08-04-2004, 10:19 PM   #1
plan9 (Member)
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74
how to stop/start/restart iptables?


wow- slackware has seriously humbled me today. yesterday was great: i learned a lot, but today i got slapped around big time!

anyways-

i'm running slackware-current and i'm loading rc.firewall at boot. I had a problem today with ntalk and thought that it might be firewall related so i figured i'd turn it off and see if it made a difference.

how do you turn a slackware iptables /etc/rc.d/rc.firewall off without rebooting?

i am seriously looking forward to the day when i can answer more questions than i need to ask. until then, thanks for helping!

-9
 
08-04-2004, 10:28 PM   #2
Tinkster (Moderator)
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11
In the last 4 versions of slack that I've used (including
10) there was no rc.firewall, so ...

How about a
cat /etc/rc.d/rc.firewall
and check how it works? :)


Cheers,
Tink
 
08-04-2004, 11:02 PM   #3
foo_bar_foo (Senior Member)
Registered: Jun 2004
Posts: 2,553
i will assume you made the firewall script yourself
make another script called firewall.stop
this is turning off NAT routing as well
so change if you don't want that
also chmod 755 so it will run
Code:
#!/bin/bash
##/etc/init.d/firewall.stop
# deactivate IP-Forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
# zero the packet/byte counters, then flush every rule in the filter table
/sbin/iptables -Z
/sbin/iptables -F
# flush the nat and mangle tables; with no chain name given, -F empties
# every built-in chain of the table, including the mangle
# INPUT/FORWARD/POSTROUTING chains that newer kernels add
/sbin/iptables -t nat         -F
/sbin/iptables -t mangle      -F
# delete user-defined chains (they must already be empty, hence the flushes)
/sbin/iptables -X
/sbin/iptables -t nat         -X
/sbin/iptables -t mangle      -X
# with no rules left, the default policies are all that remain, so set them
# to ACCEPT or the box keeps dropping everything
/sbin/iptables -P INPUT       ACCEPT
/sbin/iptables -P FORWARD     ACCEPT
/sbin/iptables -P OUTPUT      ACCEPT
 
08-05-2004, 07:01 PM   #4
plan9 (Member, Original Poster)
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74
Thank you both for your help. You know, when I was getting my slack box up I wanted to get a firewall up asap. I found one that did what I was looking for (drop everything but ssh) and followed the directions that said put into /etc/rc.d/rc.firewall.

the rc.firewall file did exist, but it was empty. Below is a copy of what I have been using. I know that you're probably shaking your heads because I obviously have no idea how iptables works (yes, it's true- I admit it) but please be patient with me- there is a lot to learn.

a check with nmap shows that i have no ports open- and i could get into my box with ssh, so after I had the rc.firewall script installed I just went on to something else and tabled the firewall question until i had more time to get back to it (now- i suppose is a good time).

Does slack come with another utility for firewalls? I thought that you had to write your own script for rc.firewall?! I bet anything out there will run on slack, and it's just up to the individual to figure out what they want to use... so many options with slack.

anyways, here's the rc.firewall- and thanks again for the help!!

#!/bin/bash

# rc.firewall for
# Basic Slackware Security

# These two rules set the default policies, i.e. what to do if a
# packet doesn't match any other rule, to drop any packet coming
# into (INPUT) or routing through (FORWARD) the box.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# These rules are added (-A) to the INPUT chain. They allow packets
# from any previously established connections and accept anything
# from the loopback interface.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT

# This rule added to the INPUT chain accepts any ssh connections.
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
 
08-05-2004, 07:12 PM   #5
Tinkster (Moderator)
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11
That looks like a
iptables -F
for stopping, and
/etc/rc.d/rc.firewall
for starting to me ;)


Cheers,
Tink
 
08-06-2004, 03:58 PM   #6
plan9 (Member, Original Poster)
Registered: May 2004
Location: USA
Distribution: Slackware-Current
Posts: 74
Tinkster:

Thanks for your post. When I typed "iptables -F" I lost my connection to my box (i connect with putty). I had to go and type "/etc/rc.d/rc.firewall" at the terminal to be able to reconnect with putty.

I think that I will now go and read up on how iptables works, as my ignorance is bothering me!!

Please let me know if you know of a good beginners guide. I'll hit the web first, then the man pages (which can be hard to comprehend).

Thanks again!
 
08-06-2004, 04:12 PM   #7
Charalambos (Member)
Registered: Aug 2004
Location: Switzerland
Distribution: debian
Posts: 149
http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/
 
08-06-2004, 04:41 PM   #8
foo_bar_foo (Senior Member)
Registered: Jun 2004
Posts: 2,553
Quote:
Originally posted by plan9
Tinkster:

When I typed "iptables -F" I lost my connection
yea
this stuff is easy -- all you need is "man iptables" to figure it out
look at what i put
-Z zero out the counters (default filter table)
-F flush the rules (default filter table)
-F flush the rules for (-t = table) nat and mangle tables
note that modern kernels have three other built-in chains for mangle that go unused by me but possibly i should have included them as well in my stop script !
then:
-X delete the chain
-P now i have to set some new policies
namely that INPUT FORWARD and OUTPUT should function normally (default filter table)

like magic -- firewall filtering is stopped and full functionality is restored
 
08-06-2004, 05:40 PM   #9
Tinkster (Moderator)
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11
Quote:
Originally posted by plan9
Tinkster:

Thanks for your post. When I typed "iptables -F" I lost my connection to my box (i connect with putty). I had to go and type "/etc/rc.d/rc.firewall" at the terminal to be able to reconnect with putty.
Sorry about that, I didn't think you'd be using a NATed
connection but rather be on the local network or even
console when you asked. And yes, if the machine you're
talking to is on an interface that is being handled by the
firewall (which NATing is) you'll fall off, too, when you
turn the firewall off :)



Cheers,
Tink
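Putting the thread together (foo_bar_foo's stop script in #3, plan9's rc.firewall in #4, and Tinkster's explanation in #9 of why a bare "iptables -F" dropped the putty session), here is an added start/stop/restart wrapper in the style of a Slackware /etc/rc.d/rc.firewall. It is example code written for this page, not anything posted in the thread: the iptables path (/sbin/iptables) and the public interface (eth0) are assumed placeholders, and the ip_forward toggle from #3 is left out. The point it demonstrates is ordering: on start, the ACCEPT rules go in before the DROP policies, and on stop, the policies go to ACCEPT before the tables are flushed, so an admin logged in over ssh is never cut off in either direction. Setting DRY_RUN=1 prints the iptables invocations instead of running them, which is also how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not from the thread: start/stop/restart wrapper in the style
# of a Slackware /etc/rc.d/rc.firewall. Assumed placeholders: iptables lives
# at /sbin/iptables and the public interface is eth0.
# DRY_RUN=1 prints the iptables commands instead of executing them.

IPTABLES=/sbin/iptables

# Execute (or, when DRY_RUN=1, print) one iptables invocation.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# Rules first, DROP policies last: an admin logged in over ssh keeps the
# session because the ESTABLISHED rule exists before anything is dropped.
fw_start() {
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
    run -P INPUT DROP
    run -P FORWARD DROP
}

# ACCEPT policies *before* flushing. After -F the policy is all that is left,
# and a leftover DROP policy is exactly what cut plan9's putty session.
fw_stop() {
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
    for table in filter nat mangle; do
        run -t "$table" -F    # flush every built-in chain of the table
        run -t "$table" -X    # delete the (now empty) user-defined chains
        run -t "$table" -Z    # zero the packet/byte counters
    done
}

# Dispatch only when an action is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        restart) fw_stop && fw_start ;;
        *) echo "usage: $0 {start|stop|restart}" >&2; exit 1 ;;
    esac
fi
```

Run it as /etc/rc.d/rc.firewall stop or restart; since start only appends rules, use restart rather than a second start to avoid duplicate entries. After either action, iptables -L -n -v shows the policies in each chain header, which is the quickest way to confirm that stop really left INPUT at ACCEPT rather than DROP.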
All times are GMT -5.