On Thu, 5 Jul 2012 22:28:43 +0800 lina <lina.lastn...@gmail.com> wrote:
> Hi,
>
> What is the best way to turn off the iptables?
>
> or come back to its default settings. Flush my current one.
>

This is the script I use:

#!/bin/sh
#/etc/iptables/iptables.flush
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Which leaves you wide open, but that is no worse than you were a few days ago.

> Since I tried to configure the iptables, I have encountered the
> following problems:
>
> 1] I can't access the cups and some other ports I opened in localhost.
>

I'd go along with the others and suggest you start again, with a skeleton script and add things one at a time. Sprinkle in a fair few logging rules to help get some idea what is going on. I use logging a lot, for troubleshooting connections which don't really need a packet sniffer.

Here's an outline of one of my scripts, which really ought to work as I've just lifted it from my firewall-server and removed a lot of the site-specific stuff and the more obscure aggression. You don't need any FORWARD or NAT sections in a workstation script, I've left them in in case someone else is doing a two-NIC firewall.

I've defined a number of chains (many more than shown here), as a firewall-server is quite busy, and it helps to see what's happening in a large script. Think of subroutines in a program. There's also a virtual machine living in here, and an OpenVPN termination, as well as a wireless access point in the network, and there really is no choice but to be at least a bit organised. Down with spaghetti firewalling...

__________________________________________________________________

#!/bin/sh
# /etc/iptables/iptables.rules

# IP configuration
# various shell variable definitions:
# LanIF, InetIF, ExtIP etc....
# all in one place to make changes easier
# I hate doing search-and-replace in a large iptables script,
# it's too easy to make mistakes

#****************************************************
# Set default policies for built-in chains
# belt and braces, as the chains do have their own terminators
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#****************************************************
# Remove existing rules and user-defined chains
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

#************************************************
# User-defined chains
#************************************************
# Log and dispose of
iptables -N newnotsyn
iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN:"
iptables -A newnotsyn -j DROP

iptables -N badpacket
iptables -A badpacket -j DROP

#************************************************
# Built-in chains
#************************************************
# filter table INPUT chain

# Assorted unwanted
iptables -A INPUT -m state --state INVALID -j badpacket
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# ports and protocols to accept from anywhere...
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED:"
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT

# a firewall-server will have a list of additional ports and protocols
# accepted from the [hopefully trusted] machines in the LAN here

iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
iptables -A INPUT -j DROP

#******************************
# filter table FORWARD chain

# Assorted unwanted
iptables -A FORWARD -m state --state INVALID -j badpacket
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn

# Replies OK
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Lists of forwarding in and out permitted here,
# easiest if in separate chains...

iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED:"
iptables -A FORWARD -j DROP

#******************************
# filter table OUTPUT chain

# Assorted unwanted
iptables -A OUTPUT -m state --state INVALID -j badpacket
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn

# ports and protocols to accept here
# followed by:
#iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED:"
#iptables -A OUTPUT -j DROP
# but I'm currently accepting everything going out,
iptables -A OUTPUT -j ACCEPT

#******************************
# nat table chains

# Port/protocol forwarding into LAN
#iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
#iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ

# squid transparent web proxy
iptables -t nat -A PREROUTING -i $LanIF -p tcp --dport 80 -j REDIRECT --to-port 3128

# Network NAT
iptables -t nat -A POSTROUTING -o $InetIF -j SNAT --to-source $ExtIP

#*****************************************************
echo "Firewall rules loaded"

______________________________________________________________________

It is a bit simplified, but you can add further restrictions (e.g. lo, the private address ranges, icmp etc.) once you have everything working.

-- 
Joe

Archive: http://lists.debian.org/20120705210144.270d5...@jretrading.com
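Joe's "INPUT DIED:" and "NEW NOT SYN:" LOG rules are only useful if you can read what they write to the kernel log. The POSIX shell script below is an added example, not part of Joe's message or the Debian list: it tallies the logged packets by prefix, input interface, protocol and destination port, so a blocked local service (here cups on 631/tcp over lo, lina's symptom) stands out immediately. The log lines are constructed samples; the function names are mine.

```shell
#!/bin/sh
# Added example (not from Joe's message): summarise the kernel log lines
# written by LOG rules such as
#   iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED:"
# so you can see which protocol/port the terminating DROP keeps catching.

# Constructed sample lines (not real traffic). ipt_LOG prints the prefix
# immediately followed by IN=... unless the prefix ends in a space.
SAMPLE_LOG='Jul  5 21:01:44 host kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=40212 DPT=631 WINDOW=65495 SYN
Jul  5 21:01:45 host kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=40214 DPT=631 WINDOW=65495 SYN
Jul  5 21:01:46 host kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP SPT=40216 DPT=631 WINDOW=65495 SYN
Jul  5 21:01:50 host kernel: INPUT DIED:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 SYN
Jul  5 21:01:52 host kernel: NEW NOT SYN:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=40 PROTO=TCP SPT=51235 DPT=22 WINDOW=0 ACK
Jul  5 21:01:55 host kernel: INPUT DIED:IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=48 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Jul  5 21:01:56 host kernel: SSH ACCEPTED:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 SYN'

# summarise_drops: read log lines on stdin, print tab-separated
# "count prefix IN PROTO DPT" rows, most frequent first.  Only the
# DROP-side prefixes (DIED / NOT SYN) are counted; accept logs are skipped.
summarise_drops() {
    awk '
    /kernel: / {
        line = $0
        sub(/.*kernel: /, "", line)         # drop timestamp/host/"kernel:"
        i = index(line, "IN=")              # prefix ends where IN= starts
        if (i == 0) next
        prefix = substr(line, 1, i - 1)
        sub(/[ \t]+$/, "", prefix)
        if (prefix !~ /DIED|NOT SYN/) next
        inif = "-"; proto = "-"; dport = "-"
        n = split(substr(line, i), f, " ")
        for (j = 1; j <= n; j++) {
            if (f[j] ~ /^IN=/)    inif  = substr(f[j], 4)
            if (f[j] ~ /^PROTO=/) proto = substr(f[j], 7)
            if (f[j] ~ /^DPT=/)   dport = substr(f[j], 5)
        }
        count[prefix "\t" inif "\t" proto "\t" dport]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# top_dropped_port: destination port with the most dropped packets
top_dropped_port() {
    summarise_drops | head -n 1 | cut -f 5
}

# With the sample above, 631/tcp on lo tops the list: cups being blocked
# is exactly what an early "-i lo -j ACCEPT" rule in INPUT prevents.
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

On a real box, feed it the kernel log instead of the sample, e.g. `grep 'DIED\|NOT SYN' /var/log/kern.log | summarise_drops`.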