Clear Iptables chains?

Clear Iptables chains?

[Denis JULIEN]

How can I clear all iptables chains before that my FW script be launched?

thank in advance

Denis

Re: Clear Iptables chains?

[Lukas Ruf]

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X

but rtfm.

--lpr

On Mon, 08 Jul 2002, Denis JULIEN wrote:

> How can I clear all iptables chains before that my FW script be launched?
> 
> thank in advance
> 
> Denis
> 

-- 
Lukas Ruf      Bellariastr. 11      CH-8002 Zuerich      +41 1 2813545
http://www.lpr.ch                                http://www.maremma.ch    
     http://www.{{topsy,nodeos}.net,{promethos,netbeast}.org}

Re: Clear Iptables chains?

[Antony Stone]

On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:

> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -F
> iptables -X

Don't forget:
iptables -F -t nat
iptables -F -t mangle

Antony.

> but rtfm.

Always good advice :-)

> On Mon, 08 Jul 2002, Denis JULIEN wrote:

> > How can I clear all iptables chains before that my FW script be launched?
> >
> > thank in advance
> >
> > Denis

Re: Clear Iptables chains?

[Antony Stone]

On Monday 08 July 2002 3:56 pm, Antony Stone wrote:

> On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:
> > iptables -P INPUT ACCEPT
> > iptables -P OUTPUT ACCEPT
> > iptables -P FORWARD ACCEPT

I'd prefer to see:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Then you add in the rules for the stuff your definitely know you want to 
allow.

> > iptables -F
> > iptables -X
>
> Don't forget:
> iptables -F -t nat
> iptables -F -t mangle
>
> Antony.
>
> > but rtfm.
>
> Always good advice :-)
>
> > On Mon, 08 Jul 2002, Denis JULIEN wrote:
> > > How can I clear all iptables chains before that my FW script be
> > > launched?
> > >
> > > thank in advance
> > >
> > > Denis

Re: Clear Iptables chains?

[Jan Humme]

On Monday 08 July 2002 17:22, Antony Stone wrote:
> On Monday 08 July 2002 3:56 pm, Antony Stone wrote:
> > On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:
> > > iptables -P INPUT ACCEPT
> > > iptables -P OUTPUT ACCEPT
> > > iptables -P FORWARD ACCEPT
>
> I'd prefer to see:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> Then you add in the rules for the stuff your definitely know you want to
> allow.

Certainly.

What about default policies for the nat and mangle tables?

Or perhaps you find that it doesn't belong here?

Jan Humme.

Re: Clear Iptables chains?

[Ross Vandegrift]

On Mon, Jul 08, 2002 at 04:22:47PM +0100, Antony Stone wrote:
> On Monday 08 July 2002 3:56 pm, Antony Stone wrote:
> 
> > On Monday 08 July 2002 3:46 pm, Lukas Ruf wrote:
> > > iptables -P INPUT ACCEPT
> > > iptables -P OUTPUT ACCEPT
> > > iptables -P FORWARD ACCEPT
> 
> I'd prefer to see:
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
> 
> Then you add in the rules for the stuff your definitely know you want to 
> allow.

Be careful with doing this though, if you're managing a remote box.
It's *very* easy to cut yourself off the box when setting policy like
this.

I keep a script around that flushes all rules and sets default policy to
ACCEPT, and then make -P DROP the first three commands in the script to
configure iptables.  This prevents me from neutering my access when I'm
hacking around with the firewall rules.

Ross Vandegrift
ross@willow.seitz.com

Re: Clear Iptables chains?

[Antony Stone]

On Monday 08 July 2002 5:34 pm, Jan Humme wrote:

> On Monday 08 July 2002 17:22, Antony Stone wrote:

> > I'd prefer to see:
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > Then you add in the rules for the stuff your definitely know you want to
> > allow.
>
> Certainly.
>
> What about default policies for the nat and mangle tables?

Those should be ACCEPT, unless you're being sneaky/clever, and you definitely 
know what you are doing..

The reasons are simple:

1. The choice of whether to block or accept packets should be done in the 
filtering table - that's what it's for.   The nat table is for address 
translation, and the mangle table is for packet mangling.   Don't drop 
packets in the nat table; drop them in the filter table.

2. If you start setting default policies of anything except ACCEPT in the nat 
or mangle tables, it's very easy to stop all traffic through your firewall, 
and spend some time scratching your head trying to figure out why, because 
there are no rules in the filter table causing the behaviour you observe.

 

Antony.

Re: Clear Iptables chains?

[Jan Humme]

On Monday 08 July 2002 19:01, Antony Stone wrote:
> On Monday 08 July 2002 5:34 pm, Jan Humme wrote:
> > On Monday 08 July 2002 17:22, Antony Stone wrote:
> > > I'd prefer to see:
> > > iptables -P INPUT DROP
> > > iptables -P OUTPUT DROP
> > > iptables -P FORWARD DROP
> > >
> > > Then you add in the rules for the stuff your definitely know you want
> > > to allow.
> >
> > Certainly.
> >
> > What about default policies for the nat and mangle tables?
>
> Those should be ACCEPT, unless you're being sneaky/clever, and you
> definitely know what you are doing..
>
> The reasons are simple:
>
> 1. The choice of whether to block or accept packets should be done in the
> filtering table - that's what it's for.   The nat table is for address
> translation, and the mangle table is for packet mangling.   Don't drop
> packets in the nat table; drop them in the filter table.

Makes perfect sense.


> 2. If you start setting default policies of anything except ACCEPT in the
> nat or mangle tables, it's very easy to stop all traffic through your
> firewall, and spend some time scratching your head trying to figure out
> why, because there are no rules in the filter table causing the behaviour
> you observe.

..........as I already found out...............(!).

Jan Humme.