* iptables -f locks me out?
@ 2003-10-18 19:37 Eric Gibson
  2003-10-19  4:43 ` Jim Carter
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Gibson @ 2003-10-18 19:37 UTC (permalink / raw)
  To: netfilter

Hey,

    Is there any way around this? It never used to happen with ipchains... Whenever I
run iptables -F, or stop my shorewall script with its init script (or if there is
an error in the config file and it stops itself), it completely locks me out of
remote access and I have to call up my admin and have him drive 15 miles to the
site and reboot the machine (I'm out of state).

    It's really annoying... I'm running Redhat 9.0, 2.4.20-20.9 kernel...

Eric


* Re: iptables -f locks me out?
  2003-10-18 19:37 iptables -f locks me out? Eric Gibson
@ 2003-10-19  4:43 ` Jim Carter
  0 siblings, 0 replies; 2+ messages in thread
From: Jim Carter @ 2003-10-19  4:43 UTC (permalink / raw)
  To: Eric Gibson; +Cc: netfilter

On Sat, 18 Oct 2003, Eric Gibson wrote:
>     Is there any way around this? It never used to happen with ipchains...
> Whenever I run iptables -F, or stop my shorewall script with its init
> script (or if there is an error in the config file and it stops itself),
> it completely locks me out of remote access and I...

"iptables -F" would clear the filter table, and if the nat or mangle tables
still had rules, something bad might happen.  Also the chains still have
their individual policies, some of which are DROP.  That's probably what
is killing you.  You need to set the policies of all the builtin chains to
ACCEPT.

Consider using iptables-save and iptables-restore.  I've replaced my
original firewall script with one like this.  For the payload I dumped my
rules using iptables-save, and then neatened and annotated them, replacing
numeric ports and protocols with keys from /etc/services and
/etc/protocols.  If there's a syntax error in any one table, that table
will not be replaced; otherwise it is replaced atomically.  No need to
flush rules, opening up your box for a second.

iptables-restore <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# auth queries need to be rejected actively to avoid annoying timeouts.
-A INPUT -p tcp -m tcp --dport auth -j REJECT --reject-with icmp-port-unreachable
COMMIT

*nat
:PREROUTING DROP [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# My user-defined chain
:COUCHNET - [0:0]

# Ports and protocols that are allowed
#   ssh secure shell
-A PREROUTING -p tcp -m tcp --dport ssh                         -j ACCEPT
# etc. etc.
# Every table block must end with COMMIT or iptables-restore rejects it.
COMMIT
EOF

It also has a function which restores a pristine state (with ACCEPT
policies), which is executed when you do "/etc/init.d/firewall stop".

Hope this helps!

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)
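As an added illustration of the "pristine state" stop routine Jim describes (this is example code, not from the thread or from shorewall), the script below builds the wide-open iptables-restore payload and also shows the safe ordering for hosts that must fall back to -P/-F: policies go to ACCEPT before anything is flushed. Function names are hypothetical; the chain set assumes a 2.4.18+ or 2.6 kernel (filter, nat, mangle; no raw table).

```shell
# Added example, not from the thread: a firewall "stop" routine in the spirit
# of Jim's pristine-state function.  Chain set assumes a 2.4.18+/2.6 kernel
# (filter, nat, mangle; no raw table).  Function names are hypothetical.

# iptables-restore payload for a wide-open state: every builtin policy ACCEPT,
# no rules, no user chains.  Each table is swapped in as a unit, so there is no
# instant with DROP policies guarding an empty table (what "iptables -F" causes).
pristine_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Fallback without iptables-restore: open the policies FIRST, flush SECOND.
# Reads the table/chain/policy lines of the payload above so both paths agree.
reset_firewall_legacy() {
    pristine_rules | while read -r line; do
        case "$line" in
            \**) table=${line#\*} ;;                  # "*filter" -> filter
            :*)  set -- $line                         # ":INPUT ACCEPT [0:0]"
                 iptables -t "$table" -P "${1#:}" "$2" ;;
        esac
    done
    for table in filter nat mangle; do                # only now drop the rules
        iptables -t "$table" -F && iptables -t "$table" -X
    done
}

# Usage from an init script: "firewall stop" swaps in the pristine tables atomically.
if [ "${1:-}" = "stop" ]; then pristine_rules | iptables-restore; fi
```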

