POLL RESULTS: Do you use a firewall on dedicated Linux / BSD box?

Posted on in Categories Poll last updated November 24, 2007

In last month's reader poll I asked about firewalls on dedicated UNIX / Linux boxes.

Poll Result: Do you use a firewall on dedicated Linux / BSD box?

Do we really need a firewall?

Personally, I install a firewall on all boxes to filter out unwanted junk and IPs, even if the box is only running a public service such as a web server. The overall idea is to limit access and reduce the liability on my part if the server gets rooted (read: compromised). Remember, bad boys never play by the rules.

No Route to Host error and solution

Posted on in Categories Debian Linux, Gentoo Linux, Linux, Networking, RedHat/Fedora Linux, Tips, Troubleshooting, Ubuntu Linux last updated October 16, 2007

I am getting an error that reads "No Route to Host". I am trying to ping my ISP gateway as well as the DNS server but I am getting this error. How do I solve this problem?

This problem indicates a networking conflict or some sort of network configuration problem.

Here are things to check:

a) Can you ping your local router interface (such as

Make sure your card (eth0) is properly configured with the correct IP address and router address. Use the ifconfig command to configure the IP address and the route command to set up the correct router address. If you prefer to use GUI tools:

  • redhat-config-network – works on Red Hat, Fedora Linux and CentOS.
  • network-admin – Debian and other Linux distributions use this GUI tool.

Use the above two GUI tools to set up the correct IP address, DNS address and router address.

b) Make sure the firewall is not blocking your access

iptables is the default firewall on Linux. Run the following command to see what iptables rules are set up:
# /sbin/iptables -L -n

You can temporarily clear all iptables rules so that you can troubleshoot the problem. If you are using Red Hat or Fedora Linux, type the commands:
# /etc/init.d/iptables save
# /etc/init.d/iptables stop

If you are using another Linux distribution, type the following commands:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

c) Finally, make sure you are using a router and not a proxy server. Proxy servers are good for Internet browsing but not for other work such as ftp, sending ICMP requests and so on.
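The checks above can be run as one script. The following is an added example, not code from the original post: it parses the default gateway out of the routing table, pings it, and dumps the iptables rules and any proxy variables. It assumes the iproute2 "ip" tool, "ping" and "iptables" are installed, that the interface is eth0 unless another is given, and the sample route table embedded below is constructed for testing the parser offline.

```shell
#!/bin/sh
# Added example (not from the original post): run checks a) and b) above on a
# Linux host and report what is wrong. Assumes the iproute2 "ip" tool, "ping"
# and "iptables" are installed and that the interface is eth0 unless given.

# Print the default gateway found in "ip route show" text read from stdin,
# or nothing when there is no default route at all.
gateway_from_routes() {
    awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
    }'
}

# Check a): does the card have an address and can we reach the router?
# Check b): are there iptables rules that may be dropping the traffic?
# Check c): ping and ftp never go through a browser proxy, so a proxy
# variable on its own does not explain a working browser and a failing ping.
diagnose() {
    iface="${1:-eth0}"
    echo "== IPv4 address on $iface =="
    ip -4 addr show dev "$iface" || { echo "interface $iface not found"; return 1; }

    gw=$(ip route show | gateway_from_routes)
    if [ -z "$gw" ]; then
        echo "no default route: add one, e.g. route add default gw <router-ip>"
        return 1
    fi
    echo "== pinging default gateway $gw =="
    if ! ping -c 3 -W 2 "$gw" >/dev/null 2>&1; then
        echo "gateway $gw unreachable: check cable, IP address and netmask on $iface"
    fi

    echo "== iptables rules (empty chains with policy ACCEPT block nothing) =="
    iptables -L -n -v
    echo "== proxy variables =="
    env | grep -i '_proxy=' || echo "(none set)"
}

# Constructed sample of "ip route show" output, used to exercise the parser
# without touching the live routing table.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10'

# Usage on a live host (as root): sh noroute-check.sh run [interface]
if [ "${1:-}" = "run" ]; then
    diagnose "${2:-eth0}"
fi
```

The parser is kept separate from the live commands so it can be exercised against captured output; if the gateway ping fails while the address and route look right, the next place to look is the iptables listing that the script prints last.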

Linux Cutting the tcp/ip network connection with cutter command

Posted on in Categories CentOS, Debian Linux, Gentoo Linux, GNU/Open source, Howto, Linux, Monitoring, Networking, RedHat/Fedora Linux last updated September 29, 2007

Recently I came across a very powerful and nifty tool called cutter. Imagine that people on your private network are using peer-to-peer (P2P) software such as Kazaa, iMesh or others and you want to cut them off, or you just want to cut all ftp connections passing over your firewall without cutting all traffic to the host. Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand.

cutter utility

In the following sample network diagram a client workstation is sending ftp, http and ssh traffic through a (Linux based) router to servers outside our network, and you would like to cut the ftp traffic without interrupting the other connections. So how do you block and cut that traffic? Simply use the cutter utility.

client ->    Linux firewall -> Internet --> Servers
FTP    ->  -> Internet --> FTP Server
HTTP   ->  -> Internet --> HTTP Server
SSH    ->  -> Internet --> SSH Server

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over a Linux based firewall. This tool is very handy in situations such as:

  • Terminating connections such as SSH tunnels or VPNs left open by your own users
  • Aborting crackers' attacks as soon as they are detected
  • Killing high-bandwidth connections
  • Killing peer-to-peer traffic, etc.

How do I use cutter command?

Use apt-get to install cutter on a Debian / Ubuntu Linux firewall:
# apt-get install cutter

1) Log in to your iptables based firewall router

2) Identify the connection you want to cut (use netstat or tcpdump)

3) Use the cutter command as follows:
cutter {IP-address} {Port}

Cut all connections from to server
# cutter

Cut all ssh connections from to server
# cutter 22

Cut all ssh connections from to ssh server
# cutter 22

Please note that cutter has been designed for use as an administrator's tool for Linux firewalls; do not use this tool for malicious purposes. For more information about this tool and how it actually works (it terminates a connection by sending a FIN -> ACK -> RST sequence of packets), see the official web site.
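Step 2 above says to find the connection with netstat, but on a router netstat only lists the firewall's own sockets; connections being forwarded through it live in the conntrack table (/proc/net/nf_conntrack, or /proc/net/ip_conntrack on older kernels). The script below is an added example, not part of the original post or of the cutter project: it reads conntrack output, picks the ESTABLISHED TCP flows whose destination port matches, and prints the matching "cutter {IP-address} {Port}" command for each client, one per client, without running anything. The conntrack lines embedded in it are constructed samples, and the 192.168.1.x and 203.0.113.x addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the cutter project): turn the
# conntrack table into the cutter invocations of step 3. Only prints commands;
# nothing is cut unless you run the printed lines yourself on the firewall.

# Read conntrack output on stdin and print "cutter <client-ip> <port>" once
# per client that has an ESTABLISHED TCP connection to port $1.
# Both the new (ipv4 2 tcp 6 ...) and old (tcp 6 ...) line formats are handled;
# the first src=/dst=/dport= triple on a line is the original direction,
# i.e. client -> server.
cutter_commands_for_port() {
    port="$1"
    awk -v port="$port" '
        ($1 == "tcp" || $3 == "tcp") {
            src = ""; dport = ""; est = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "ESTABLISHED") est = 1
                split($i, kv, "=")
                if (kv[1] == "src" && src == "") src = kv[2]
                else if (kv[1] == "dport" && dport == "") dport = kv[2]
            }
            # de-duplicate: one cutter line per client, however many flows it has
            if (est && dport == port && !seen[src]++) print "cutter " src " " port
        }'
}

# Live helper: read the conntrack table from whichever path this kernel uses.
live_conntrack() {
    cat /proc/net/nf_conntrack 2>/dev/null || cat /proc/net/ip_conntrack
}

# Constructed sample conntrack table: two ftp flows and one time-wait flow
# from the LAN to 203.0.113.5, one ssh flow to 203.0.113.7, and a DNS query.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51234 dport=21 src=203.0.113.5 dst=192.168.1.10 sport=21 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51240 dport=21 src=203.0.113.5 dst=192.168.1.10 sport=21 dport=51240 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=203.0.113.7 sport=40001 dport=22 src=203.0.113.7 dst=192.168.1.11 sport=22 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=192.168.1.12 dst=203.0.113.5 sport=40002 dport=21 src=203.0.113.5 dst=192.168.1.12 sport=21 dport=40002 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=2'

# Usage on the firewall (as root): sh cutter-list.sh run 21
# Prints e.g. "cutter 192.168.1.10 21" for the sample table.
if [ "${1:-}" = "run" ]; then
    live_conntrack | cutter_commands_for_port "${2:-21}"
fi
```

Printing rather than executing keeps a human in the loop: review the list, then paste the lines you actually want. TIME_WAIT entries are skipped because that connection is already closed and cutter has nothing left to abort.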

Update: As pointed out by Mina Naguib you can also use tcpkill command for same purpose.

How to: Linux flush or remove all iptables rules

Posted on in Categories Debian Linux, Howto, Iptables, Linux, Networking, RedHat/Fedora Linux, Ubuntu Linux last updated January 8, 2016

Here is a small script that does this. Debian or Ubuntu GNU/Linux does not come with any SysV init script for iptables (located in the /etc/init.d directory). Create a script as follows and use it to stop or flush the iptables rules. Please don't type the rules at the command prompt; use the script to speed up the work.

Warning: All the commands must be executed with root privileges.

Procedure for Debian / Ubuntu Linux (Generic method)

First, create /root/fw.stop script using text editor such as vi:

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
ipt=/sbin/iptables
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
## Reset the default policies first, otherwise a DROP policy keeps
## blocking everything once the rules are gone
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
## Flush (-F) all rules and delete (-X) all user-defined chains in every table
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop

Run the script as root user:
# /root/fw.stop

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
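Reading the listing by eye works for three chains, but a script can do the same check every time the firewall is stopped. The following is an added example, not code from the original post: it reads "iptables -L -n -v" output and reports any chain whose policy is not ACCEPT, any user-defined chain that -X did not remove, and any rule line that survived the flush. The two listings embedded in it are constructed samples (the first matches the flushed output above).

```shell
#!/bin/sh
# Added example (not from the original post): verify that the flush script
# really left the firewall wide open. Reads "iptables -L -n -v" output on
# stdin; returns 0 when nothing is left, otherwise prints the leftovers
# and returns 1.
check_flushed() {
    awk '
        BEGIN { bad = 0 }
        /^Chain / {
            chain = $2
            if ($3 == "(policy") {
                # built-in chain: a DROP/REJECT policy still blocks with no rules
                if ($4 != "ACCEPT") { print "chain " chain " still has policy " $4; bad = 1 }
            } else {
                # "Chain foo (N references)": user-defined chain -X should have removed
                print "user-defined chain " chain " still exists"; bad = 1
            }
            next
        }
        /^ *pkts +bytes +target/ { next }   # column header line
        NF == 0 { next }                    # blank separator between chains
        { print "rule left in chain " chain ": " $0; bad = 1 }
        END { exit bad }
    '
}

# Live check on the host (as root).
verify_live() {
    iptables -L -n -v | check_flushed
}

# Constructed sample 1: what the listing looks like right after /root/fw.stop.
FLUSHED='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample 2: a DROP policy, a surviving rule and a user chain.
LEFTOVER='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  2400 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain mychain (1 references)
 pkts bytes target     prot opt in     out     source               destination'

# Usage on a live host (as root): sh fw-verify.sh run
if [ "${1:-}" = "run" ]; then
    verify_live && echo "firewall is flushed: all chains empty, policy ACCEPT"
fi
```

The policy check matters most: "iptables -F" alone does not touch the chain policy, so a host that booted with "-P INPUT DROP" stays closed after a flush unless the policy is reset as well.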

A note for RedHat (RHEL), CentOS and friends Linux users

Please note that RedHat Enterprise Linux (RHEL), Fedora and CentOS Linux come with a pre-installed rc.d script, which can be used to stop the firewall; enter:
# /etc/init.d/iptables stop
# service iptables stop

A note about firewalld for CentOS 7 / Fedora (latest) / RedHat Enterprise Linux 7.x+ users

Type the following command to stop firewalld and flush all of its rules:
# systemctl stop firewalld

Virtuozzo iptables firewall

Posted on in Categories CentOS, Howto, Iptables, Linux, RedHat/Fedora Linux last updated October 2, 2007

Recently I got a chance to play with a Virtuozzo VPS. The good news is that they are good at reducing cost; the bad news (as of Dec-04, 2004) is that they do not support the full iptables rule set, such as --state and --log. After spending more than 4 hours I was able to set up a simple but effective firewall on a Red Hat Enterprise Linux Virtuozzo VPS. Here is the script. Make sure you customize it for your environment.