Turning an iptables Firewall Off
Turning on your firewall is easy: just run the fw_nat script. But you also want an easy way to turn it off, so that you can quickly determine whether a problem is caused by the firewall, and so that you can make and test changes easily.
Use the following script, which we'll call /usr/local/bin/fw_flush. It deletes all the rules in the filter, NAT, and mangle tables, deletes all user-defined chains, and resets all packet and byte counters to zero. It also resets all the default policies to ACCEPT (so that nothing is blocked) and turns off forwarding. The result is like having no firewall at all:
#!/bin/sh
##/usr/local/bin/fw_flush
#flush script, which deletes all active rules
#and chains, and resets default policies to "accept"
#this is like having no firewall at all

#define variables
ipt="/sbin/iptables"

echo "The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero, and routing is turned off."

#Set default policies to ACCEPT everything
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P INPUT ACCEPT
$ipt -t mangle -P OUTPUT ACCEPT
$ipt -t mangle -P FORWARD ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#Zero out all counters
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z

# Flush all rules, delete all chains
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X

#Turn off forwarding (routing) so that the box no longer passes
#packets between its interfaces, as the text and the echo above describe
echo 0 > /proc/sys/net/ipv4/ip_forward
Remember to make this script owned by root only, mode 0700. Run this anytime you want to turn your firewall off:
# fw_flush
The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero, and routing is turned off.
This leaves you wide open, so you should not be connected to untrusted networks.
iptables is not a daemon, so there is no service to stop; the rules live in the kernel, in memory, and turning the firewall off is a little more involved. If you just flush all the rules, your default policies remain in effect, and because the default policy is usually DROP, no traffic will get through at all. So, the easy way is to use a script like the one in this section, which flushes all rules and sets the default policies to ACCEPT.
If no firewall script is activated at boot, rebooting really turns the firewall off: the kernel modules are unloaded, and no iptables rules of any kind remain in memory.
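A quick way to confirm that the firewall really is off, rather than merely flushed with DROP policies still in place, is to inspect the rule listing. The following is an added example, not part of the original recipe; it assumes a modern iptables that supports the -S (rules-as-commands) listing, and the function names are made up for this illustration.

```shell
#!/bin/sh
# fw_check: read "iptables -S" style output on stdin (one or more tables)
# and succeed only if every built-in chain policy is ACCEPT, no user chains
# exist, and no rules remain. Anything else is reported and the exit
# status is 1, so it can be used in scripts and cron jobs.
fw_check() {
    awk '
        $1 == "-P" && $3 != "ACCEPT" { bad++; print "policy still set: " $2 " " $3 }
        $1 == "-N"                   { bad++; print "user chain remains: " $2 }
        $1 == "-A"                   { bad++; print "rule remains: " $0 }
        END {
            if (bad == 0) print "firewall is off: all policies ACCEPT, no rules"
            exit (bad > 0)
        }
    '
}

# fw_forward_check: $1 is the contents of /proc/sys/net/ipv4/ip_forward.
# Succeeds only when forwarding (routing between interfaces) is off.
fw_forward_check() {
    [ "$1" = "0" ]
}

# fw_check_live: run the checks against the real system (needs root).
# Lists the same three tables that fw_flush clears.
fw_check_live() {
    for t in filter nat mangle; do
        iptables -t "$t" -S
    done | fw_check || return 1
    fw_forward_check "$(cat /proc/sys/net/ipv4/ip_forward)" \
        || { echo "forwarding is still enabled"; return 1; }
}

# Invoke as "fw_check.sh --live" on a real box; the functions alone are
# defined when the file is sourced, so they can be tested with sample input.
if [ "${1:-}" = "--live" ]; then
    fw_check_live
fi
```

Run it after fw_flush: a clean result means flushing alone did not leave a DROP policy behind.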