What is the best way to turn off the iptables

July 05th, 2012 - 10:30 am ET by lina
Hi,

What is the best way to turn off the iptables?

Or bring it back to its default settings. Flush my current one.

Since I tried to configure iptables, I have encountered the
following problems:

1] I can't access CUPS and some other ports I opened on localhost.

I commented out line 5; it still doesn't work.

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

2] The shutdown process takes ages. I mean it used to be fast to
shut down; now I need to wait ~3 minutes.

BTW, how do I check the time taken to boot and shut down?

3] My syslog is flooding with similar information (kernel: [
436.954509] --log-prefixIN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
SPT=137 DPT=137 LEN=58 ).

Google showed me it's possible to send the log somewhere other than syslog.

4] Is there someone willing to share an iptables template, a somewhat
mature one with an explanation?

Thanks with best regards,

P.S. The current one I use (mainly adapted from
http://wiki.debian.org/iptables). Here it is:

1 *filter
2
3 # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
4 -A INPUT -i lo -j ACCEPT
5 #-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
6
7 # Accept all established inbound connections
8 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
9
10 # Allows all outbound traffic
11 # You could modify this to only allow certain traffic
12 -A OUTPUT -j ACCEPT
13
14 # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites)
15 -A INPUT -p tcp --dport 80 -j ACCEPT
16 -A INPUT -p tcp --dport 443 -j ACCEPT
17
18 # Allow SSH connections
19 #-A INPUT -p tcp --dport 22 -j ACCEPT
20 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
21
22 # Allow ping
23 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
24
25 # log iptables denied calls (access via 'dmesg' command)
26 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level warning
27
28 # Reject all other inbound - default deny unless explicitly allowed policy:
29 -A INPUT -j REJECT
30 -A FORWARD -j REJECT
31
32 COMMIT


To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CAG9cJmmxpJmj7PxNi|p1A-3qFKbQZVKUjO5AmWwugTpLRmvA@mail.gmail.com
Replies

#1 Darac Marjal
July 05th, 2012 - 11:00 am ET

On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

# iptables --flush

will clear out all your iptables rules.

> Or bring it back to its default settings. Flush my current one.
>
> Since I tried to configure iptables, I have encountered the
> following problems:

[cut]

> 2] The shutdown process takes ages. I mean it used to be fast to
> shut down; now I need to wait ~3 minutes.
>
> BTW, how do I check the time taken to boot and shut down?

I'm not sure about shutting down, but try the bootchart2 package.
That'll profile your booting and tell you all you need to know.

> 3] My syslog is flooding with similar information (kernel: [
> 436.954509] --log-prefixIN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
> SPT=137 DPT=137 LEN=58 ).

Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
is bug #678499, I believe.

> Google showed me it's possible to send the log somewhere other than syslog.
>
> 4] Is there someone willing to share an iptables template, a somewhat
> mature one with an explanation?
>
> Thanks with best regards,
>
> P.S. The current one I use (mainly adapted from
> http://wiki.debian.org/iptables). Here it is:

[cut]

Ah, looking at your firewall, I might see what your problem is with
CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
at some other address. If you're using 127.0.0.1, then you still want
line 5 enabled; the traffic should be using the loopback device or
otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
you need to allow access to port 631 in the same way that you have
allowed access to ports 80, 443 and 22.

Enjoy
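
Taking Darac's two points together (open 631 the way 80, 443 and 22 are opened, and a LOG prefix that something can actually match on), here is an added example; it is not code from the thread or from the Debian wiki page lina started from. It is a POSIX sh script that renders a complete rule file for iptables-restore and an rsyslog fragment that moves the firewall messages out of syslog. LAN_NET is an assumption inferred from the 172.21.x.x addresses in the log line, and the two output paths, /etc/iptables.up.rules and /etc/rsyslog.d/10-iptables.conf, are choices made here, not anything the thread names.

```shell
#!/bin/sh
# Renders a complete rule file for iptables-restore plus an rsyslog filter.
# Assumptions (not from the thread): LAN_NET is inferred from the 172.21.x.x
# addresses in the log line; the two output paths are defaults chosen here.
LAN_NET=${LAN_NET:-172.21.48.0/22}
LOG_PREFIX="iptables denied: "
RULES_FILE=${RULES_FILE:-/etc/iptables.up.rules}
RSYSLOG_FILE=${RSYSLOG_FILE:-/etc/rsyslog.d/10-iptables.conf}

fw_rules() {
    cat <<EOF
*filter
# Explicit policies. With INPUT at DROP, "iptables -F" alone leaves the host
# unreachable; a reset must also set the policy back to ACCEPT.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback: anything on lo is fine; 127/8 arriving on another interface is not.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Replies to connections this host started.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Public services.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
# CUPS (631): 127.0.0.1 is already covered by the lo rule; this opens the
# LAN-facing address to the LAN only, not to the world like 80/443.
-A INPUT -p tcp -s $LAN_NET --dport 631 -j ACCEPT
# NetBIOS name/datagram service (UDP 137/138) broadcasts are what flooded the
# log; drop them silently before the LOG rule instead of logging and rejecting.
-A INPUT -p udp --dport 137:138 -j DROP
# Log the remainder, rate limited, with a prefix the rsyslog filter can match.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX" --log-level warning
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Classic rsyslog syntax: write matching kernel messages to their own file
# (the leading "-" means buffered writes) and then discard them ("& ~") so
# they never reach /var/log/syslog. Newer rsyslog spells the discard "& stop".
fw_rsyslog_filter() {
    cat <<EOF
:msg, contains, "$LOG_PREFIX" -/var/log/iptables.log
& ~
EOF
}

# Write both files; needs root for the default paths. Activate with
#   iptables-restore < /etc/iptables.up.rules && service rsyslog restart
# and confirm the prefix reaches the kernel log: dmesg | grep 'iptables denied'
fw_install() {
    fw_rules > "$RULES_FILE"
    fw_rsyslog_filter > "$RSYSLOG_FILE"
}

case "${1:-}" in
    rules)   fw_rules ;;
    rsyslog) fw_rsyslog_filter ;;
    install) fw_install ;;
esac
```

`sh fw-rules.sh rules` prints the rule file for inspection; `install` as root writes both files, after which iptables-restore and an rsyslog restart make them live. Two deliberate differences from the wiki recipe: 631 is opened to LAN_NET only, because opening it like 80/443 exposes the CUPS web interface to anyone who can reach the host, and the UDP 137/138 drop sits before the LOG rule because those NetBIOS broadcasts (SPT=137 DPT=137 to the .255 address in the log line) are the flood; with them gone the rate-limited log shows real probes instead. If `dmesg` still shows the literal string "--log-prefix" after loading, the prefix is being lost (the bug Darac mentions) and the rsyslog filter will not match anything.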

#2 Mika Suomalainen
July 05th, 2012 - 11:10 am ET

Hi,

On 05.07.2012 17:28, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

I think that iptables cannot be turned off.

> Or bring it back to its default settings. Flush my current one.

iptables --flush
removes all rules in all chains. This might be dangerous, but if
something bad happens, rebooting should fix it. If you didn't try
rebooting yet, I suggest you try it just in case.

> Since I tried to configure iptables, I have encountered the
> following problems:

<...>

> 4] Is there someone willing to share an iptables template, a
> somewhat mature one with an explanation?

I use ufw, which is an iptables frontend. If I want to allow access to,
for example, port 22, I just run "ufw allow 22", which allows access to
both TCP and UDP port 22. It's also possible to limit that to allowing
access to the TCP or UDP port with, for example, "ufw allow 22/tcp".

If you are interested, see https://help.ubuntu.com/community/UFW *
*= Yes, I know that that is an Ubuntu guide, but the same commands work with
Debian after you install the package ufw.

> Thanks with best regards,

<...>

Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much.
The best time to contact me is probably weekends when I have better
connectivity, with good luck.

#3 lina
July 05th, 2012 - 11:10 am ET
On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal wrote:
> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> # iptables --flush

I tried before.

# iptables -F
# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

It seems it dropped everything. I can't even connect to the internet.

Where can I change the default?

> will clear out all your iptables rules.
>
>> Or bring it back to its default settings. Flush my current one.
>>
>> Since I tried to configure iptables, I have encountered the
>> following problems:
>
> [cut]
>
>> 2] The shutdown process takes ages. I mean it used to be fast to
>> shut down; now I need to wait ~3 minutes.
>>
>> BTW, how do I check the time taken to boot and shut down?
>
> I'm not sure about shutting down, but try the bootchart2 package.
> That'll profile your booting and tell you all you need to know.
>
>> 3] My syslog is flooding with similar information (kernel: [
>> 436.954509] --log-prefixIN=eth0 OUT=
>> MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212
>> DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP
>> SPT=137 DPT=137 LEN=58 ).
>
> Ah, glad to see it's not just me seeing "--log-prefix" in the logs. This
> is bug #678499, I believe.
>
>> Google showed me it's possible to send the log somewhere other than syslog.
>>
>> 4] Is there someone willing to share an iptables template, a somewhat
>> mature one with an explanation?
>>
>> Thanks with best regards,
>>
>> P.S. The current one I use (mainly adapted from
>> http://wiki.debian.org/iptables). Here it is:
>
> [cut]
>
> Ah, looking at your firewall, I might see what your problem is with
> CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or
> at some other address. If you're using 127.0.0.1, then you still want
> line 5 enabled; the traffic should be using the loopback device or
> otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then
> you need to allow access to port 631 in the same way that you have
> allowed access to ports 80, 443 and 22.

# more iptables.up.rules

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT

Still doesn't work for CUPS or some other ports I opened.

I found that most of the information I googled is quite old.

> Enjoy

Thanks,
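
The `iptables -L` output in this post is the whole explanation of why `-F` did not help: the rules are gone, but the INPUT and FORWARD chains still carry a DROP policy, so every packet that no rule matches (now all of them) is dropped. Changing the default means changing the policy with `-P`, and it has to happen before the flush. The following is an added example, not code from the thread: a POSIX sh script that does the reset in that order across all four tables. The `IPTABLES` and `DRY_RUN` knobs are introduced here for illustration and testing.

```shell
#!/bin/sh
# Take iptables back to "off" without locking yourself out.
# "iptables -F" keeps the chain policies, so with INPUT at DROP the host stays
# unreachable; the order here is policy first, then flush.
# Set DRY_RUN=1 to print the commands instead of running them (the real thing
# needs root). IPTABLES can point at another binary, e.g. ip6tables.
IPTABLES=${IPTABLES:-iptables}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

fw_reset() {
    # 1. Open the built-in filter chains first, so nothing is cut off while
    #    the rules disappear. (nat/mangle/raw policies default to ACCEPT and
    #    are left alone here.)
    for chain in INPUT FORWARD OUTPUT; do
        run -P "$chain" ACCEPT
    done
    # 2. Remove rules (-F), user-defined chains (-X) and counters (-Z) in
    #    every table, not just filter.
    for table in filter nat mangle raw; do
        run -t "$table" -F
        run -t "$table" -X
        run -t "$table" -Z
    done
}

# Print "CHAIN POLICY" for each built-in filter chain; after fw_reset every
# line should read ACCEPT. (iptables -L shows the same thing in its headers.)
fw_policies() {
    "$IPTABLES" -S | sed -n 's/^-P \([A-Z]*\) \([A-Z]*\)$/\1 \2/p'
}

case "${1:-}" in
    reset) fw_reset ;;
    show)  fw_policies ;;
esac
```

Run `sh fw-reset.sh reset` as root, then `sh fw-reset.sh show` should print ACCEPT for INPUT, FORWARD and OUTPUT. This is a runtime change only: whatever loads the rule file at boot (an if-pre-up.d hook of the kind the wiki recipe sets up, or ufw, which Brian mentions below) will bring the DROP policy back on the next reboot, so disable or purge that as well; `ufw disable` unloads ufw's own rules.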

#4 lina
July 05th, 2012 - 11:10 am ET
On Thu, Jul 5, 2012 at 11:02 PM, Mika Suomalainen
wrote:
> Hi,
>
> On 05.07.2012 17:28, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> I think that iptables cannot be turned off.
>
>> Or bring it back to its default settings. Flush my current one.
>
> iptables --flush
> removes all rules in all chains. This might be dangerous, but if
> something bad happens, rebooting should fix it. If you didn't try
> rebooting yet, I suggest you try it just in case.

It seems the iptables settings work immediately, no need to reboot.
I guess I read online hours ago that its process is "embedded" in the
kernel. (Sorry, "embedded" is not the original description, just my
"composed" understanding.)

> <...>
>> 4] Is there someone willing to share an iptables template, a
>> somewhat mature one with an explanation?
>
> I use ufw, which is an iptables frontend. If I want to allow access to,
> for example, port 22, I just run "ufw allow 22", which allows access to
> both TCP and UDP port 22. It's also possible to limit that to allowing
> access to the TCP or UDP port with, for example, "ufw allow 22/tcp".

I installed ufw hours ago; I can't remember which reason made me purge it.
I will reconsider it.

Thanks again,

> If you are interested, see https://help.ubuntu.com/community/UFW *
> *= Yes, I know that that is an Ubuntu guide, but the same commands work with
> Debian after you install the package ufw.
>
>> Thanks with best regards,
>
> <...>
>
> Mika Suomalainen
>
> NOTICE! I am on mobile broadband with very limited time, so I cannot
> read emails very much.
> The best time to contact me is probably weekends when I have better
> connectivity, with good luck.

#5 Brian
July 05th, 2012 - 12:40 pm ET
On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:

> Chain INPUT (policy DROP)
> target prot opt source destination
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> It seems it dropped everything. I can't even connect to the internet.

You've been playing with ufw, haven't you? Purge it to get a sane policy.
