Here’s an explanation of how to disable iptables/ip6tables or clear iptables/ip6tables policies.
The following are the default iptables/ip6tables policy settings on CentOS 6.
iptables
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ip6tables
# ip6tables -L -n 
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED 
ACCEPT     icmpv6    ::/0                 ::/0 
ACCEPT     all      ::/0                 ::/0 
ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:22 
REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
[ clear iptables/ip6tables policies temporarily ]
Flush the iptables/ip6tables rules. Note that -F removes the rules but leaves each chain's default policy as it is; the result is "permit any" here only because the default policies are ACCEPT.
# iptables -F
# ip6tables -F
# iptables -L -n
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
# ip6tables -L -n
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
If you restart iptables, ip6tables or the OS, the policies go back to the default settings,
because iptables/ip6tables load the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files when booting.
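A check worth running before the flush above, as an added example that is not from the original post: -F removes rules but does not touch chain policies, so flushing gives "permit any" only when every built-in chain already has policy ACCEPT; with a DROP policy it would cut off the SSH session used to run it. The script parses `iptables -L -n` output, refuses to flush when a policy is not ACCEPT, and saves the rules first. The backup path under /root and the two sample listings (the post's CentOS 6 defaults, plus a constructed DROP variant) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check chain policies before
# running `iptables -F`. Flushing removes rules but leaves each chain's
# default policy untouched, so the result is "permit any" only when every
# policy is ACCEPT.

# Read `iptables -L -n` / `ip6tables -L -n` output on stdin. Print the name of
# every chain whose policy is not ACCEPT; exit 0 if all policies are ACCEPT,
# 1 otherwise. User-defined chains ("Chain foo (1 references)") carry no
# policy and are skipped.
non_accept_chains() {
    awk '$1 == "Chain" && $3 == "(policy" {
             policy = $4; sub(/\)$/, "", policy)
             if (policy != "ACCEPT") { print $2; bad = 1 }
         }
         END { exit bad ? 1 : 0 }'
}

# Count rule lines in the same output (everything except chain and column headers).
rule_count() {
    awk '$1 != "Chain" && $1 != "target" && NF > 0 { n++ } END { print n + 0 }'
}

# Live use (requires root): save the rules to a backup file, then flush only
# when every policy is ACCEPT. $1 is iptables or ip6tables; $2 the backup path
# (the default under /root is an assumed location).
flush_if_safe() {
    tool=${1:-iptables}
    backup=${2:-/root/$tool.save.$(date +%Y%m%d%H%M%S)}
    listing=$("$tool" -L -n) || return 1
    if ! printf '%s\n' "$listing" | non_accept_chains; then
        echo "$tool: a chain policy is not ACCEPT; refusing to flush" >&2
        return 1
    fi
    "${tool}-save" > "$backup" || return 1
    "$tool" -F
}

# Constructed sample 1: the CentOS 6 default listing from the post.
SAMPLE_DEFAULT=$(cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
)

# Constructed sample 2: a host whose INPUT policy is DROP (not from the post).
SAMPLE_DROP=$(cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
)

for sample in "$SAMPLE_DEFAULT" "$SAMPLE_DROP"; do
    if printf '%s\n' "$sample" | non_accept_chains; then
        echo "all policies ACCEPT; flushing $(printf '%s\n' "$sample" | rule_count) rules gives permit-any"
    else
        echo "a chain policy is not ACCEPT; flushing alone would not give permit-any"
    fi
done
```

On a live host, `flush_if_safe ip6tables` does the same check for the IPv6 table; the saved file can be reloaded later with ip6tables-restore.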
# cat /etc/sysconfig/iptables 
# Firewall configuration written by system-config-firewall 
# Manual customization of this file is not recommended. 
*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT 
# cat /etc/sysconfig/ip6tables 
# Firewall configuration written by system-config-firewall 
# Manual customization of this file is not recommended. 
*filter 
:INPUT ACCEPT [0:0] 
:FORWARD ACCEPT [0:0] 
:OUTPUT ACCEPT [0:0] 
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
-A INPUT -p ipv6-icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited 
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited 
COMMIT 
iptables loads /etc/sysconfig/iptables when the OS boots or when iptables is restarted.
# /etc/init.d/iptables restart 
# iptables -L -n
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
[ disable iptables/ip6tables permanently ]
1. Stop the iptables/ip6tables services and disable them at boot
# /etc/init.d/iptables stop 
# /etc/init.d/ip6tables stop 
# chkconfig iptables off 
# chkconfig ip6tables off 
2. Apply a "permit any" policy (without disabling the iptables service)
Back up the current configuration
# pwd 
/etc/sysconfig 
# cp iptables org.iptables 
# cp ip6tables org.ip6tables 
Delete the policies by emptying the configuration files
# echo > iptables 
# echo > ip6tables 
Restart iptables/ip6tables so the emptied files are loaded
# /etc/init.d/iptables restart 
# /etc/init.d/ip6tables restart 
# iptables -L -n 
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
# ip6tables -L -n 
Chain INPUT (policy ACCEPT) 
target     prot opt source               destination 
Chain FORWARD (policy ACCEPT) 
target     prot opt source               destination 
Chain OUTPUT (policy ACCEPT) 
target     prot opt source               destination 
# 
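For step 2 above, a way to confirm what a /etc/sysconfig/iptables file will load before restarting the service, as an added example that is not from the original post: the script summarizes a file in iptables-save format (table, built-in chain policies, rule count), so you can check that the backup copy still holds the original rules and that the replacement is really "permit any". The explicit permit-any ruleset it prints is this example's own alternative to the empty file created with `echo > iptables`; the sample file content is the post's default /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example (not from the original post): summarize a rules file in the
# /etc/sysconfig/iptables (iptables-save) format before loading it.

# Print one line per table: "table=NAME INPUT=POLICY FORWARD=POLICY OUTPUT=POLICY rules=N".
# Reads iptables-save format on stdin; an empty file prints nothing at all.
describe_ruleset() {
    awk '
        /^#/ || NF == 0 { next }                          # comments and blank lines
        /^\*/ { table = substr($1, 2); n = 0; for (k in pol) delete pol[k]; next }
        /^:/  { pol[substr($1, 2)] = $2; next }           # ":INPUT ACCEPT [0:0]"
        /^-A / { n++; next }
        /^COMMIT/ {
            printf "table=%s INPUT=%s FORWARD=%s OUTPUT=%s rules=%d\n",
                   table, pol["INPUT"], pol["FORWARD"], pol["OUTPUT"], n
        }'
}

# Exit 0 only if the file defines at least one table and every table has
# ACCEPT policies with no rules. An empty file fails this check: it sets
# nothing, so the policies in effect are whatever the kernel already has.
is_permit_any() {
    describe_ruleset | awk '
        { seen = 1 }
        $2 != "INPUT=ACCEPT" || $3 != "FORWARD=ACCEPT" || $4 != "OUTPUT=ACCEPT" || $5 != "rules=0" { bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# An explicit permit-any filter table (this example's choice): the same effect
# as the empty file the post creates, but it states the ACCEPT policies.
permit_any_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' 'COMMIT'
}

# Constructed sample: the default /etc/sysconfig/iptables shown in the post.
ORIGINAL=$(cat <<'EOF'
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

echo "backup:      $(printf '%s\n' "$ORIGINAL" | describe_ruleset)"
echo "replacement: $(permit_any_ruleset | describe_ruleset)"
if permit_any_ruleset | is_permit_any; then echo "replacement is permit-any"; fi
if ! printf '' | is_permit_any; then echo "an empty file sets no policy of its own"; fi
```

On a live host, `describe_ruleset < /etc/sysconfig/org.iptables` checks the backup and `permit_any_ruleset > /etc/sysconfig/iptables` writes the explicit replacement before the restart in the step above.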