LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-29-2008, 11:13 PM   #1
The_Nerd
Member
 
Registered: Aug 2002
Distribution: Debian
Posts: 540

Rep: Reputation: 32
Security setting too strict


Hello! I am not a newbie in Linux, but I am a newbie to Linux firewalls and iptables. I've been trying to mess with my firewall to make it so any/all users I desire are restricted from the internet. I haven't accomplished this, and worse, I've somehow managed to make my system so strict that programs (such as DOSBox) cannot even open a listening port unless they are running as root. My CUPS print server cannot even listen on localhost... meaning I can't print. Is there an easy way to flush my firewall completely for now? After all, I am behind a gateway, so having an open firewall isn't a huge concern right now.

I am running Debian 4.
By the way, when I type the command lsmod | grep 'iptables' it shows nothing. Is this good?
 
Old 03-29-2008, 11:38 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Iptables is a command and not a kernel module. The actual firewall in the kernel is called netfilter and is built in without a module of its own. However there may be netfilter kernel modules that are loaded. For example, try "lsmod | grep conntrack".
The prefix that the module uses depends on your kernel version. On my kernel they start with "nf".

I find it convenient to look at an individual iptables chain instead of an entire listing. For example:
sudo /usr/sbin/iptables -L INPUT

With only 6 to 10 entries it is easy to count where you want a rule inserted in that table. Sometimes a rule doesn't work because a previous rule has already handled the situation.

You can insert a new rule at a certain place in the chain.
Code:
       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule number.  So, if the rule number is 1, the rule or rules
              are inserted at the head of the chain.  This is also the default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected, all chains are listed.  As every other iptables command,
              it applies to the specified table (filter is the default), so NAT rules get listed by
               iptables -t nat -n -L
              Please  note that it is often used with the -n option, in order to avoid long reverse DNS lookups.  It is legal to specify
              the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed.  The exact output  is
              affected by the other arguments given. The exact rules are suppressed until you use
               iptables -L -v
Note the rulenum argument. This will help you add or change rules in a particular chain and try them out before committing the changes.
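The rulenum idea above can be put to work without guessing numbers by hand. The following script is an added example, not code from jschiwal's post or from the iptables project: it reads a chain listing in the format of "iptables -L INPUT -n --line-numbers", finds the first rule matching a pattern, and prints the "-I chain rulenum" command that would insert a new rule in front of it. The listing it works on is a constructed sample, so it needs no root and changes nothing on the host; on a live system you would substitute the real listing.

```shell
#!/bin/sh
# Added example, not code from the thread: choose the rulenum for an
# "iptables -I chain rulenum" insertion from a chain listing, and build
# the command. No root needed: the listing is a constructed sample and
# the resulting command is printed rather than executed (on a live host,
# take the listing from "iptables -L INPUT -n --line-numbers").

# Constructed sample of "iptables -L INPUT -n --line-numbers" on a host
# whose INPUT chain ends with a catch-all REJECT. Rule 2 appears to accept
# everything; "-L" hides the interface match, so it may well be "-i lo",
# which is why the listing should be confirmed with "-L -v" first.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# first_rule_matching LISTING PATTERN
# Prints the number of the first rule whose listing line matches PATTERN
# (an awk regular expression); prints nothing if no rule matches. Header
# lines are skipped because their first field is not a number.
first_rule_matching() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1; exit }'
}

# insert_before_cmd CHAIN LISTING PATTERN RULE-SPEC...
# Prints the iptables command that inserts RULE-SPEC immediately before
# the first rule matching PATTERN (so it is evaluated first), or appends
# it with -A when nothing matches.
insert_before_cmd() {
    chain=$1; listing=$2; pattern=$3; shift 3
    num=$(first_rule_matching "$listing" "$pattern")
    if [ -n "$num" ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$num" "$*"
    else
        printf 'iptables -A %s %s\n' "$chain" "$*"
    fi
}

# Example: let the local CUPS listener (TCP 631, the service the original
# poster could not print through) be reached before the catch-all REJECT.
insert_before_cmd INPUT "$SAMPLE_LISTING" 'REJECT|DROP' -i lo -p tcp --dport 631 -j ACCEPT
```

The first matching rule in a chain decides a packet's fate, so a rule appended with -A after a catch-all REJECT is never reached; inserting it at the REJECT's own number puts it in front. The printed command is what you would run (as root) once you have checked the listing with -v.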
 
Old 03-30-2008, 12:11 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by The_Nerd
Is there an easy way to flush my firewall completely for now?
This script will reset everything for you:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Set the default policy of every built-in chain to ACCEPT first, so that
# flushing the rules below cannot leave a chain with a DROP policy and no
# rules (which would block all traffic, including your own session).
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

# Flush every rule from every chain in all four tables.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

# Delete user-defined chains (they must already be empty, hence after -F).
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

# Zero the packet and byte counters.
$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw
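After running a reset like the one above it is worth confirming that the kernel really is in the open state you expect, rather than assuming it. The script below is an added example, not part of win32sux's script: it reads rule-set dumps in the format produced by iptables-save and reports any chain whose policy is not ACCEPT, any user-defined chain that still exists, and any rule that survived the flush. The two dumps it checks are constructed samples of a "before" and an "after" state, so it runs without root; on a live host you would pipe real output into verify_flushed.

```shell
#!/bin/sh
# Added example, not win32sux's script: check, from iptables-save output,
# whether a reset actually took effect. The dumps below are constructed
# samples, so no root is needed here. On a live host:
#   iptables-save > /root/iptables-before-reset.txt   # keep the old state
#   ... run the reset script ...
#   iptables-save | verify_flushed                    # confirm the result
# The saved file can be put back later with iptables-restore.

# verify_flushed < SAVE_OUTPUT
# Exits 0 when every built-in chain policy is ACCEPT, no user-defined
# chain remains and no rule (-A line) remains in any table; otherwise
# prints each offending line, prefixed with its table, and exits 1.
# In iptables-save format a table starts with "*name", chains appear as
# ":NAME POLICY [pkts:bytes]" (policy "-" for user-defined chains), and
# rules appear as "-A CHAIN ...".
verify_flushed() {
    awk '
        BEGIN                    { bad = 0 }
        /^\*/                    { table = substr($0, 2); next }
        /^:/ && $2 == "-"        { print table ": user-defined chain " substr($1, 2) " still exists"; bad = 1; next }
        /^:/ && $2 != "ACCEPT"   { print table ": chain " substr($1, 2) " policy is " $2; bad = 1; next }
        /^-A /                   { print table ": leftover rule: " $0; bad = 1; next }
        END                      { exit bad }
    '
}

# Constructed sample: a locked-down rule set as it might look before reset.
BEFORE_RESET='*filter
:INPUT DROP [12:880]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3120]
:LOCKDOWN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOCKDOWN
-A LOCKDOWN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: what the same host should show after the reset.
AFTER_RESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# check_sample NAME TEXT -> prints a verdict; exit status follows verify_flushed.
check_sample() {
    if printf '%s\n' "$2" | verify_flushed; then
        echo "$1: flushed"
    else
        echo "$1: NOT flushed"
        return 1
    fi
}

check_sample before "$BEFORE_RESET" || :
check_sample after "$AFTER_RESET"
```

Two caveats follow from the script being checked. First, its order matters: the policies are set to ACCEPT before the flush, because flushing a chain whose policy is still DROP leaves nothing but the DROP, which cuts off every connection including a remote shell. Second, the reset only changes the running kernel; if something at boot reloads a saved rule set, the strict rules return after a reboot, so look for such a mechanism as well.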
 