2

I'm running a VPS, and would like to reset the iptables rules to their fresh-out-of-the-box default state. These are the commands I've come up with:

#!/bin/sh
echo "Resetting all iptables rules..."

#Reset default table policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Reset nat table policies
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#Reset mangle table policies
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

#Reset raw table policies
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT

#Flush all rules and delete empty chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

QUESTIONS:

  1. Are these rules comprehensive enough? I've messed with my iptables and I just want to start from a clean slate.

  2. Will I be locked out of my VPS if I reboot?

  3. Do I need to use the -Z command on every table to zero the packet and byte counters on all rules in a chain? E.g. "iptables -t nat -Z" (and repeat the same for all other tables)?

Thanks!

Honey Badger
  • 1
    I suggest you install Linux on a virtual machine on your desktop computer, and learn how to use IPTables there. Doing remote firewall work is _not_ safe unless you have a second connection for out-of-band management. – pauska Apr 18 '13 at 11:08
  • @pauska, could you please elaborate on the "not safe" part? Thanks! – Honey Badger Apr 18 '13 at 11:12
  • 2
    "Will I be locked out of my VPS if I reboot?" <- that – pauska Apr 18 '13 at 11:22
  • 1
    By the way, HB, you might want to have a small answer-acceptance festival at some point; you're beginning to pile up questions with answers, and no acceptances. – MadHatter Apr 18 '13 at 12:27
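An added example (not the question's script and not from anyone in the thread) that performs the same reset generically: it reads the tables currently loaded in the kernel from /proc/net/ip_tables_names, sets every built-in chain's policy to ACCEPT before flushing (the same ordering the question's script uses, so a DROP policy can never be left exposed mid-flush), deletes user chains and zeroes counters (the -Z from question 3). It goes beyond the question's script in also covering the security table and in being dry-run by default. The DRY_RUN, IPT and TABLES_FILE variables and the function names are this example's own conventions.

```shell
#!/bin/sh
# iptables_reset.sh: return every loaded IPv4 table to its empty, ACCEPT-everything state.
# Added example, not the question's script. Dry-run by default: prints the commands it
# would execute. Run as root with DRY_RUN=0 to apply them for real.

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"
# For IPv6 use IPT=ip6tables TABLES_FILE=/proc/net/ip6_tables_names
TABLES_FILE="${TABLES_FILE:-/proc/net/ip_tables_names}"

# Execute or just print a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Built-in chains of each table; policies exist only on these (-X removes the user-defined ones).
builtin_chains() {
    case "$1" in
        filter)   echo "INPUT FORWARD OUTPUT" ;;
        nat)      echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle)   echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)      echo "PREROUTING OUTPUT" ;;
        security) echo "INPUT FORWARD OUTPUT" ;;
        *)        return 1 ;;
    esac
}

# Tables actually loaded in the kernel; falls back to the usual four if /proc is unavailable.
loaded_tables() {
    if [ -r "$TABLES_FILE" ]; then
        cat "$TABLES_FILE"
    else
        echo "filter nat mangle raw" | tr ' ' '\n'
    fi
}

# Reset one table: open the policies first, then flush, delete user chains, zero counters.
reset_table() {
    t="$1"
    for c in $(builtin_chains "$t"); do
        run "$IPT" -t "$t" -P "$c" ACCEPT
    done
    run "$IPT" -t "$t" -F    # flush every rule in every chain of the table
    run "$IPT" -t "$t" -X    # delete the (now empty) user-defined chains
    run "$IPT" -t "$t" -Z    # zero packet and byte counters
}

reset_all() {
    for t in $(loaded_tables); do
        builtin_chains "$t" >/dev/null 2>&1 || { echo "skipping unknown table $t" >&2; continue; }
        reset_table "$t"
    done
}

reset_all
```

Run it once without arguments to review the command list, then `DRY_RUN=0 ./iptables_reset.sh` as root. Like the question's script, this only resets the running ruleset; whatever restores rules at boot (an init script, iptables-persistent, a saved iptables-restore file) is untouched, which is the point of the answer's second item.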

1 Answer

4
  1. I think those are pretty good; I can offhand think of no rule that would escape that pruning.

  2. It depends. What are your current arrangements for rules on reboot? If they amount to DROPping everything, then yes, you'll lock yourself out. The script you've shown above is lovely (see 1.), but it's not going to magically be run on reboot.

  3. It depends whether you want the counters to be zeroed or not.

As for not getting locked out, I agree with pauska that doing remote firewall work can be tricky. That's why, before I commit any change I've made to a remote system's firewalls, I do

# at now+5min
at> service iptables stop
at> ^D

If the changes I then commit lock me out, well, I'll be OK to get back in in five minutes. If they don't, I can use atrm to remove the job I just submitted. It's saved my bum a few times! (NB: that service command is good for Red Hat Linuces, you may need to find an equivalent for other unices.)

MadHatter
  • 1
    To apply iptables rules safely, you can use iptables-apply, which will try to apply your rules and then ask you if you are OK. If you say yes (meaning you still have a connection) the rules will be applied; if not, the work will be undone. – Brigo Apr 18 '13 at 12:01
  • I love UNIX, there's always more than one *good* way to do the job! Thanks, Brigo. – MadHatter Apr 18 '13 at 12:03
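As an added example, not MadHatter's or Brigo's code, here is the answer's at-based safety net wrapped in a script. It goes beyond the answer in one respect: the scheduled job restores an iptables-save snapshot taken before the change instead of stopping the firewall, so a rollback returns the host to its previous ruleset rather than to an open one. It assumes iptables-save, iptables-restore, at(1) and atrm(1) are installed and the at daemon is running; the script name safe_apply.sh, the helper names and the /tmp snapshot path are this example's own choices.

```shell
#!/bin/sh
# safe_apply.sh: apply a new iptables ruleset with an automatic, time-limited rollback.
# Added example, not the answer's own commands. Usage (as root):
#   ./safe_apply.sh new-rules.v4 [minutes]     (minutes defaults to 5, as in the answer)
set -eu

# Extract the job number from at(1)'s confirmation ("job 12 at Thu Apr 18 11:30:00 2013")
# so the job can later be removed with atrm.
job_id_from_at_output() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# The commands the rollback job will run: restore the snapshot and leave a syslog trace.
rollback_script() {
    snapshot="$1"
    printf '%s\n' "iptables-restore < '$snapshot'" \
                  "logger -t safe_apply 'rollback applied from $snapshot'"
}

safe_apply() {
    rules="$1"; minutes="${2:-5}"
    snapshot="$(mktemp /tmp/iptables-snapshot.XXXXXX)"
    iptables-save > "$snapshot"

    # 1. Arm the safety net before touching the live ruleset.
    job="$(rollback_script "$snapshot" | at "now + $minutes minutes" 2>&1 | job_id_from_at_output)"
    [ -n "$job" ] || { echo "could not schedule rollback job" >&2; return 1; }
    echo "rollback job $job scheduled in $minutes minutes (snapshot: $snapshot)"

    # 2. Apply the new rules atomically.
    iptables-restore < "$rules"

    # 3. Confirm only from the session that just survived the change; if the session is
    #    gone, read fails, nothing is confirmed and the rollback job stays armed.
    printf 'Rules applied. Still connected? Type yes within %s minutes to keep them: ' "$minutes"
    if read -r answer && [ "$answer" = yes ]; then
        atrm "$job"
        echo "kept new rules; rollback job $job removed"
    else
        echo "no confirmation; rollback job $job left in place"
    fi
}

if [ $# -gt 0 ]; then
    safe_apply "$@"
fi
```

The same pattern, with a ruleset file and a timeout, is what the packaged iptables-apply tool from Brigo's comment does; the script above is useful mainly where at is available but iptables-apply is not, or when you want the rollback to restore a snapshot rather than reapply a file.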