM
Tom H
 
Default why is iptables still filtering after i disable the firewall?

On Wed, Sep 15, 2010 at 9:13 AM, Robert P. J. Day <rpjday@crashcourse.ca> wrote:
>
> i suspect this is based on my unfamiliarity with the way ubuntu
> pre-10.10 deals with firewalls but i'm trying to simply ping from my
> ubuntu system to a centos 5.5 box on the same in-house wireless
> network and i'm getting icmp responses, "Destination Host
> Unreachable." yet i can ping the other way (centos -> ubuntu).
>
> i've completely disabled iptables on the centos system, and i want
> to do the same on ubuntu. i installed gufw and i did what i thought
> disabled the firewall on the ubuntu box, yet when i run "sudo iptables
> -L", i'm still seeing some filtering:
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
> ACCEPT     all  --  192.168.122.0/24     anywhere
> ACCEPT     all  --  anywhere             anywhere
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
> REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
>
> and while the forwarding rules shouldn't affect this, how can i simply
> disable the firewall entirely? if i invoke "gufw" and disable the
> firewall, shouldn't that do it?

How about "ufw reset" and/or "ufw disable"?

 
Old 09-15-2010, 03:28 PM
"Robert P. J. Day"
 
Default why is iptables still filtering after i disable the firewall?

On Wed, 15 Sep 2010, Christopher Chan wrote:

> Karl Auer wrote:
> > On Wed, 2010-09-15 at 09:42 -0400, Robert P. J. Day wrote:
> >> then what would be the incantation for disabling iptables entirely?
> >> i can only *guess* that this is what's causing my problem as i can't
> >> think of any other reason for not being able to ping out.
> >
> > You can't "disable iptables" short of rebuilding your kernel. However,
> > you can tell iptables to filter nothing:
>
> I think not loading the netfilter modules would be pretty much
> disabling iptables.

i guess i'm spoiled by RH/fedora, where i just did:

# service iptables stop/start

a quick google turns up this:

http://www.cyberciti.biz/faq/linux-howto-disable-remove-firewall/

and that still appears to be the case today. it seems odd that one
can't disable iptables with a simple command in ubuntu.

rday

 
Old 09-15-2010, 04:21 PM
NoOp
 
Default why is iptables still filtering after i disable the firewall?

On 09/15/2010 07:54 AM, Tom H wrote:
> On Wed, Sep 15, 2010 at 9:13 AM, Robert P. J. Day <rpjday@crashcourse.ca> wrote:
...
>> and while the forwarding rules shouldn't affect this, how can i simply
>> disable the firewall entirely? if i invoke "gufw" and disable the
>> firewall, shouldn't that do it?
>
> How about "ufw reset" and/or "ufw disable"?
>

Or '$ man ufw' :-)
http://manpages.ubuntu.com/manpages/lucid/man8/ufw.8.html
https://help.ubuntu.com/community/UFW


 
Old 09-15-2010, 04:23 PM
"Robert P. J. Day"
 
Default why is iptables still filtering after i disable the firewall?

On Wed, 15 Sep 2010, NoOp wrote:

> On 09/15/2010 07:54 AM, Tom H wrote:
> > On Wed, Sep 15, 2010 at 9:13 AM, Robert P. J. Day <rpjday@crashcourse.ca> wrote:
> ...
> >> and while the forwarding rules shouldn't affect this, how can i simply
> >> disable the firewall entirely? if i invoke "gufw" and disable the
> >> firewall, shouldn't that do it?
> >
> > How about "ufw reset" and/or "ufw disable"?
> >
>
> Or '$ man ufw' :-)
> http://manpages.ubuntu.com/manpages/lucid/man8/ufw.8.html
> https://help.ubuntu.com/community/UFW

i *did* a "ufw disable" and still had filtering in the forwarding
chain, which i found confusing.

rday

 

All times are GMT.