  #1  
Old 8th November 2008, 10:35
tiamsanit tiamsanit is offline
Junior Member
 
Join Date: Nov 2008
Posts: 9
flush iptables by accident, cannot remotely connect

Hello, everyone

I have an Internet server located at my office. Today I connected remotely via ssh to do some maintenance, but something really bad occurred. I accidentally executed the iptables -F command, which cut all connections to the server.
Now I cannot even ping my server, so my only solution is to go to the office and use the console to repair it, right?

My serious problem is that I have no backup of the IP rules, so if anyone can help me restore iptables to its original state, or to a default setting suitable for an ISPConfig server, or to any safe-to-deploy rules, it will be very much appreciated.

Thanks in advance
  #2  
Old 9th November 2008, 14:10
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Have you tried to reboot the system?
__________________
Falko
  #3  
Old 29th May 2013, 19:32
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 392

Even though this thread is old, it is a) unresolved, and b) a very good question that deserves due attention.

We had someone do this by accident today (execute "iptables -F"); this is a worst-case, potentially-disastrous scenario. Fedora's iptables manual ( https://fedoraproject.org/wiki/How_t...Flushing_Rules ) warns of this scenario:

Quote:
Default chain policies care
Be aware of the default chain policy. For example, if the INPUT policy is DROP or REJECT and the Rules are flushed, all incoming traffic will be dropped or rejected and network communication broken.
As the OP suggested, the only way to fix this is to gain physical access to the server, log in at the keyboard, and restore the iptables configuration.

If the server is a VPS, or you lack physical access to the server, the only option is to contact whoever manages the VPS (or the server hardware, if it is a physical server) and request that they stop the iptables service for you so that you are able to log in long enough to repair the problem.

Once able to log into the server via SSH, create a new configuration file that will be used during restore:

Code:
# vi /root/iptables.bak
Insert the following contents into the file and save it.

(Note that these rules are from my own configuration [which is fairly standard and common], and I don't know how closely these rules mimic the ISPConfig defaults [if ISPConfig does, in fact, define any default rules]).

Code:
# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
*nat
:PREROUTING ACCEPT [23540:1430549]
:POSTROUTING ACCEPT [36001:2469714]
:OUTPUT ACCEPT [36001:2469714]
COMMIT
# Completed on Wed May 29 10:18:39 2013
# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
*mangle
:PREROUTING ACCEPT [1954001:501799982]
:INPUT ACCEPT [1954001:501799982]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2800876:2841281138]
:POSTROUTING ACCEPT [2800876:2841281138]
COMMIT
# Completed on Wed May 29 10:18:39 2013
# Generated by iptables-save v1.4.4 on Wed May 29 10:18:39 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [118669:13503549]
:INT_IN - [0:0]
:INT_OUT - [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:PUB_OUT - [0:0]
-A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 224.0.0.0/4 -j DROP 
-A INPUT -i eth+ -j PUB_IN 
-A INPUT -i ppp+ -j PUB_IN 
-A INPUT -i slip+ -j PUB_IN 
-A INPUT -i venet+ -j PUB_IN 
-A INPUT -i bond+ -j PUB_IN 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -o eth+ -j PUB_OUT 
-A OUTPUT -o ppp+ -j PUB_OUT 
-A OUTPUT -o slip+ -j PUB_OUT 
-A OUTPUT -o venet+ -j PUB_OUT 
-A OUTPUT -o bond+ -j PUB_OUT 
-A INT_IN -p icmp -j ACCEPT 
-A INT_IN -j DROP 
-A INT_OUT -p icmp -j ACCEPT 
-A INT_OUT -j ACCEPT 
-A PAROLE -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 8443 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 24441 -j PAROLE 
-A PUB_IN -p tcp -m tcp --dport 40110:40210 -j PAROLE 
-A PUB_IN -p udp -m udp --dport 53 -j ACCEPT 
-A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT 
-A PUB_IN -p icmp -j DROP 
-A PUB_IN -j DROP 
-A PUB_OUT -j ACCEPT 
COMMIT
# Completed on Wed May 29 10:18:39 2013
Now, restore the rules from the file you just created using the following command:

Code:
# iptables-restore < /root/iptables.bak
Finally, start the iptables service, now that the configuration has been restored:

Code:
# service iptables start
What a nightmare! I hope this fixes the issue for those who stumble upon this thread in the future.

Last edited by cbj4074; 29th May 2013 at 19:34. Reason: Added references to documentation.
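To make the lockout condition cbj4074 quotes from the Fedora wiki checkable before anyone types "iptables -F", here is an added example (not from this thread, and not ISPConfig's code) that parses iptables-save output in the format posted above and reports which built-in filter chains would drop all traffic once their rules are gone. The abridged dump embedded in it is constructed from the rules in the post above.

```python
import re

# Constructed sample: an abridged iptables-save dump in the format posted above.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [118669:13503549]
:PUB_IN - [0:0]
:PAROLE - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth+ -j PUB_IN 
-A INPUT -j DROP 
-A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE 
-A PAROLE -j ACCEPT 
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as their policy.
POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]$")

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()                # the posted dump has trailing spaces
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*nat", "*mangle", "*filter"
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside a table block: " + line)
        elif POLICY_RE.match(line):
            chain, policy = POLICY_RE.match(line).groups()
            tables[current]["policies"][chain] = policy
        else:
            tables[current]["rules"].append(line)
    return tables

def flush_lockout_risk(tables):
    """Built-in filter chains with a DROP/REJECT policy: 'iptables -F' deletes
    rules but keeps policies, so after a flush these chains drop all traffic."""
    policies = tables.get("filter", {}).get("policies", {})
    return sorted(c for c in ("INPUT", "FORWARD", "OUTPUT")
                  if policies.get(c) in ("DROP", "REJECT"))
```

On a live box, feed it the output of iptables-save: a non-empty result means the listed chains must be set to ACCEPT (iptables -P INPUT ACCEPT, and so on) before any flush, which is exactly what TiTex's script in the next post does first.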
  #4  
Old 30th May 2013, 20:19
TiTex TiTex is offline
Senior Member
 
Join Date: Aug 2011
Location: Cluj-Napoca,Romania
Posts: 125

Or you can just use a simple bash script... like I do:

reset_fw
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Set default policies for all three default chains
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
$IPT -t nat --flush
$IPT -t mangle --flush