- 02-04-2013 #1 Just Joined! (Join Date: Oct 2007, Posts: 21)
Issue with the IPTABLE
Hi All,
I have created my own iptables script; it works fine. But when I do iptables -F, the network goes down. I am unable to ssh, unable to ping. SELinux is disabled, and so is the default firewall.
Below are my script and the iptables -L output.
Code:
#!/bin/sh
IPT=/sbin/iptables

# Remove old rules from iptables. Note that -F only deletes rules: it
# leaves the chain policies and user-defined chains in place, so -X is
# added here to delete the emptied user chains (otherwise -N SERVICES
# below fails with "Chain already exists" on a second run).
$IPT -F
$IPT -X

# Policies
$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -N SERVICES

# Allowed input
$IPT -A INPUT --in-interface lo -j ACCEPT
$IPT -A INPUT -j SERVICES

# Allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type any -j ACCEPT
#$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
#$IPT -A INPUT -j LOG --log-prefix " FAIL! "

# Allowed services
# For SSH connections
$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
# For HTTP connections
$IPT -A SERVICES -p tcp --dport 80 -j ACCEPT
# For MySQL connections
$IPT -A SERVICES -p tcp --dport 3306 -j ACCEPT
# For VNC
#$IPT -A SERVICES -m tcp -p tcp --dport 5901 -j ACCEPT
# For FTP
$IPT -A SERVICES -p tcp --dport 20 -j ACCEPT
$IPT -A SERVICES -p udp --dport 20 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 21 -j ACCEPT
$IPT -A SERVICES -p udp --dport 21 -j ACCEPT
# For NTP
$IPT -A SERVICES -p tcp --dport 123 -j ACCEPT
$IPT -A SERVICES -p udp --dport 123 -j ACCEPT
# For syslog
$IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
$IPT -A INPUT -p udp -i eth0 -s x.x.x.x -d x.x.x.x --dport 514 -j ACCEPT
# To accept connections from a range for the print server
#$IPT -A SERVICES -m iprange --src-range x.x.x.x-x.x.x.x -p tcp --dport 631 -j ACCEPT
#$IPT -A SERVICES -m iprange --src-range x.x.x.x-x.x.x.x -p udp --dport 631 -j ACCEPT
# For port forwarding
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
#$IPT -A FORWARD -p tcp --dport 8080 -j ACCEPT

### Log and drop everything else
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
Code:
iptables -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
   14   814 ACCEPT     all  --  lo     any     anywhere    anywhere
 1465  122K SERVICES   all  --  any    any     anywhere    anywhere
   33  2498 ACCEPT     all  --  any    any     anywhere    anywhere    state RELATED,ESTABLISHED
  750 63000 ACCEPT     icmp --  any    any     anywhere    anywhere    icmp any
    0     0 ACCEPT     udp  --  eth0   any     x.x.x.x     x.x.x.x     udp dpt:syslog
    0     0 ACCEPT     udp  --  eth0   any     x.x.x.x     x.x.x.x     udp dpt:syslog
    0     0 ACCEPT     udp  --  eth0   any     x.x.x.x     x.x.x.x     udp dpt:syslog
    0     0 ACCEPT     udp  --  eth0   any     x.x.x.x     x.x.x.x     udp dpt:syslog
   37 10933 LOG        all  --  any    any     anywhere    anywhere    LOG level warning
   37 10933 DROP       all  --  any    any     anywhere    anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source      destination
    0     0 LOG        all  --  any    any     anywhere    anywhere    LOG level warning

Chain OUTPUT (policy ACCEPT 1557 packets, 200K bytes)
 pkts bytes target     prot opt in     out     source      destination

Chain SERVICES (1 references)
 pkts bytes target     prot opt in     out     source      destination
  555 34660 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:ssh
   59  8501 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:mysql
    0     0 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:ftp-data
    0     0 ACCEPT     udp  --  any    any     anywhere    anywhere    udp dpt:ftp-data
    0     0 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:ftp
    0     0 ACCEPT     udp  --  any    any     anywhere    anywhere    udp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     anywhere    anywhere    tcp dpt:ntp
   31  2356 ACCEPT     udp  --  any    any     anywhere    anywhere    udp dpt:ntp

Thanks in advance!
- 02-05-2013 #2 Trusted Penguin (Join Date: May 2011, Posts: 3,663)
Hi,

Quote: network goes down

That should not be happening - the two (iptables and network scripts) are not tied. Do you have local access to the box, where you can verify whether or not networking is truly up?

I haven't looked at your rules, but before that - have you tried, instead of "iptables -F", just stopping the firewall? E.g.:
Code:
service iptables stop

Of course, you may have a good reason for just flushing the rules.
- 02-05-2013 #3
Your policy rules say to DROP all input and forward. If you delete all the rules for input and forward then the policy is the last stop and since it is set to DROP everything is dropped.
- 02-05-2013 #4 Just Joined! (Join Date: Oct 2007, Posts: 21)
Hi Robert,
My connection drops after "iptables -F", and if I do "iptables -F" I hope it will flush all the rules. Doesn't it?
Regards,
Sirvesh
- 02-05-2013 #5
No, iptables -F flushes all rules, but will not change the default policy.
- 02-05-2013 #6
I would say if you need to clear the rules you should stop the firewall instead of flushing just the rules, or create another script for flushing and include "-P ACCEPT" for your policies, something like this:
Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

Be careful with this. If you are connected to the internet you open the box up to everyone.
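The script below is an added example for this thread, not code posted by anyone in it. It generalizes the reply above: it checks from iptables-save output which chains would be left dropping everything after a bare "iptables -F" (the OP's INPUT and FORWARD), resets policies to ACCEPT before flushing in the filter, nat and mangle tables (roughly what "service iptables stop" does), and wraps a rules script in a timed rollback so a mistake cannot lock you out of a remote box. It assumes iptables, iptables-save and iptables-restore are on PATH and that you run it as root; the function names, the /run/fw_rollback.pid state file and the SAMPLE_SAVE text are this example's own inventions.

```shell
#!/bin/sh
# Added example (not code from any poster in the thread).
# "iptables -F" deletes rules but keeps each chain's policy, so with
# "-P INPUT DROP" a bare flush drops every packet, ssh included. Helpers:
#   fw_drop_policies     reads iptables-save output on stdin and lists the
#                        chains whose policy is DROP, i.e. what a flush leaves
#   fw_open              resets policies to ACCEPT *before* flushing, then
#                        deletes user chains and zeroes counters in all tables
#   fw_apply/fw_confirm  apply a rules script with a timed rollback
# Assumptions: iptables, iptables-save, iptables-restore on PATH, run as root.
# Set IPT=echo to print the iptables commands instead of running them.

IPT="${IPT:-iptables}"
STATE=/run/fw_rollback.pid    # assumed location for the rollback timer state

# iptables-save prints one ":CHAIN POLICY [pkts:bytes]" line per chain under
# each "*table" header; user-defined chains such as SERVICES show policy "-".
fw_drop_policies() {
    awk '
        /^\*/                 { table = substr($0, 2) }
        /^:/ && $2 == "DROP"  { print table, substr($1, 2) }
    '
}

fw_open() {
    for table in filter nat mangle; do
        case "$table" in
            filter) chains="INPUT FORWARD OUTPUT" ;;
            nat)    chains="PREROUTING OUTPUT POSTROUTING" ;;
            mangle) chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        esac
        # Policy first: once the rules are gone the policy decides every packet.
        for chain in $chains; do
            "$IPT" -t "$table" -P "$chain" ACCEPT
        done
        "$IPT" -t "$table" -F   # flush all rules in the table
        "$IPT" -t "$table" -X   # delete the now-empty user-defined chains
        "$IPT" -t "$table" -Z   # zero the packet/byte counters
    done
}

# Run a rules script, restoring the previous ruleset after $2 seconds
# (default 60) unless fw_confirm is called from a session that still works.
fw_apply() {
    script="$1"; grace="${2:-60}"
    backup="$(mktemp)" || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace" && iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "$! $backup" > "$STATE"
    sh "$script"
    echo "applied $script; run fw_confirm within ${grace}s or the old rules return"
}

fw_confirm() {
    read -r pid backup < "$STATE" || return 1
    kill "$pid" 2>/dev/null        # stop the timer; the orphaned sleep is harmless
    rm -f "$backup" "$STATE"
}

# Constructed sample of iptables-save output for a ruleset like the OP's:
# DROP policies on INPUT and FORWARD, a SERVICES user chain.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1557:200000]
:SERVICES - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j SERVICES
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A SERVICES -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

case "${1:-}" in
    check) iptables-save | fw_drop_policies ;;   # chains a flush would leave at DROP
    open)  fw_open ;;                             # fully open the firewall: everyone gets in
    demo)  printf '%s\n' "$SAMPLE_SAVE" | fw_drop_policies; IPT=echo fw_open ;;
esac
```

Run it with "demo" to see, without touching the kernel, that the sample ruleset reports "filter INPUT" and "filter FORWARD" and that every "-P ... ACCEPT" is issued before the "-F" for its table. "check" does the same against the live ruleset, which is the question to ask before typing "iptables -F" over ssh; "open" is the safe equivalent of the reply's three commands, extended to the nat and mangle tables. For a rules change from a remote session, source the file and use fw_apply ./firewall.sh 60 followed by fw_confirm once you have verified that a new ssh connection still works.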