Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1 | 07-05-2006, 09:01 AM | LQ Newbie (Registered: Jul 2006, Posts: 1)
iptables won't stay off
I have tried and tried to get iptables to stop, but it persists in staying on. I tried service iptables stop, but that only works for fifteen minutes or so. I looked at cron. Basically, I can't access my FTP, POP, or SMTP servers. I checked iptables to see if the ports are open. They are. I tried nmap from localhost, and they were open. Then I tried from work; nmap can't scan the server. Ports 80, 443, and 8443 work fine. When I try service iptables stop, I can access my ftp and pop servers, but only for about fifteen minutes. Is there any other way to turn iptables off?
#2 | 07-05-2006, 09:35 AM | Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
What distro are you using?
Quote:
Is there any other way to turn iptables off?
You could try removing the iptables modules with rmmod, but that isn't really addressing the issue of why it's getting restarted in the first place.
#3 | 07-07-2006, 08:51 PM | win32sux, LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
welcome to LQ!!!
while you figure out what exactly is restarting your iptables (kinda weird), this script will reset your iptables configuration so that it doesn't firewall anything:
Code:
#!/bin/sh
IPT="/sbin/iptables"
# flush every rule in the filter, nat and mangle tables
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
# delete all user-defined chains in those tables
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# set the default policy of every built-in chain to ACCEPT
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
after running the script, do an "iptables-save" or whatever distro-specific saving method you use... this way when iptables is reloaded, it still won't be filtering anything... make sure you have forwarding disabled in your sysctl.conf...
once again, this is just meanwhile you figure out what's going on, cuz it is indeed very weird to have your iptables get reloaded after a while automatically... perhaps you have some script which runs some iptables rules upon a certain event?? what do the rules look like when they get activated on their own after having cleared all your chains with my script above??
Last edited by win32sux; 07-07-2006 at 08:53 PM.
#4 | 07-07-2006, 08:57 PM | w3bd3vil, Senior Member (Registered: Jun 2006, Location: Hyderabad, India, Distribution: Fedora, Posts: 1,191)
try this
Code:
service iptables stop
chkconfig iptables off
#5 | 07-07-2006, 09:06 PM | win32sux, LQ Guru (Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870)
Quote:
Originally Posted by w3bd3vil
try this
service iptables stop
chkconfig iptables off
hi w3bd3vil... I'm not very familiar with redhat-based distros, so forgive me if this is a silly question: does chkconfig have some kinda functionality that would start the iptables service after a certain time?? cuz if so, then that's likely what was happening to the OP...
#6 | 07-07-2006, 11:47 PM | Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Quote:
does chkconfig have some kinda functionality that would start the iptables service after a certain time??
Not that I'm aware of. It controls which services are started at boot and is basically a front-end for the /etc/rc.d/ startup scripts. Other than a home-brew cron job, the only time-based monitor/control I can think of that would be turning on services is Mandrake/Mandriva's msec.
#7 | 07-25-2006, 04:02 AM | Member (Registered: Nov 2004, Distribution: Fedora Core 2, Posts: 330)
Hi!
I just tried again. It failed after 15 mins and I checked the rule by iptables -L. It does show the rule is the one I loaded. It didn't reload to the original rules.
Apparently the script I had failed to work after 15 mins... why after some time, why not just not work right after I loaded it... weird...
#8 | 07-25-2006, 06:58 PM | Senior Member (Registered: Mar 2003, Distribution: Fedora, Posts: 3,658)
Are you using any rules in your script that contain hostnames rather than IP addresses? What type of internet connection do you have (cable/dsl/dialup)? Is it a dynamic connection (does the IP change every so often) or is the IP address static? Is the box connected directly to the internet or is there some type of router in between?
Also, do a test: Rerun your iptables script and wait until it stops working. At that point make note of the iptables rules using:
Code:
iptables -vnL > iptables-before
Now re-run your script. If the connection starts working, then make another note of the iptables rules with:
Code:
iptables -vnL > iptables-after
Now compare the two iptables outputs and look for any differences (especially in IP addresses).
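One way to run that before/after comparison continuously, as an added example that is not code from the thread: a small POSIX sh script that dumps the rules with iptables-save, ignores the packet/byte counters, and writes a diff to syslog the moment the rule set changes, so the log timestamp shows exactly when the reload fires. It assumes iptables-save and logger are installed; STATE_DIR is a made-up location, and the sample dumps at the bottom are constructed for offline testing.

```sh
#!/bin/sh
# Added example, not from the thread: record when the iptables rules change,
# with the exact diff, so the reload the OP is chasing leaves a timestamp.
# Assumes iptables-save and logger exist; STATE_DIR is a made-up location.
STATE_DIR="${STATE_DIR:-/var/tmp/ipt-watch}"
# normalize_rules: filter iptables-save output on stdin, dropping the
# timestamp comments and the [packets:bytes] counters, so that ordinary
# traffic does not look like a rule change.
normalize_rules() {
    grep -v '^#' | sed -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//'
}

# rules_differ BEFORE AFTER: succeed only when the two dumps differ once
# counters and comments are ignored.
rules_differ() {
    [ "$(normalize_rules < "$1")" != "$(normalize_rules < "$2")" ]
}

# watch_once: dump the live rules, compare with the previous dump and send
# the diff to syslog when something changed. Needs root; run it from cron
# every minute and the log entry's time pins down the reload.
watch_once() {
    mkdir -p "$STATE_DIR"
    iptables-save > "$STATE_DIR/raw" || return 1
    normalize_rules < "$STATE_DIR/raw" > "$STATE_DIR/current"
    if [ -f "$STATE_DIR/last" ] && rules_differ "$STATE_DIR/last" "$STATE_DIR/current"; then
        logger -t ipt-watch "iptables rules changed at $(date)"
        diff "$STATE_DIR/last" "$STATE_DIR/current" | logger -t ipt-watch
    fi
    mv "$STATE_DIR/current" "$STATE_DIR/last"
}
# Constructed sample dumps (not real captures) to exercise the helpers offline.
SAMPLE_OPEN='# Generated by iptables-save on Tue Jul 25 18:58:00 2006
*filter
:INPUT ACCEPT [120:9000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [130:8800]
COMMIT'
# Same rules, only the counters and timestamp moved: must not count as a change.
SAMPLE_OPEN_LATER=$(printf '%s\n' "$SAMPLE_OPEN" | sed -e 's/18:58/19:13/' -e 's/120:9000/450:31000/')
# INPUT policy flipped to DROP and a rule added: the kind of reload being hunted.
SAMPLE_RELOADED='# Generated by iptables-save on Tue Jul 25 19:13:00 2006
*filter
:INPUT DROP [5:300]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [140:9100]
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT'
if [ "${1:-}" = run ]; then watch_once; fi
```

Install it as a root cron entry such as `* * * * * /path/to/ipt-watch.sh run`; the first syslog line after the firewall comes back tells you the minute in which the reload happened, which is the window to search cron, at and the init scripts for.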
#9 | 07-25-2006, 07:39 PM | Member (Registered: Apr 2005, Location: Canada, Distribution: Slackware, Posts: 496)
This has always worked as my "stop firewall" script.
Code:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
Sounds like there might be some process that is trying to reset the iptables every so often.
#10 | 07-28-2006, 03:35 PM | Member (Registered: Aug 2004, Location: India, Distribution: Redhat 9.0, FC3, FC5, FC10, Posts: 257)
Hmm, now this might sound off topic... but you might want to do a grep to find out where all you have the words "iptables -L" in your files... from there you can narrow down your searches to where all you don't want iptables to be there...
Also look at the "at" scheduler files as well just in case you've set something there...