Re: What is the best way to turn off the iptables
On Fri, Jul 6, 2012 at 4:01 AM, Joe <j...@jretrading.com> wrote:
> On Thu, 5 Jul 2012 22:28:43 +0800 lina <lina.lastn...@gmail.com> wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables? or come back to its default settings. Flush my current one.
>
> This is the script I use:
>
>   #!/bin/sh
>   #/etc/iptables/iptables.flush
>   iptables -t filter -F
>   iptables -t filter -X
>   iptables -t nat -F
>   iptables -t nat -X
>   iptables -t mangle -F
>   iptables -t mangle -X
>   iptables -P INPUT ACCEPT
>   iptables -P FORWARD ACCEPT
>   iptables -P OUTPUT ACCEPT
>
> Which leaves you wide open, but that is no worse than you were a few days ago.

I followed the above advice:

  :/etc/iptables# more iptables.flush
  #!/bin/bash
  # /etc/iptables/iptables.flush
  IPT=/sbin/iptables
  $IPT -t filter -F
  $IPT -t filter -X
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT

Now the

  # iptables -L -vn
  Chain INPUT (policy ACCEPT 9051 packets, 902K bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target     prot opt in     out     source               destination

  Chain OUTPUT (policy ACCEPT 1234 packets, 133K bytes)
   pkts bytes target     prot opt in     out     source               destination

I still can't open the localhost ports. Strange?

Thanks,

>> Since I tried to configure the iptables, I have encountered the following problems:
>>
>> 1] I can't access the cups and some other ports I opened in localhost.
>
> I'd go along with the others and suggest you start again, with a skeleton script and add things one at a time. Sprinkle in a fair few logging rules to help get some idea what is going on. I use logging a lot, for troubleshooting connections which don't really need a packet sniffer.
>
> Here's an outline of one of my scripts, which really ought to work as I've just lifted it from my firewall-server and removed a lot of the site-specific stuff and the more obscure aggression. You don't need any FORWARD or NAT sections in a workstation script, I've left them in in case someone else is doing a two-NIC firewall.
>
> I've defined a number of chains (many more than shown here), as a firewall-server is quite busy, and it helps to see what's happening in a large script. Think of subroutines in a program. There's also a virtual machine living in here, and an OpenVPN termination, as well as a wireless access point in the network, and there really is no choice but to be at least a bit organised. Down with spaghetti firewalling...
>
>   #!/bin/sh
>   # /etc/iptables/iptables.rules
>
>   # IP configuration
>   # various shell variable definitions:
>   # LanIF, InetIF, ExtIP etc
>   # all in one place to make changes easier
>   # I hate doing search-and-replace in a large iptables script,
>   # it's too easy to make mistakes
>   #
>   # Set default policies for built-in chains
>   # belt and braces, as the chains do have their own terminators
>   iptables -P INPUT DROP
>   iptables -P FORWARD DROP
>   iptables -P OUTPUT DROP
>   #
>   # Remove existing rules and user-defined chains
>   iptables -t filter -F
>   iptables -t filter -X
>   iptables -t nat -F
>   iptables -t nat -X
>   iptables -t mangle -F
>   iptables -t mangle -X
>   #
>   # User-defined chains
>   #
>   # Log and dispose of
>   iptables -N newnotsyn
>   iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN: "
>   iptables -A newnotsyn -j DROP
>   iptables -N badpacket
>   iptables -A badpacket -j DROP
>   #
>   # Built-in chains
>   #
>   # filter table INPUT chain
>   # Assorted unwanted
>   iptables -A INPUT -m state --state INVALID -j badpacket
>   iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
>   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>   iptables -A INPUT -i lo -j ACCEPT
>   # ports and protocols to accept from anywhere...
>   iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED: "
>   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>   iptables -A INPUT -p tcp --dport 25 -j ACCEPT
>   # a firewall-server will have a list of additional ports and protocols
>   # accepted from the [hopefully trusted] machines in the LAN here
>   iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED: "
>   iptables -A INPUT -j DROP
>   #**
>   # filter table FORWARD chain
>   # Assorted unwanted
>   iptables -A FORWARD -m state --state INVALID -j badpacket
>   iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
>   # Replies OK
>   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>   # Lists of forwarding in and out permitted here,
>   # easiest if in separate chains...
>   iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED: "
>   iptables -A
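The two flush scripts above differ from what bit lina earlier in the thread in one respect: ordering. Her first attempt ran `iptables -F` while the INPUT policy was still DROP, which leaves a host with no rules and a drop-everything default, hence "I even can't connect to the internet". The script below is an example added here, not code from the thread, from Joe or from lina. It sets the built-in policies to ACCEPT before flushing, covers the raw table as well as filter, nat and mangle, and zeroes the counters. `IPT` is a variable chosen for this example: leave it unset to run the real binary, set `IPT=echo` to print the commands without running them, or set `IPT=ip6tables` and run it a second time for the IPv6 tables.

```shell
#!/bin/sh
# reset_iptables.sh - example added to the thread, not Joe's or lina's script.
# Returns the packet filter to the kernel default: every built-in chain of the
# filter table at policy ACCEPT, no rules, no user-defined chains, zero counters.
# IPT defaults to the real binary; IPT=echo dry-runs; IPT=ip6tables does IPv6.
IPT="${IPT:-iptables}"

# Policies go to ACCEPT before the flush. Flushing first while a policy is
# still DROP leaves a host with no rules and a drop-everything default, which
# is exactly what "iptables -F" on its own did to lina's box.
reset_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P "$chain" ACCEPT
    done
}

# Flush rules (-F), delete the now-empty user-defined chains (-X) and zero the
# counters (-Z) in every table iptables maintains, not only "filter": a
# leftover nat or mangle rule survives a filter-only flush.
flush_all_tables() {
    for table in filter nat mangle raw; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
}

reset_to_accept() {
    reset_policies
    flush_all_tables
}

# Run only when executed as a script under this name (so that sourcing the
# file to reuse the functions does not touch the live rule set).
if [ "${0##*/}" = "reset_iptables.sh" ]; then
    reset_to_accept
fi
```

Running `IPT=echo sh reset_iptables.sh` first is a cheap way to review the fifteen commands it would issue; with policies at ACCEPT the host is, as Joe says, wide open, so this is a starting point for the skeleton-script approach he recommends, not an end state.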
Re: What is the best way to turn off the iptables
On Fri, 6 Jul 2012 15:31:22 +0800, lina <lina.lastn...@gmail.com> wrote:
> [cut]
Re: What is the best way to turn off the iptables
> Maybe nobody is listening to that ports? What does netstat -plunt returns you?

  # nc -l -p 5000

  # netstat -plunt
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21635/sshd
  tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1871/cupsd
  tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2250/exim4
  tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      5484/nc
  tcp        0      0 0.0.0.0:9418            0.0.0.0:*               LISTEN      3335/git-daemon
  tcp6       0      0 :::80                   :::*                    LISTEN      1704/apache2
  tcp6       0      0 :::22                   :::*                    LISTEN      21635/sshd
  tcp6       0      0 :::9418                 :::*                    LISTEN      3335/git-daemon
  udp        0      0 0.0.0.0:24456           0.0.0.0:*                           21574/dhclient
  udp        0      0 0.0.0.0:68              0.0.0.0:*                           21574/dhclient
  udp        0      0 172.21.48.102:123       0.0.0.0:*                           2677/ntpd
  udp        0      0 0.0.0.0:123             0.0.0.0:*                           2677/ntpd
  udp6       0      0 :::3832                 :::*                                21574/dhclient
  udp6       0      0 fe80::ca2a:14ff:fe0:123 :::*                                2677/ntpd
  udp6       0      0 :::123                  :::*                                2677/ntpd

> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/20120706103414.3517b...@bruno.vf-online.local

Archive: http://lists.debian.org/cag9cjmm841um06ys_tz3h2vh6dd5c4l1xofpkmnmws0hckn...@mail.gmail.com
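The netstat listing answers two separate questions before iptables is even involved: is anything bound to the port, and on which address? cupsd is bound to 127.0.0.1:631 only, so it is reachable through lo and nowhere else, while sshd on 0.0.0.0:22 listens everywhere. The script below is an example added here, not code from the thread; it parses `netstat -plunt` output (the column layout of `ss` is different and is not handled) and classifies a port as loopback-only, all-addresses, or not listened on at all. `SAMPLE_NETSTAT`, `listeners` and `scope` are names chosen for this example, and the embedded listing is a constructed subset modelled on the one posted above.

```shell
#!/bin/sh
# listening.sh - example added to the thread, not code from any poster.
# Before blaming the packet filter, check that a process is bound to the port
# and on which address: 127.0.0.1 means loopback only, 0.0.0.0 / :: means all.

# Constructed sample modelled on the netstat -plunt output posted in the thread.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      21635/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1871/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2250/exim4
tcp6       0      0 :::80                   :::*                    LISTEN      1704/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2677/ntpd'

# listeners PORT < netstat-output
# Prints "proto bind-address program" for each socket bound to PORT; exit 1 if none.
listeners() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")              # port is the last :-field
            if (parts[n] != port) next
            bind = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            prog = ($1 ~ /^tcp/) ? $7 : $6           # udp rows have no State column
            print $1, bind, prog
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# scope PORT < netstat-output  ->  loopback | all | none
# "none" is the "nobody is listening on that port" case; "loopback" means only
# traffic arriving over lo can reach it, whatever the iptables rules say.
scope() {
    out=$(listeners "$1") || { echo none; return 1; }
    case "$out" in
        *" 0.0.0.0 "*|*" :: "*) echo all ;;
        *) echo loopback ;;
    esac
}

# Stand-alone run against the sample: CUPS (631), ssh (22) and the unused 5000.
for p in 631 22 5000; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | scope "$p")"
done
```

Against a live system, `netstat -plunt | sh -c '. ./listening.sh; scope 631'` (as root, so the PID/Program column is filled in) gives the same three-way answer. Note that the thread's eventual cause, the `iface lo inet loopback` stanza being commented out in /etc/network/interfaces, sits underneath both the listener check and the rule set: with lo down, a 127.0.0.1 listener is unreachable no matter what iptables allows, and `ip addr show lo` is the one-line check for that.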
Re: What is the best way to turn off the iptables
07/05/12 19:02, lina wrote:
> On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailingl...@darac.org.uk> wrote:
> [cut]

Archive: http://lists.debian.org/4ff6c3a8.20...@gmail.com
Re: What is the best way to turn off the iptables
Sorry for replying directly but I think you may want to read this.

You have:

  Chain INPUT (policy DROP)

This should be ACCEPT instead of DROP. Try:

  iptables -P INPUT ACCEPT

Then do the same for the FORWARD chain (if you want to get a vanilla configuration).

On 05/07/2012 06:02 PM, lina wrote:
> On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailingl...@darac.org.uk> wrote:
>> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>>> Hi,
>>>
>>> What is the best way to turn off the iptables?
>>
>> # iptables --flush
>
> I tried before.
>
>   # iptables -F
>   # iptables -L
>   Chain INPUT (policy DROP)
>   target     prot opt source               destination
>
>   Chain FORWARD (policy DROP)
>   target     prot opt source               destination
>
>   Chain OUTPUT (policy ACCEPT)
>   target     prot opt source               destination
>
> Seems it dropped all. I even can't connect to the internet. Where can I change the default?
>
> [cut]

Archive: http://lists.debian.org/4ff6f314.9020...@gmail.com
Re: What is the best way to turn off the iptables
On Fri, Jul 6, 2012 at 10:15 PM, Panayiotis Karabassis <pan...@gmail.com> wrote:
> Sorry for replying directly but I think you may want to read this.

No need to be sorry, it is very nice to have replies.

> You have:
>
>   Chain INPUT (policy DROP)
>
> This should be ACCEPT instead of DROP. Try:
>
>   iptables -P INPUT ACCEPT
>
> Then do the same for the FORWARD chain (if you want to get a vanilla configuration)

Regarding the failure to open ports like the cups one, one main reason was that the

  iface lo inet loopback

line was commented out before in my /etc/network/interfaces.

My poor knowledge really messed up lots of things.

Thanks again for all the suggestions, it opened many windows for me.

With all the best regards,

Archive: http://lists.debian.org/cag9cjmm1hbpeqrvbhmbha3jk3z8op+0apa2asayjtq33wn_...@mail.gmail.com
Re: What is the best way to turn off the iptables
On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

  # iptables --flush

will clear out all your iptables rules.

> or come back to its default settings. Flush my current one.
>
> Since I tried to configure the iptables, I have encountered the following problems:

[cut]

> 2] The shutdown process is decades long. I mean it used to be fast to shutdown, now need wait ~3 mins
>
> BTW, how to check the time of booting and shutting down?

I'm not sure about shutting down, but try the bootchart2 package. That'll profile your booting and tell you all you need to know.

> 3] My syslog is flooding with similar information (kernel: [ 436.954509] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP SPT=137 DPT=137 LEN=58 ).

Ah, glad to see it's not just me seeing --log-prefix in the logs. This is bug #678499, I believe.

> google showed me it's possible to put the log not in syslog.
>
> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.
>
> Thanks with best regards,
>
> P.S. The current one I used ( mainly adopted from http://wiki.debian.org/iptables ), Here it is:

[cut]

Ah, looking at your firewall, I might see what your problem is with CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or at some other address. If you're using 127.0.0.1, then you still want line 5 enabled; the traffic should be using the loopback device or otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then you need to allow access to port 631 in the same way that you have allowed access to ports 80, 443 and 22.

Enjoy

signature.asc
Description: Digital signature
Re: What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 10:50 PM, Darac Marjal <mailingl...@darac.org.uk> wrote:
> On Thu, Jul 05, 2012 at 10:28:43PM +0800, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
>   # iptables --flush

I tried before.

  # iptables -F
  # iptables -L
  Chain INPUT (policy DROP)
  target     prot opt source               destination

  Chain FORWARD (policy DROP)
  target     prot opt source               destination

  Chain OUTPUT (policy ACCEPT)
  target     prot opt source               destination

Seems it dropped all. I even can't connect to the internet. Where can I change the default?

> will clear out all your iptables rules.
>
>> or come back to its default settings. Flush my current one.
>>
>> Since I tried to configure the iptables, I have encountered the following problems:
>
> [cut]
>
>> 2] The shutdown process is decades long. I mean it used to be fast to shutdown, now need wait ~3 mins
>>
>> BTW, how to check the time of booting and shutting down?
>
> I'm not sure about shutting down, but try the bootchart2 package. That'll profile your booting and tell you all you need to know.
>
>> 3] My syslog is flooding with similar information (kernel: [ 436.954509] --log-prefixIN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:30:67:08:28:b3:08:00 SRC=172.21.50.212 DST=172.21.51.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=58729 PROTO=UDP SPT=137 DPT=137 LEN=58 ).
>
> Ah, glad to see it's not just me seeing --log-prefix in the logs. This is bug #678499, I believe.
>
>> google showed me it's possible to put the log not in syslog.
>>
>> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.
>>
>> Thanks with best regards,
>>
>> P.S. The current one I used ( mainly adopted from http://wiki.debian.org/iptables ), Here it is:
>
> [cut]
>
> Ah, looking at your firewall, I might see what your problem is with CUPS. You probably access CUPS one of two ways: either at 127.0.0.1 or at some other address. If you're using 127.0.0.1, then you still want line 5 enabled; the traffic should be using the loopback device or otherwise your routing is a bit odd. If you're NOT using 127.0.0.1, then you need to allow access to port 631 in the same way that you have allowed access to ports 80, 443 and 22.

  # more iptables.up.rules
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  -A INPUT -m limit --limit 5/min -j LOG --log-prefix --log-prefix
  -A INPUT -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -j REJECT --reject-with icmp-port-unreachable
  -A OUTPUT -j ACCEPT
  COMMIT

Still not working for CUPS or some other ports I opened. I found that most of the information I googled is quite old.

> Enjoy

Thanks,

Archive: http://lists.debian.org/CAG9cJm=nnugplb0jja8kzrqne6je4ttmwp+yylheptfdrhw...@mail.gmail.com
Re: What is the best way to turn off the iptables
Hi,

On 05.07.2012 17:28, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables?

I think that iptables cannot be turned off.

> or come back to its default settings. Flush my current one.

iptables --flush removes all rules in all chains. This might be dangerous, but if something bad happens, rebooting should fix it. If you didn't try rebooting yet, I suggest you to try it just in case.

> Since I tried to configure the iptables, I have encountered the following problems:
> ...
> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.

I use ufw, which is an iptables frontend. If I want to allow access to for example port 22, I just run ufw allow 22, which allows access to both TCP and UDP port 22. It's also possible to limit that, allowing access to a TCP or UDP port with for example ufw allow 22/tcp. If you are interested, see https://help.ubuntu.com/community/UFW *

* Yes, I know that that is an Ubuntu guide, but the same commands work with Debian after you install the package ufw.

> Thanks with best regards,
> ...

--
Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot read emails very much. The best time to contact me is probably weekends when I have better connectivity with good luck.

Comment: Homepage: http://mkaysi.github.com/
Comment: gpg --keyserver pool.sks-keyservers.net --recv-keys 82A46728
Comment: Public key: http://mkaysi.github.com/PGP/key.txt
Comment: Fingerprint = 24BC 1573 B8EE D666 D10A AA65 4DB5 3CFE 82A4 6728
Comment: Why do I (clear)sign emails? http://git.io/6FLzWg
Comment: Please send plaintext instead of HTML. http://git.io/TAc0cg
Comment: Please don't toppost. http://git.io/7-VB3g
Comment: Charset of this message should be UTF-8.
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

Archive: http://lists.debian.org/4ff5ac9f.7020...@hotmail.com
Re: What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 11:02 PM, Mika Suomalainen <mika.henrik.mai...@hotmail.com> wrote:
> Hi,
>
> On 05.07.2012 17:28, lina wrote:
>> Hi,
>>
>> What is the best way to turn off the iptables?
>
> I think that iptables cannot be turned off.
>
>> or come back to its default settings. Flush my current one.
>
> iptables --flush removes all rules in all chains. This might be dangerous, but if something bad happens, rebooting should fix it. If you didn't try rebooting yet, I suggest you to try it just in case.

Seems the iptables settings work immediately, no need to reboot. I guess I read online hours ago that its process is embedded in the kernel. (sorry, embedded is not the original description, just my composed understanding.)

> ...
>
>> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.
>
> I use ufw, which is an iptables frontend. If I want to allow access to for example port 22, I just run ufw allow 22, which allows access to both TCP and UDP port 22. It's also possible to limit that, allowing access to a TCP or UDP port with for example ufw allow 22/tcp.

I installed the ufw hours ago, I can't remember which reason made me purge it. I will re-consider it.

Thanks again,

> If you are interested, see https://help.ubuntu.com/community/UFW *
>
> * Yes, I know that that is an Ubuntu guide, but the same commands work with Debian after you install the package ufw.
>
>> Thanks with best regards,
>> ...
>
> --
> Mika Suomalainen
>
> [cut]

Archive: http://lists.debian.org/cag9cjmnous_2em71vynkw9w2_vygq4u4jajow_hg-_sqioq...@mail.gmail.com
Re: What is the best way to turn off the iptables
On Thu 05 Jul 2012 at 22:28:43 +0800, lina wrote:
> Hi,
>
> What is the best way to turn off the iptables? or come back to its default settings. Flush my current one.

Depends on what rules you have set up.

  iptables -F

and

  iptables -X

should do it for you.

> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.

There might be but you do not really want to use someone else's rules. Have you given any thought as to what you want to achieve, apart from some hazy (and probably mistaken) idea that you might be safer?

As far as I can see you have a couple of services running. Services are meant to be accessed but restrictions on access can generally be set in their configuration files. Try defining and saying exactly what it is you want netfilter/iptables to do for you.

Archive: http://lists.debian.org/20120705163337.GE28931@desktop
Re: What is the best way to turn off the iptables
On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:

> Chain INPUT (policy DROP)
> target     prot opt source               destination
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Seems it dropped all. I even can't connect to the internet.

You've been playing with ufw, haven't you? Purge it to get a sane policy.
Re: What is the best way to turn off the iptables
On Thu, Jul 5, 2012 at 10:06 PM, Brian a...@cityscape.co.uk wrote:
> On Thu 05 Jul 2012 at 23:02:19 +0800, lina wrote:
>
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Seems it dropped all. I even can't connect to the internet.
>
> You've been playing with ufw, haven't you? Purge it to get a sane policy.

You could always flush/remove all the rules. But my suggestion is to understand why it is blocking you. You could do that by

    iptables -L -vn

This prints the packet stats against each rule. Another handy tool is netcat. Combining both of these you could easily debug the iptables scenario. For example, to see your loopback scenario, do the following in two shells:

shell1: nc -l -p 5000                     # listen on port 5000
shell2: echo 'hello' | nc 127.0.0.1 5000  # send something to loopback port 5000

The message should be printed on shell1, and if you type something on shell1 it should come back to shell2 also. Whether it is coming or not, analyze the packet stats and see against which rule the count has increased.

-- 
http://saurorja.org
Twitter: @anand_sivaram
Re: What is the best way to turn off the iptables
On Thu, 5 Jul 2012 22:28:43 +0800 lina lina.lastn...@gmail.com wrote:

> Hi,
>
> What is the best way to turn off the iptables? or come back to its default settings. Flush my current one.

This is the script I use:

#!/bin/sh
#/etc/iptables/iptables.flush
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Which leaves you wide open, but that is no worse than you were a few days ago.

> Since I tried to configure the iptables, I have encountered the following problems:
>
> 1] I can't access the cups and some other ports I opened in localhost.

I'd go along with the others and suggest you start again, with a skeleton script and add things one at a time. Sprinkle in a fair few logging rules to help get some idea what is going on. I use logging a lot, for troubleshooting connections which don't really need a packet sniffer.

Here's an outline of one of my scripts, which really ought to work as I've just lifted it from my firewall-server and removed a lot of the site-specific stuff and the more obscure aggression. You don't need any FORWARD or NAT sections in a workstation script, I've left them in in case someone else is doing a two-NIC firewall.

I've defined a number of chains (many more than shown here), as a firewall-server is quite busy, and it helps to see what's happening in a large script. Think of subroutines in a program. There's also a virtual machine living in here, and an OpenVPN termination, as well as a wireless access point in the network, and there really is no choice but to be at least a bit organised. Down with spaghetti firewalling...
#!/bin/sh
# /etc/iptables/iptables.rules
#
# IP configuration
# various shell variable definitions:
# LanIF, InetIF, ExtIP etc
# all in one place to make changes easier
# I hate doing search-and-replace in a large iptables script,
# it's too easy to make mistakes
#
# Set default policies for built-in chains
# belt and braces, as the chains do have their own terminators
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#
# Remove existing rules and user-defined chains
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#
# User-defined chains
#
# Log and dispose of
iptables -N newnotsyn
iptables -A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN: "
iptables -A newnotsyn -j DROP
iptables -N badpacket
iptables -A badpacket -j DROP
#
# Built-in chains
#
# filter table INPUT chain
# Assorted unwanted
iptables -A INPUT -m state --state INVALID -j badpacket
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# ports and protocols to accept from anywhere...
iptables -A INPUT -p tcp --dport 22 -j LOG --log-level debug --log-prefix "SSH ACCEPTED: "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# a firewall-server will have a list of additional ports and protocols
# accepted from the [hopefully trusted] machines in the LAN here
iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED: "
iptables -A INPUT -j DROP
#**
# filter table FORWARD chain
# Assorted unwanted
iptables -A FORWARD -m state --state INVALID -j badpacket
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn
# Replies OK
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Lists of forwarding in and out permitted here,
# easiest if in separate chains...
iptables -A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED: "
iptables -A FORWARD -j DROP
#**
# filter table OUTPUT chain
# Assorted unwanted
iptables -A OUTPUT -m state --state INVALID -j badpacket
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn
# ports and protocols to accept here
# followed by:
#iptables -A OUTPUT -j LOG --log-level debug --log-prefix "OUTPUT DIED: "
#iptables -A OUTPUT -j DROP
# but I'm currently accepting everything going out,
iptables -A OUTPUT -j ACCEPT
#**
# nat table chains
# Port/protocol forwarding into LAN
#iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport 1723 -j DNAT --to-destination $VPNServ:1723
#iptables -t nat -A PREROUTING -p 47 -i $InetIF -d $ExtIP -j DNAT --to-destination $VPNServ
# squid transparent web proxy
iptables -t nat -A PREROUTING -i
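Joe's workstation skeleton, rewritten here as an added example (this is not Joe's code and not from any post in the thread) in iptables-save format so that iptables-restore loads the whole filter table in one atomic commit. The point of the change: Joe's script sets the policies to DROP, flushes, and then appends rules one at a time, so if a typo aborts it half-way the box is left with DROP policies and neither the ESTABLISHED nor the loopback rule, which is exactly how a remote admin gets locked out; with iptables-restore a syntax error means the running ruleset is not touched. The port list, the temp-file handling and the lint checks are assumptions for the example; the lint checks the rule that a "can't reach localhost" symptom usually comes down to, the loopback ACCEPT, and that it sits before the chain's terminating DROP.

```shell
#!/bin/sh
# Added example (not from the thread): Joe's filter-table skeleton as an
# iptables-save style ruleset, plus a lint step and an atomic load.
# Assumed: TCP ports are passed as arguments; everything else is fixed.

# Print the filter table in iptables-save format.  Arguments: TCP ports to
# accept from anywhere (Joe's script used 22 and 25).
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':badpacket - [0:0]'
    echo ':newnotsyn - [0:0]'
    echo '-A badpacket -j DROP'
    echo '-A newnotsyn -j LOG --log-level debug --log-prefix "NEW NOT SYN: "'
    echo '-A newnotsyn -j DROP'
    echo '-A INPUT -m state --state INVALID -j badpacket'
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j newnotsyn'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Without this line every localhost service (cups, a test listener on
    # 5000) is unreachable under the DROP policy.
    echo '-A INPUT -i lo -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo '-A INPUT -j LOG --log-level debug --log-prefix "INPUT DIED: "'
    echo '-A INPUT -j DROP'
    echo '-A FORWARD -m state --state INVALID -j badpacket'
    echo '-A FORWARD -p tcp ! --syn -m state --state NEW -j newnotsyn'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -j LOG --log-level debug --log-prefix "FORWARD DIED: "'
    echo '-A FORWARD -j DROP'
    echo '-A OUTPUT -m state --state INVALID -j badpacket'
    echo '-A OUTPUT -p tcp ! --syn -m state --state NEW -j newnotsyn'
    echo '-A OUTPUT -j ACCEPT'
    echo 'COMMIT'
}

# Read a ruleset on stdin and check the things that bite in practice:
# a loopback ACCEPT exists, it precedes the final INPUT DROP, and the
# table is terminated by COMMIT.  Returns 0 when all pass.
lint_ruleset() {
    ruleset=$(cat)
    echo "$ruleset" | grep -qF -- '-A INPUT -i lo -j ACCEPT' \
        || { echo "lint: no loopback ACCEPT in INPUT" >&2; return 1; }
    lo=$(echo "$ruleset" | grep -nF -- '-A INPUT -i lo -j ACCEPT' | cut -d: -f1)
    drop=$(echo "$ruleset" | grep -nF -- '-A INPUT -j DROP' | cut -d: -f1)
    [ "$lo" -lt "$drop" ] \
        || { echo "lint: loopback ACCEPT comes after the final DROP" >&2; return 1; }
    echo "$ruleset" | tail -n 1 | grep -qx COMMIT \
        || { echo "lint: table not terminated by COMMIT" >&2; return 1; }
}

# Atomic load (needs root, not run here).  iptables-restore --test only
# parses; if that and the lint pass, the second call commits everything
# at once, so a broken file never leaves a half-applied ruleset behind.
load_ruleset() {
    f=$(mktemp)
    gen_ruleset "$@" > "$f"
    lint_ruleset < "$f" && iptables-restore --test < "$f" && iptables-restore < "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

gen_ruleset 22 25
```

To try it on a real machine, run `load_ruleset 22 25` as root; on a remote box keep a second shell open with something like `sleep 120 && iptables -P INPUT ACCEPT` armed until you have confirmed the new ruleset still lets you in.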
Re: What is the best way to turn off the iptables
> You could always flush/remove all the rules. But my suggestion is to understand why it is blocking you. You could do that by
>
>     iptables -L -vn
>
> This prints the packet stats against each rule. Another handy tool is netcat. Combining both of these you could easily debug the iptables scenario. For example, to see your loopback scenario, do the following in two shells:
>
> shell1: nc -l -p 5000                     # listen on port 5000
> shell2: echo 'hello' | nc 127.0.0.1 5000  # send something to loopback port 5000
>
> The message should be printed on shell1, and if you type something on shell1 it should come back to shell2 also. Whether it is coming or not, analyze the packet stats and see against which rule the count has increased.

$ echo 'hello' | nc 127.0.0.1 5000
(UNKNOWN) [127.0.0.1] 5000 (?) : Connection timed out

I don't know how to analyze/follow the packet stats.

Thanks,
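Anand's suggestion (watch the counters from iptables -L -vn while you run the nc test), carried through as an added example that is not from any post in the thread: take one snapshot before and one after the connection attempt and report every rule, or chain policy, whose packet counter grew. The two snapshots embedded below are constructed to resemble the situation lina describes (INPUT policy DROP with no rule for lo), not real output from her machine; on a real box you would generate them with iptables -L -vnx as root. The file names and the sample numbers are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which iptables rule, or which chain
# policy, did a test connection hit?  Diff the packet counters of two
# `iptables -L -vnx` snapshots taken around the connection attempt.
# Use -x: without it iptables abbreviates large counters as 902K / 1M,
# which the subtraction below would misread.
#
# Real use (as root), with the loopback test from the thread:
#   iptables -L -vnx > /tmp/before
#   echo hello | nc 127.0.0.1 5000
#   iptables -L -vnx > /tmp/after
#   rule_hits /tmp/before /tmp/after
#
# Output: one line per counter that grew: chain, delta, rule text.
# "INPUT  +3  (policy DROP)" means the packets matched no rule at all and
# fell through to the chain's default policy.
rule_hits() {
    awk '
        # A built-in chain header also carries the policy counter (packets
        # that matched no rule); record it under a synthetic "(policy X)" key.
        /^Chain / {
            chain = $2
            if ($3 == "(policy") { pkts = $5; k = chain "\t(policy " $4 ")"; record() }
            next
        }
        /^ *pkts / { next }      # column header line
        /^[ \t]*$/ { next }      # blank line between chains
        {
            # drop the pkts/bytes columns; the rest of the line identifies the rule
            pkts = $1; $1 = ""; $2 = ""; sub(/^[ \t]+/, "")
            k = chain "\t" $0
            record()
        }
        # First file (NR == FNR): remember counters.  Second file: report growth.
        function record() {
            if (NR == FNR) { before[k] = pkts; return }
            d = pkts - before[k]
            if (d > 0) printf "%s\t+%d\t%s\n", chain, d, substr(k, index(k, "\t") + 1)
        }' "$1" "$2"
}

# Constructed snapshots standing in for real output: INPUT policy DROP,
# ESTABLISHED and ssh rules, no "-i lo" ACCEPT.  A connect to 127.0.0.1:5000
# sends a SYN plus retransmits that no INPUT rule matches.
BEFORE=$(mktemp)
AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy DROP 40 packets, 2400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1180    98214 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       2      120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1234 packets, 133000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
cat > "$AFTER" <<'EOF'
Chain INPUT (policy DROP 43 packets, 2580 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1180    98214 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       2      120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1237 packets, 133180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF

rule_hits "$BEFORE" "$AFTER"
```

On the constructed input this prints two lines: OUTPUT's policy counter grew by 3 (the SYNs left), and INPUT's "(policy DROP)" grew by 3 while no rule moved. A delta on the policy line rather than on a rule is the telling case: the loopback packets matched nothing and were dropped by the default policy, which is what a timed-out connect to 127.0.0.1 looks like when the INPUT chain has no "-i lo -j ACCEPT". If instead the delta lands on a LOG or DROP rule, that rule's line tells you which match to loosen.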
Re: What is the best way to turn off the iptables
On Fri, Jul 6, 2012 at 12:33 AM, Brian a...@cityscape.co.uk wrote:
> On Thu 05 Jul 2012 at 22:28:43 +0800, lina wrote:
>
>> Hi,
>>
>> What is the best way to turn off the iptables? or come back to its default settings. Flush my current one.
>
> Depends on what rules you have set up. iptables -F and iptables -X should do it for you.
>
>> 4] Is there someone willing to share some iptables template, a bit mature one with explanation.
>
> There might be but you do not really want to use someone else's rules.

I will try to understand the template (like the one shared by Joe) first.

> Have you given any thought as to what you want to achieve, apart from some hazy (and probably mistaken) idea that you might be safer? As far as I can see you have a couple of services running. Services are meant to be accessed but restrictions on access can generally be set in their configuration files. Try defining and saying exactly what it is you want netfilter/iptables to do for you.

I don't know exactly what I wish for except the hazy secure feelings? Hope I can figure it out in future.

Thanks,

Best regards,