HowtoForge Forums > Linux Forums > Installation/Configuration
8th November 2008, 11:35
tiamsanit (Junior Member)
flush iptables by accident, cannot remotely connect

Hello, everyone

I have an Internet server which is located at my office. Today I connected remotely via ssh to do some maintenance, but something really bad occurred. I had accidentally executed the iptables -F command, which cut all connections to the server.
Now I cannot even ping my server, so my only solution is to go to the office and use the console for repair, right?

My serious problem is that I have no backup of the iptables rules, so if anyone can help me restore iptables to its original state, or to a default setting suitable for an ISPConfig server, or any safe-to-deploy rules, it will be very much appreciated.

Thanks in advance
9th November 2008, 15:10
falko (Super Moderator)

Have you tried to reboot the system?
29th May 2013, 20:32
cbj4074 (Senior Member)

Even though this thread is old, it is a) unresolved, and b) a very good question that deserves due attention.

We had someone do this by accident today (execute "iptables -F"); this is a worst-case, potentially disastrous scenario. Fedora's iptables manual ( https://fedoraproject.org/wiki/How_t...Flushing_Rules ) warns of this scenario:

Default chain policy (take care):
Be aware of the default chain policy. For example, if the INPUT policy is DROP or REJECT and the rules are flushed, all incoming traffic will be dropped or rejected and network communication broken.
As the OP suggested, the only way to fix this is to gain physical access to the server, log in at the keyboard, and restore the iptables configuration.

If the server is a VPS, or you lack physical access to the server, the only option is to contact whoever manages the VPS (or the server hardware, if it is a physical server) and request that they stop the iptables service for you so that you are able to log in long enough to repair the problem.

Once able to log into the server via SSH, create a new configuration file that will be used during restore:

# vi /root/iptables.bak
Insert the following contents into the file and save it.

(Note that these rules are from my own configuration [which is fairly standard and common], and I don't know how closely these rules mimic the ISPConfig defaults [if ISPConfig does, in fact, define any default rules]).

# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
# (The *table headers and COMMIT lines below were lost in the forum copy;
#  iptables-restore needs them, so they have been put back.)
*nat
:PREROUTING ACCEPT [23540:1430549]
:POSTROUTING ACCEPT [36001:2469714]
:OUTPUT ACCEPT [36001:2469714]
COMMIT
# Completed on Wed May 29 10:18:39 2013
# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
*mangle
:PREROUTING ACCEPT [1954001:501799982]
:INPUT ACCEPT [1954001:501799982]
:OUTPUT ACCEPT [2800876:2841281138]
:POSTROUTING ACCEPT [2800876:2841281138]
COMMIT
# Completed on Wed May 29 10:18:39 2013
# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
*filter
:OUTPUT ACCEPT [118669:13503549]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
# The two commented rules below had their addresses dropped from the posted
# copy; fill the address in and uncomment them, otherwise iptables-restore
# rejects the file.
# -A INPUT -d <address missing> ! -i lo -p tcp -j DROP
-A INPUT -i lo -j ACCEPT
# -A INPUT -s <address missing> -j DROP
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i ppp+ -j PUB_IN
-A INPUT -i slip+ -j PUB_IN
-A INPUT -i venet+ -j PUB_IN
-A INPUT -i bond+ -j PUB_IN
-A OUTPUT -o eth+ -j PUB_OUT
-A OUTPUT -o ppp+ -j PUB_OUT
-A OUTPUT -o slip+ -j PUB_OUT
-A OUTPUT -o venet+ -j PUB_OUT
-A OUTPUT -o bond+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_OUT -p icmp -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 8443 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 24441 -j PAROLE
-A PUB_IN -p tcp -m tcp --dport 40110:40210 -j PAROLE
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
-A PUB_IN -p icmp -j DROP
# Note: as posted, the PAROLE chain has no rules and there is no policy line
# for INPUT or FORWARD, so TCP handed to PAROLE falls through to the INPUT
# chain's existing policy. Check the effective result with: iptables -L -n -v
COMMIT
# Completed on Wed May 29 10:18:39 2013
Now, restore the rules from the file you just created using the following command:

# iptables-restore < /root/iptables.bak
Finally, start the iptables service, now that the configuration has been restored:

# service iptables start
What a nightmare! I hope this fixes the issue for those who stumble upon this thread in the future.

Last edited by cbj4074; 29th May 2013 at 20:34. Reason: Added references to documentation.
30th May 2013, 21:19
TiTex (Senior Member)

Or you can just use a simple bash script ... like I do.

#!/bin/bash
# Path to the iptables binary (not shown in the posted fragment; adjust if needed)
IPT=/sbin/iptables

# Set default policies for all three default chains
# (the policy commands themselves were not included in the post)

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
$IPT -t nat --flush
$IPT -t mangle --flush
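Both fixes above still depend on someone being able to log in after the flush. As an added example (not code from either poster), this bash wrapper first snapshots the live ruleset with iptables-save and then arms a detached timer that restores the snapshot unless the operator disarms it from a session that survived the change; the function names and the IPTABLES_SAVE, IPTABLES_RESTORE and ROLLBACK_PIDFILE variables are assumptions of this example.

```shell
#!/bin/bash
# Fail-safe wrapper for a remote iptables change: snapshot the live ruleset,
# arm a detached timer that restores the snapshot, and disarm the timer only
# from a session that is still connected after the change.
# The binaries and the pidfile are overridable so the logic can be exercised
# without root or a live netfilter stack (assumed names, example code).
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
ROLLBACK_PIDFILE="${ROLLBACK_PIDFILE:-/run/iptables-rollback.pid}"

# Snapshot the live rules into $1. A file without a filter table or a COMMIT
# marker is rejected: restoring it would not bring the access rules back.
backup_rules() {
    local out="$1"
    "$IPTABLES_SAVE" > "$out" || return 1
    grep -q '^\*filter' "$out" && grep -q '^COMMIT' "$out"
}

# Start a detached timer (it survives the SSH session dying) that restores
# the snapshot in $1 after $2 seconds; record its PID for disarm_rollback.
arm_rollback() {
    local snapshot="$1" delay="$2"
    nohup sh -c 'sleep "$1" && exec "$2" < "$3"' _ "$delay" \
        "$IPTABLES_RESTORE" "$snapshot" </dev/null >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PIDFILE"
}

# Cancel the pending restore. Run it only from the session you want to keep:
# if the change locked you out you cannot reach it, and the timer fires.
disarm_rollback() {
    [ -f "$ROLLBACK_PIDFILE" ] || return 1
    kill "$(cat "$ROLLBACK_PIDFILE")" 2>/dev/null
    rm -f "$ROLLBACK_PIDFILE"
}

# Returns 0 while a rollback timer is armed and alive, 1 otherwise.
rollback_armed() {
    [ -f "$ROLLBACK_PIDFILE" ] && kill -0 "$(cat "$ROLLBACK_PIDFILE")" 2>/dev/null
}

# Typical session, as root on the firewall host:
#   backup_rules /root/iptables.bak && arm_rollback /root/iptables.bak 120
#   ... apply the change (e.g. iptables-restore < new-rules) ...
#   disarm_rollback   # only reachable if the change did not lock you out
```

On CentOS/RHEL the iptables init script reloads /etc/sysconfig/iptables on start, so once the ruleset is verified, save it there as well (iptables-save > /etc/sysconfig/iptables) or a later service restart will replace what iptables-restore loaded.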