  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    22

    Issue with the IPTABLE


    Hi All,

    I have created my own iptables script and it works fine. But when I do iptables -F, the network goes down: I am unable to ssh, unable to ping. SELinux is disabled, as is the default firewall.

    Below is my script and iptables -L output.

    Code:
    #!/bin/sh
    
    IPT=/sbin/iptables
    
    #To remove old rules in iptables (-F flushes the rules; -X then deletes the
    #now-empty SERVICES chain so that re-running the script does not fail on
    #-N and append duplicate rules)
    
    $IPT -F
    $IPT -X
    
    #Policies
    
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -N SERVICES
    
    #Allowed input
    
    $IPT -A INPUT --in-interface lo -j ACCEPT
    $IPT -A INPUT -j SERVICES
    
    #Allow responses to established connections
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type any -j ACCEPT
    #$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
    #$IPT -A INPUT -j LOG --log-prefix " FAIL! "
    
    #Allowed services
    
    #For SSH connection
    $IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
    
    #For HTTP connection
    $IPT -A SERVICES -p tcp --dport 80 -j ACCEPT
    
    
    #For MYSQL connection
    $IPT -A SERVICES -p tcp --dport 3306 -j ACCEPT
    
    #for VNC
    #$IPT -A SERVICES -m tcp -p tcp --dport 5901 -j ACCEPT
    
    #for ftp
    $IPT -A SERVICES -p tcp --dport 20 -j ACCEPT
    $IPT -A SERVICES -p udp --dport 20 -j ACCEPT
    $IPT -A SERVICES -p tcp --dport 21 -j ACCEPT
    $IPT -A SERVICES -p udp --dport 21 -j ACCEPT
    
    #For NTP port
    $IPT -A SERVICES -p tcp --dport 123 -j ACCEPT
    $IPT -A SERVICES -p udp --dport 123 -j ACCEPT
    
    #for Syslogs
    
    $IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
    $IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
    $IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
    $IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
    
    #To accept the connection from a range for print server
    
    #$IPT -A SERVICES -m iprange --src-range x.x.x.x-x.x.x.x -p tcp --dport 631 -j ACCEPT
    #$IPT -A SERVICES -m iprange --src-range x.x.x.x-x.x.x.x -p udp --dport 631 -j ACCEPT
    
    #for port forwarding
    #$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    #$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT
    
    ### log and drop everything else
    $IPT -A INPUT -j LOG
    $IPT -A FORWARD -j LOG
    $IPT -A INPUT -j DROP

    Code:
    iptables -v -L
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       14   814 ACCEPT     all  --  lo     any     anywhere             anywhere
     1465  122K SERVICES   all  --  any    any     anywhere             anywhere
       33  2498 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
      750 63000 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
        0     0 ACCEPT     udp  --  eth0   any     x.x.x.x              x.x.x.x             udp dpt:syslog
        0     0 ACCEPT     udp  --  eth0   any     x.x.x.x              x.x.x.x             udp dpt:syslog
        0     0 ACCEPT     udp  --  eth0   any     x.x.x.x              x.x.x.x             udp dpt:syslog
        0     0 ACCEPT     udp  --  eth0   any     x.x.x.x              x.x.x.x             udp dpt:syslog
       37 10933 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
       37 10933 DROP       all  --  any    any     anywhere             anywhere
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level warning
    
    Chain OUTPUT (policy ACCEPT 1557 packets, 200K bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain SERVICES (1 references)
     pkts bytes target     prot opt in     out     source               destination
      555 34660 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
       59  8501 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:mysql
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data
        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ftp-data
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
        0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ftp
        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ntp
       31  2356 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ntp
    Thanks in advance!

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Hi,

    "network goes down"

    That should not be happening - the two (iptables and network scripts) are not tied. Do you have local access to the box, where you can verify whether or not networking is truly up?

    I haven't looked at your rules, but before that - have you tried instead of "iptables -F", just stopping the firewall? E.g.:
    Code:
    service iptables stop
    Of course, you may have a good reason for just flushing the rules.

  3. #3
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Your policy rules say to DROP all input and forward. If you delete all the rules for input and forward then the policy is the last stop and since it is set to DROP everything is dropped.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  5. #4
    Just Joined!
    Join Date
    Oct 2007
    Posts
    22
    Hi Robert,

    My connection drops after "iptables -F", and if I do "iptables -F" I hope it will flush all the rules. Doesn't it?

    Regards,
    Sirvesh

  6. #5
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,410
    No, iptables -F flushes all rules, but will not change the default policy.
    You must always face the curtain with a bow.

  7. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    I would say that if you need to clear the rules, you should stop the firewall instead of flushing just the rules, or create another script for flushing and include "-P ACCEPT" for your policies, something like this:

    Code:
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    Be careful with this. If you are connected to the internet you open the box up to everyone.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted
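A fuller version of the three lines Robert posted, added here as an example and not code posted by anyone in the thread. It generalises the same idea to all three tables (filter, nat and mangle, the layout assumed here) and to user-defined chains: every built-in policy is set to ACCEPT first, so the policy that Robert calls the "last stop" can no longer DROP anything, and only then are rules flushed, user chains deleted with -X (which -F leaves behind, SERVICES in Sirvesh's script included) and counters zeroed. The `--apply` flag, the `IPT` override and the `chains_for_table` helper are this example's own; the default binary path is the one from Sirvesh's script.

```shell
#!/bin/sh
# Added example, not code from the thread. Resets iptables to an open state
# without dropping the SSH session that runs it. The order is the point:
# policies go to ACCEPT in every table *before* the rules are flushed.
# IPT can be overridden (for instance with a logging wrapper) so the logic
# can be exercised without root; the default is /sbin/iptables as in the
# original script.
IPT=${IPT:-/sbin/iptables}

# Built-in chains of each table; only these carry a policy. Assumed layout:
# the filter, nat and mangle tables of a stock kernel.
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING OUTPUT POSTROUTING" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      return 1 ;;
    esac
}

# 1. policies first: from here on a missing rule means ACCEPT, not DROP.
# 2. then flush the rules (-F), delete the now empty and unreferenced
#    user chains (-X) and zero the counters (-Z) in every table.
reset_firewall() {
    for table in filter nat mangle; do
        for chain in $(chains_for_table "$table"); do
            $IPT -t "$table" -P "$chain" ACCEPT || return 1
        done
    done
    for table in filter nat mangle; do
        $IPT -t "$table" -F || return 1
        $IPT -t "$table" -X || return 1
        $IPT -t "$table" -Z || return 1
    done
}

# The result is a box open to everyone (Robert's warning), so the script
# only acts when run with an explicit flag.
if [ "${1:-}" = "--apply" ]; then
    reset_firewall && echo "iptables reset: all policies ACCEPT, no rules"
fi
```

Run it as `sh reset-iptables.sh --apply` from a console session when possible; if it has to be run over SSH, the policy-before-flush ordering is what keeps the session alive, since the ESTABLISHED rule disappears with the flush and the ACCEPT policy takes over.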
