I used a script (seen at the end of this post) to add lots of iptables rules. Now I want to remove them. They are basically only blocking certain IP addresses, but I want to remove them.
If I, e.g., ping one of the IP addresses, I get "packet filtered" as the response.
Thanks for helping.
Code:
#!/bin/bash
#
# peerguard - Version 0.2
# Author: Brad Cable
# License: GPL Version 2
#
# (bash is required: the script uses $UID, &> and ${var:offset:length})

### Configuration ###
# uncomment and change this to use a HTTP proxy to retrieve the list
#export http_proxy="0.0.0.0:80"
# file to download from the peerguardian database, go to http://www.methlabs.org/sync/ for possible values
pgfile="guarding.p2p"
# temporary directory to use
workdirectory="/tmp/pg"
# path to iptables
iptables="/usr/sbin/iptables"
### End of Configuration ###

########################################
### DO NOT TOUCH THE REST!!! ###
########################################

if [ "$UID" != "0" ]; then
    echo "You must be root to run this script."
    exit 1
fi

# remove the work directory and any leftover list files
cleanup(){
    if [ -d "$workdirectory" ]; then
        rm -r "$workdirectory"
    fi
    rm -f "$pgfile" "$pgfile.zip"
}

cleanup
mkdir "$workdirectory"
chown -R nobody "$workdirectory"
chmod +w "$workdirectory"
cd "$workdirectory" || exit 1

reject="-j REJECT --reject-with icmp-host-unreachable"
# the download runs as the unprivileged user nobody, not as root
nob="su - nobody -c "
wget="cd $workdirectory;wget -q"
if [ -n "$http_proxy" ]; then
    wget="export http_proxy='${http_proxy}';$wget"
fi

echo
echo -n "Downloading PeerGuardian File: $pgfile"
$nob"$wget http://www.methlabs.org/sync/$pgfile.zip"
echo -n "... Unzipping..."
unzip "$pgfile.zip" &> /dev/null
echo -n " Done."
echo

# each list line is "description:first-ip-last-ip"; read whole lines so a
# description containing spaces is not split into separate words
while IFS= read -r line; do
    iprange=$(echo "$line" | cut -d ':' -f2)
    # skip empty lines and lines without a "description:" prefix
    if [ "$iprange" == "$line" ] || [ "$iprange" == "" ]; then
        continue
    fi
    # drop the trailing character (a carriage return when the list has DOS line endings)
    iprange=${iprange:0:${#iprange}-1}
    $iptables -A INPUT -m iprange --src-range "$iprange" -j DROP
    $iptables -A OUTPUT -m iprange --dst-range "$iprange" $reject
    echo " Blocked: $iprange"
done < "$pgfile"
echo "Blocking Complete"
echo

cleanup
to flush the rules the script added to the OUTPUT chain. With the rules removed, you will be able to resume connecting to the IPs the script blocked, such as pinging them. Note that this will also flush out any rules you had in the OUTPUT chain before you ran the script.
You can also flush the rules from the INPUT chain similarly (as root):
to flush out all the rules the script added. Again, this will also flush any rules you originally had before you ran the script.
This will leave you wide open. In case you need it, here's a basic firewall script that should do while you figure out what you want to do:
Code:
#!/bin/sh

## INPUT chain ##
# Explicitly deny that which is not allowed.
iptables --policy INPUT DROP

# Allow anything from the loopback device.
iptables --append INPUT \
    --in-interface lo \
    --jump ACCEPT

# Allow anything related to an outgoing connection.
iptables --append INPUT \
    --match state \
    --state ESTABLISHED,RELATED \
    --jump ACCEPT

## OUTPUT chain ##
# Allow anything on the way out.
iptables --policy OUTPUT ACCEPT
Is gg.sh the script that adds all the rules? If so, you re-added the rules after flushing them out.
But that's okay, I think I see what you want to do now. It looks like you want to block the IPs on the way in, but not on the way out. To achieve this, flush the chains again, comment out or remove this line in the script:
Code:
$iptables -A OUTPUT -m iprange --dst-range $iprange $reject
(it's about 10 lines from the bottom), and re-run the script.
What I want is to remove all the added IPs from iptables so that iptables looks like it did before I ran the script the first time, i.e.
before running script:
something
something
something
After running the script:
something
something
something
block incoming an IP address from the script
block outgoing an IP address from the script
and so on
So what I want is for the iptables rules to look like they did before I ran the script.
And no, gg.sh is the script you gave me.
Last edited by greenthing; 02-27-2005 at 04:11 PM.
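An added example, not posted by anyone in this thread, of what greenthing is actually asking for: deleting only the rules the peerguard script added, so any rules that were in INPUT and OUTPUT before it ran survive instead of being flushed. It assumes the peerguard rules are the only ones using the iprange match (which is how they are recognised) and works on the -A lines that iptables -S or iptables-save prints; the sample rule listing below is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). The peerguard script appends rules of
# the form "-A INPUT -m iprange --src-range a-b -j DROP" and
# "-A OUTPUT -m iprange --dst-range a-b -j REJECT ...". Deleting a rule with
# "iptables -D" needs the exact same specification, so we derive the delete
# commands from the rule listing itself rather than from the downloaded list.

# Read "iptables -S" / "iptables-save" lines on stdin and print one
# "iptables -D ..." command for each rule the peerguard script added.
# Nothing is executed here; the caller decides what to do with the output.
peerguard_undo_commands() {
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT -m iprange --src-range "*|"-A OUTPUT -m iprange --dst-range "*)
                # swap the append (-A) for a delete (-D), keeping the rule spec
                printf 'iptables -D %s\n' "${rule#-A }"
                ;;
        esac
    done
}

# Against the live tables (run as root): review the printed commands first,
# then pipe them into sh to apply them. Assumes iptables is in PATH.
apply_peerguard_undo() {
    { iptables -S INPUT; iptables -S OUTPUT; } | peerguard_undo_commands | sh
}

# Constructed sample of an "iptables -S" listing: three pre-existing rules
# (the ones from the basic firewall script above) plus the pair the
# peerguard script adds for one range from the list.
sample_rules='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m iprange --src-range 192.0.2.0-192.0.2.255 -j DROP
-A OUTPUT -m iprange --dst-range 192.0.2.0-192.0.2.255 -j REJECT --reject-with icmp-host-unreachable'

# Preview: only the two iprange rules turn into delete commands.
printf '%s\n' "$sample_rules" | peerguard_undo_commands
```

The loopback and state rules are left alone because they never match the iprange patterns, which is exactly the difference from iptables -F.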
This is what it would look like if the script you started with was in effect (iptables segfaulted when I tried to use the hostname www.riaa.com, so I had to use the IP address):
I did the same with a couple of others and they all gave "host not found", so that has to mean they're on the list and that the list is still there in iptables.
Here is the output from iptables --list; thought it might help.
I don't think your firewall rules are filtering anything, because there's no reference to the user-defined chains in the INPUT, OUTPUT, or FORWARD chains. So, although there are a bunch of rules in there, none of them are doing anything.
You have to strip off the http:// and trailing slash from an Internet address before you ping it, because they're not part of the hostname. Try:
gr@ad:~> ping www.nyccouncil.info
PING nyccouncil.info (205.247.142.195) 56(84) bytes of data.
From sl-cityo22-1-1.sprintlink.net (144.223.74.198): icmp_seq=2 Packet filtered
From sl-cityo22-1-1.sprintlink.net (144.223.74.198) icmp_seq=2 Packet filtered
From sl-cityo22-1-0.sprintlink.net (144.223.74.194) icmp_seq=3 Packet filtered
From sl-cityo22-1-0.sprintlink.net (144.223.74.194) icmp_seq=4 Packet filtered
From sl-cityo22-1-1.sprintlink.net (144.223.74.198) icmp_seq=6 Packet filtered
--- nyccouncil.info ping statistics ---
6 packets transmitted, 0 received, +5 errors, 100% packet loss, time 5000ms
So it all seems to be working.
I would like one last thing from you though, please: ping www.nyccouncil.info to make sure that the "packet filtered" thing isn't because of me.
lyle@bowman:~$ ping www.nyccouncil.info
PING nyccouncil.info (205.247.142.195) 56(84) bytes of data.
From sl-cityo22-1-0.sprintlink.net (144.223.74.194) icmp_seq=1 Packet filtered
From sl-cityo22-1-0.sprintlink.net (144.223.74.194) icmp_seq=3 Packet filtered
From sl-cityo22-1-1.sprintlink.net (144.223.74.198) icmp_seq=4 Packet filtered
--- nyccouncil.info ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3013ms
Be careful not to include the trailing slash in the hostname when using ping; when ping does the DNS lookup, it won't find anything with a trailing slash, and ping will report "unknown host."