How to: Linux flush or remove all iptables rules

last updated in Categories Debian Linux, Howto, Iptables, Linux, Networking, RedHat/Fedora Linux, Ubuntu Linux

Here is a small script that does this. Debian or Ubuntu GNU/Linux does not comes with any SYS V init script (located in /etc/init.d directory). You create a script as follows and use it to stop or flush the iptables rules. Please don’t type rules at the command prompt. Use the script to speed up work.

Warning: All the commands must be executed with root privileges.

Procedure for Debian / Ubuntu Linux (Generic method)

First, create /root/fw.stop script using text editor such as vi:

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt iptables -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop

Run the script as root user:
# /root/fw.stop

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

A note for RedHat (RHEL), CentOS and friends Linux user

Please note that RedHat Enterprise Linux (RHEL), Fedora and Centos Linux comes with pre-installed rc.d script, which can be used to stop the firewall, enter:
# /etc/init.d/iptables stop
OR
# service iptables stop
Sample outputs:

A note about firewalld on CentOS 7/Fedora (latest)/RedHat Enterprise Linux 7.x+ user

Type the following command to stop and flush all rules:
# systemctl stop firewalld

Virtuozzo iptables firewall

last updated in Categories CentOS, Howto, Iptables, Linux, RedHat/Fedora Linux

Recently I got chance to play with Virtuozzo VPS. Good news is they are good to reduced cost and bad news (as of Dec-04, 2004) they do not support full iptables rule set like –state and –log etc. After spending more than 4+ hrs I was able to setup simple but effective firewall on Red hat enterprise linux Virtuozzo VPS. Here is script. Make sure you customize it for your environment.

How to setup Linux as a router for DSL, T1 line etc

last updated in Categories Howto, Iptables, Linux, Networking, RedHat/Fedora Linux, Tips, Ubuntu Linux

There are a few ways to set up a Linux machine as route. Here is a relatively straight forward and common method. This method requires that the system use iptables for Network Address Translation (NAT).

This step by step small howto will help you to setup Linux router only in 2 minutes.

Configuration steps

=> First enable packet forwarding
=> Next setup Network Address Translation using IPTABLES MASQUERADE targets
=> Save the changes
=> Verify everything is working

I’m assuming that your setup is as follows:
A) You are using any Linux distro

B) eth0 is internet interface (connected to router for example) and eth1 connected to your internal lan (connected to your HUB/Switch for example).

My Linux   eth0  --> Internet
box       eth1  --> Lan

Step # 1 Turn on ip forwarding in kernel

1) Open linux kernel configuration file (you must be a root user or use su – command to become a root user):
# vi /etc/sysctl.conf

2) Add/modify following line:
net.ipv4.ip_forward = 1

Step # 2 Restart network
# /etc/init.d/network restartOR# service network restart

Step # 3 Setup IP forwarding and Masquerading (to act as router), you need to use NAT option of iptables as follows (add following rules to your iptables shell script) :
# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth1 -j ACCEPT

Step # 4 You are done! Test it with ping or dig:
# ping your-isp.com
# dig yahoo.com

Step # 5 Point all desktop client to your eth1 IP address as Router/Gateway. Or use DHCP to distribute this information (recommended)

Step # 6 Put code described in step # 3 to script and call it from /etc/rc.local file.