LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-05-2006, 09:01 AM   #1
patrickdavis
LQ Newbie
 
Registered: Jul 2006
Posts: 1

Rep: Reputation: 0
iptables won't stay off


I have tried and tried to get iptables to stop, but it persists in staying on. I tried service iptables stop, but that only works for fifteen minutes or so. I looked at cron. Basically, I can't access my FTP, POP, or SMTP servers. I checked iptables to see if the ports are open. They are. I tried nmap from localhost, and they were open. Then I tried from work; nmap can't scan the server. Ports 80, 443, and 8443 work fine. When I try service iptables stop, I can access my FTP and POP servers, but only for about fifteen minutes. Is there any other way to turn iptables off?
 
Old 07-05-2006, 09:35 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What distro are you using?

Quote:
Originally Posted by patrickdavis
Is there any other way to turn iptables off?
You could try removing the iptables modules with rmmod, but that isn't really addressing the issue of why it's getting restarted in the first place.
 
Old 07-07-2006, 08:51 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
welcome to LQ!!!

while you figure out what exactly is restarting your iptables (kinda weird), this script will reset your iptables configuration so that it doesn't firewall anything:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# flush every rule in the filter, nat and mangle tables
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# delete any user-defined chains that are now empty
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# set the built-in chains to accept everything by default
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
after running the script, do an "iptables-save" or whatever distro-specific saving method you use... this way when iptables is reloaded, it still won't be filtering anything... make sure you have forwarding disabled in your sysctl.conf...

once again, this is just meanwhile you figure out what's going on, cuz it is indeed very weird to have your iptables get reloaded after a while automatically... perhaps you have some script which runs some iptables rules upon a certain event?? what do the rules look like when they get activated on their own after having cleared all your chains with my script above??

Last edited by win32sux; 07-07-2006 at 08:53 PM.
 
Old 07-07-2006, 08:57 PM   #4
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
try this

Code:
service iptables stop
chkconfig iptables off
 
Old 07-07-2006, 09:06 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by w3bd3vil
try this

service iptables stop
chkconfig iptables off
hi w3bd3vil... i'm not very familiar with redhat-based distros, so forgive me if this is a silly question: does chkconfig have some kinda functionality that would start the iptables service after a certain time?? cuz if so, then that's likely what was happening to the OP...
 
Old 07-07-2006, 11:47 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
does chkconfig have some kinda functionality that would start the iptables service after a certain time??
Not that I'm aware of. It controls which services are started at boot and is basically a front-end for the /etc/rc.d/ startup scripts. Other than a home-brew cron job, the only time-based monitor/control I can think of that would be turning on services is Mandrake/Mandriva's msec.
 
Old 07-25-2006, 04:02 AM   #7
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Rep: Reputation: 30
Hi !

I just tried again. It failed after 15 mins and I checked the rule by iptables -L. It does show the rule is the one I loaded. It didn't reload to the original rules.

Apparently the script I had failed to work after 15 mins... why after some time, why not just not work right after I loaded it... weird...
 
Old 07-25-2006, 06:58 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Are you using any rules in your script that contain hostnames rather than IP addresses? What type of internet connection do you have (cable/DSL/dialup)? Is it a dynamic connection (does the IP change every so often) or is the IP address static? Is the box connected directly to the internet or is there some type of router in between?

Also, do a test: Rerun your iptables script and wait until it stops working. At that point make note of the iptables rules using:

iptables -vnL > iptables-before

Now re-run your script. If the connection starts working, then make another note of the iptables rules with:

iptables -vnL > iptables-after

Now compare the two iptables outputs and look for any differences (especially in IP addresses).
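A small helper for the before/after comparison suggested above, added here as an example and not code from the thread: it strips the packet and byte counters from two "iptables -vnL" captures (they change on every capture even when the rules do not) so the diff only shows genuine rule or policy changes. The sample captures are constructed, not real output from the OP's box.

```shell
#!/bin/sh
# Added example (not code from the thread): compare two "iptables -vnL"
# captures taken before and after the firewall "comes back", as suggested
# above, with the packet/byte counters stripped so that only real rule or
# policy changes show up in the diff.

# normalize FILE: drop the per-rule pkts/bytes columns and the policy counters,
# which differ on every capture even when the rules themselves are identical.
normalize() {
    sed -E -e 's/^ *[0-9]+[KMG]? +[0-9]+[KMG]? +//' \
           -e 's/ [0-9]+[KMG]? packets, [0-9]+[KMG]? bytes//' \
           -e 's/ +$//' "$1"
}

# rule_diff BEFORE AFTER: print the changed lines; return 0 when the rulesets
# match and 1 when they differ (the same convention diff itself uses).
rule_diff() {
    tmp_b=$(mktemp) && tmp_a=$(mktemp) || return 2
    normalize "$1" > "$tmp_b"
    normalize "$2" > "$tmp_a"
    if diff "$tmp_b" "$tmp_a"; then rc=0; else rc=1; fi
    rm -f "$tmp_b" "$tmp_a"
    return $rc
}

# Constructed sample captures (not real output from the OP's box): the ftp
# rule was loaded from a hostname that later resolved to a different address,
# and the counters moved as well. Only the address change should be reported.
write_samples() {
    cat > "$1" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 ACCEPT     tcp  --  *      *       10.0.0.5             0.0.0.0/0            tcp dpt:21
    7   420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
EOF
    cat > "$2" <<'EOF'
Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       10.0.0.9             0.0.0.0/0            tcp dpt:21
   13   780 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
EOF
}

# Stand-alone use: "rule_diff iptables-before iptables-after"; --demo runs it
# on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    write_samples /tmp/iptables-before /tmp/iptables-after
    rule_diff /tmp/iptables-before /tmp/iptables-after
fi
```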
 
Old 07-25-2006, 07:39 PM   #9
Vgui
Member
 
Registered: Apr 2005
Location: Canada
Distribution: Slackware
Posts: 496

Rep: Reputation: 31
This has always worked as my "stop firewall" script.

Code:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
Sounds like there might be some process that is trying to reset the iptables every so often.
 
Old 07-28-2006, 03:35 PM   #10
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Hmm, now this might sound off topic... but you might want to do a grep to find out where all you have the words "iptables -L" in your files.... from there you can narrow down your searches to where all you don't want iptables to be there...

Also look at the "at" scheduler files as well, just in case you've set something there....
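The grep idea above, turned into a reusable check (an added example, not code from the thread): it scans the usual cron, at and startup locations for non-comment lines that run iptables, and takes directory arguments so it can be pointed at a test tree. The sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread): list every file under the usual
# cron, at and startup locations that runs iptables, following the grep idea
# above. Directories can be given as arguments so the function can be pointed
# at a test tree; the defaults are the places a scheduled job or init script
# would normally live (reading /var/spool needs root).
DEFAULT_DIRS="/etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily"
DEFAULT_DIRS="$DEFAULT_DIRS /var/spool/cron /var/spool/at /etc/rc.d /etc/init.d /etc/rc.local"

# find_firewall_loaders [DIR...]: print "file:line:text" for each non-comment
# line that mentions iptables, iptables-restore or the iptables service.
find_firewall_loaders() {
    [ $# -gt 0 ] || set -- $DEFAULT_DIRS
    for d in "$@"; do
        [ -e "$d" ] || continue
        # -I skips binaries, -H always prefixes the file name, -n the line number
        grep -rIHn -E '(^|[^[:alnum:]_-])(iptables(-restore)?|service +iptables)' "$d" 2>/dev/null
    done | grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# make_sample_tree DIR: constructed stand-in for /etc with one cron job that
# restores the firewall every 15 minutes, one unrelated cron job, and an init
# script that only mentions iptables in a comment.
make_sample_tree() {
    mkdir -p "$1/cron.d" "$1/init.d"
    printf '*/15 * * * * root /sbin/iptables-restore < /etc/sysconfig/iptables\n' \
        > "$1/cron.d/firewall"
    printf '0 3 * * * root /usr/bin/updatedb\n' > "$1/cron.d/locate"
    printf '#!/bin/sh\n# iptables is handled elsewhere\necho hello\n' > "$1/init.d/other"
}

# Stand-alone use: "--scan [DIR...]" scans the real locations (or the given
# ones); "--demo" builds the sample tree in a temporary directory and scans it.
case "${1:-}" in
    --scan) shift; find_firewall_loaders "$@" ;;
    --demo) t=$(mktemp -d); make_sample_tree "$t"; find_firewall_loaders "$t"; rm -rf "$t" ;;
esac
```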
 
  

