How to start/stop iptables on Ubuntu?

Scenario / Questions

How can I start/stop the iptables service on Ubuntu?

I have tried

 service iptables stop

but it is giving “unrecognized service”.

Why is it doing so? Is there any other method?

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1:

I don’t know about “Ubuntu”, but in Linux generally, “iptables” isn’t a service – it’s a command to manipulate the netfilter kernel firewall. You can “disable” (or stop) the firewall by setting the default policies on all standard chains to “ACCEPT”, and flushing the rules.

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F

(You may need to flush other tables, too, such as “nat”, if you’ve used them)

The following article on the Ubuntu website describes setting up iptables for use with NetworkManager: https://help.ubuntu.com/community/IptablesHowTo

Suggestion: 2:

You are all wrong 🙂

The command you are looking for is:

$ sudo ufw disable

Suggestion: 3:

I would first check if it is installed with (it probably is):

dpkg -l | grep iptables

On Ubuntu, iptables is not a service.
In order to stop it, you have to do the following:

# run as root: the redirection is done by the shell, so sudo must wrap it too
sudo sh -c 'iptables-save > /root/firewall.rules'
# flush the filter table before deleting its chains; -X refuses to remove a
# user chain that a rule still references
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

In order to restore your previous rules :

sudo sh -c 'iptables-restore < /root/firewall.rules'

This was taken from http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/ and was tested on many Ubuntu 8.X & 9.10 installations.

Suggestion: 4:

iptables is a command, not a service, so generally it’s not possible to use commands like

service iptables start

or

service iptables stop

in order to start and stop the firewall, but some distros like CentOS have installed a service called iptables to start and stop the firewall and a configuration file to configure it.
Anyway it’s possible to make a service to manage iptables by editing or installing a script for this purpose.
All services in Linux (Ubuntu is not an exception) are executable scripts inside the /etc/init.d folder that implement a standard interface (start, stop, restart).
A possible script looks like this:

 #!/bin/sh -e
 ### BEGIN INIT INFO
 # Provides:          iptables
 # Required-Start:    mountvirtfs ifupdown $local_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 ### END INIT INFO

 # July 9, 2007
 # James B. Crocker <ubuntu@james.crocker.name>
 # Creative Commons Attribution - Share Alike 3.0 License (BY,SA)
 # Script to load/unload/save iptables firewall settings.

 PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"

 IPTABLES=/sbin/iptables
 IPTABLES_SAVE=/sbin/iptables-save
 IPTABLES_RESTORE=/sbin/iptables-restore

 IPTABLES_CONFIG=/etc/iptables.conf

 [ -x $IPTABLES ] || exit 0

 . /lib/lsb/init-functions


 case "$1" in
 start)
    log_action_begin_msg "Starting firewall"
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
    ;;

 stop)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Flushing ALL firewall rules from chains!"
    if $IPTABLES -F ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    log_action_begin_msg "Deleting ALL firewall chains [Warning: ACCEPTING ALL PORT SERVICES!]"
    if $IPTABLES -X ; then
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;

 save)
    log_action_begin_msg "Saving current firewall configuration"
    if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;

 force-reload|restart)
    log_action_begin_msg "Reloading firewall configuration [Warning: POTENTIAL NETWORK INSECURITY DURING RELOAD]"
    $IPTABLES -F
    $IPTABLES -X
    if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
        log_action_end_msg $?
    else
        log_action_end_msg $?
    fi
    ;;

 *)
    echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
    exit 1
    ;;
 esac

 exit 0 

This script is part of this tutorial; all the commands to configure the firewall must be inserted, according to the script above, into the /etc/iptables.conf file.
This script must be inserted into a file called iptables in /etc/init.d and made executable using

chmod +x /etc/init.d/iptables

and add the service to runlevels using

update-rc.d iptables defaults

You can add new rules from the shell; these rules will be immediately active and will be added to /etc/iptables.conf when the service stops (this means they will be saved when the system shuts down).

I hope this will be helpful to everyone.
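The init script above hands /etc/iptables.conf to iptables-restore, and iptables-restore reads the iptables-save dump format rather than a list of iptables commands. The script below is an added example written for this page (not code from the answer): it writes a minimal default-deny baseline in that format and checks a rules file's structure without needing root, before the init script ever loads it. The /etc/iptables.conf path is taken from the answer; the rule set itself (default-deny inbound, SSH and ping allowed) is an assumption to adapt to the host's real services.

```bash
#!/bin/sh
# fw-rules.sh: write a baseline rule set in the format iptables-restore reads,
# and check such a file before an init script loads it. Added example for this
# page, not code from the answer. Assumed: the /etc/iptables.conf path from
# Suggestion 4, and the rule set itself (a default-deny policy that keeps SSH).

# baseline_rules: iptables-save dump format, which is what iptables-restore
# expects; a list of `iptables ...` commands in this file will not load.
baseline_rules() {
    cat <<'EOF'
# /etc/iptables.conf - loaded with: iptables-restore < /etc/iptables.conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# check_rules_file FILE: structural check that needs no root. Rejects a
# table without COMMIT, a policy other than ACCEPT/DROP/-, and any line that
# is not a comment, table header, policy, -A/-I rule or COMMIT.
check_rules_file() {
    awk '
        BEGIN { rc = 0 }
        function bad(msg) { print "rules check: " msg > "/dev/stderr"; rc = 1 }
        /^#/ || /^[ \t]*$/ { next }
        /^\*[a-z]+$/ {
            if (open) bad("table " cur " has no COMMIT")
            open = 1; cur = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (!open) bad("COMMIT outside a table")
            open = 0; next
        }
        !open { bad("line outside a table: " $0); next }
        /^:[A-Za-z0-9_-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/ { next }
        /^-[AI] / { next }
        { bad("unrecognised line: " $0) }
        END { if (open) bad("table " cur " has no COMMIT"); exit rc }
    ' "$1"
}

# install_rules [FILE]: write the baseline readable by root only, check its
# structure, then let iptables-restore parse it without applying anything
# (--test needs root but changes no rules)
install_rules() {
    file="${1:-/etc/iptables.conf}"
    (umask 077 && baseline_rules > "$file") || return 1
    check_rules_file "$file" || return 1
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$file"
    fi
}

case "${1:-}" in
    install) install_rules "${2:-}" ;;
    check)   check_rules_file "${2:?usage: $0 check FILE}" ;;
esac
```

Run `sh fw-rules.sh check /etc/iptables.conf` as any user to catch a missing COMMIT or a typo in a policy line before a reboot finds it; `sh fw-rules.sh install` as root writes the baseline with mode 0600 and runs the authoritative `iptables-restore --test` parse, which still does not touch the live rules.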

Suggestion: 5:

Because both iptables and ufw are ways to manage the netfilter firewall in Linux, and because both are available by default in Ubuntu, you can use either to start and stop (and manage) firewall rules.

iptables is more flexible, but because ufw provides a very simple interface language for simple and typical function you can use:

sudo ufw disable # To disable the firewall

sudo ufw enable # To enable the firewall

To see current firewall settings use sudo ufw status verbose, or iptables -L.

The Ubuntu Community docs pages on iptables and UFW have a great deal more info.

Suggestion: 6:

Looks like there several ways to manage firewall in Ubuntu, so you may be interested in reading this: https://help.ubuntu.com/community/IptablesHowTo#Configuration%20on%20startup

To drop all current rules you can use these commands (put them in some script):

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X

In the usual case, your default firewall rules are saved in some file (for example, /etc/iptables.rules). While the system boots, the command iptables-restore </etc/iptables.rules is executed to load the firewall rules. So, executing the same command after you have dropped all rules using the above commands will result in the “reloading firewall” which you asked for.
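Suggestions 1, 3 and 6 all describe the same manual “stop”: set the built-in policies to ACCEPT and flush each table. The script below is an added example written for this page (not code from any of the answers) that does this for every table the kernel reports in /proc/net/ip_tables_names, for IPv4 and IPv6, after saving a copy of the live rules, and then verifies from iptables-save output that nothing is left. It goes beyond Suggestion 6 by covering the raw and security tables as well. Assumed: it runs as root, backups go under /root/fw-backup, and FW_DRY_RUN=1 previews the commands. The policy-before-flush order is deliberate: flushing while INPUT is still DROP removes the ESTABLISHED rule and drops the SSH session you are working from.

```bash
#!/bin/sh
# fw-stop.sh: back up the live rule set, then open the firewall by resetting
# every table the kernel has loaded (IPv4 and IPv6). Added example for this
# page, not code from the answers. Assumed: runs as root; backups go to
# FW_BACKUP_DIR; FW_DRY_RUN=1 prints the commands instead of running them.
set -u

FW_BACKUP_DIR="${FW_BACKUP_DIR:-/root/fw-backup}"   # assumed location

# run CMD...: execute CMD, or only print it when FW_DRY_RUN=1
run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# builtin_chains TABLE: the chains that take a -P policy in that table.
# Suggestion 6 lists filter, nat and mangle; raw and security are the other
# two tables a stock Ubuntu kernel can have loaded.
builtin_chains() {
    case "$1" in
        filter|security) echo "INPUT FORWARD OUTPUT" ;;
        nat)             echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        mangle)          echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)             echo "PREROUTING OUTPUT" ;;
    esac
}

# loaded_tables TOOL: tables the kernel currently has for iptables or
# ip6tables; empty when the modules were never loaded (nothing to reset)
loaded_tables() {
    case "$1" in
        ip6tables) cat /proc/net/ip6_tables_names 2>/dev/null ;;
        *)         cat /proc/net/ip_tables_names 2>/dev/null ;;
    esac
}

# open_tables TOOL TABLE...: policy ACCEPT first, then flush rules, zero the
# counters and delete user chains. The order matters: flushing while INPUT
# is still DROP removes the ESTABLISHED rule and drops your own SSH session.
open_tables() {
    tool="$1"; shift
    for table in "$@"; do
        for chain in $(builtin_chains "$table"); do
            run "$tool" -t "$table" -P "$chain" ACCEPT
        done
        run "$tool" -t "$table" -F
        run "$tool" -t "$table" -Z
        run "$tool" -t "$table" -X
    done
}

# backup_rules TOOL: save the live rules, readable by root only (a rule set
# documents open ports and topology); TOOL-restore < FILE brings them back
backup_rules() {
    file="$FW_BACKUP_DIR/$1.$(date +%Y%m%d-%H%M%S)"
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "$1-save > $file"
    else
        (umask 077 && mkdir -p "$FW_BACKUP_DIR" && "$1-save" > "$file")
    fi
}

# rules_are_open < iptables-save output: succeed only if every built-in
# policy is ACCEPT and no -A rule line is left in any table
rules_are_open() {
    ! grep -Eq '^(:[A-Za-z0-9_-]+ +DROP|-A )'
}

case "${1:-}" in
    stop)
        for tool in iptables ip6tables; do
            tables=$(loaded_tables "$tool")
            [ -n "$tables" ] || continue
            backup_rules "$tool"
            open_tables "$tool" $tables          # unquoted: one table per line
            [ "${FW_DRY_RUN:-0}" = "1" ] && continue
            "$tool-save" | rules_are_open ||
                { echo "$tool: rules or DROP policies remain" >&2; exit 1; }
        done
        ;;
    "") ;;                                       # no action: define functions only
    *)  echo "usage: $0 stop   (FW_DRY_RUN=1 $0 stop previews)" >&2; exit 1 ;;
esac
```

`FW_DRY_RUN=1 sh fw-stop.sh stop` shows exactly what would run on this host before you commit to it; the final iptables-save check is what tells you the firewall is really off, rather than trusting that no command failed.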

Suggestion: 7:

If I recall correctly, the suggested way to set up iptables in the Ubuntu guides is to set it up as part of the networking scripts, which means there is no /etc/init.d/iptables script like there is in BSD-style OSes.

Suggestion: 8:

Create a file on /etc/init.d/

touch fw.rc

Make the file executable with chmod +x /etc/init.d/fw.rc

Make a symlink to that file on /etc/rc2.d/

ln -s /etc/init.d/fw.rc S80firewall

Edit S80firewall and add the following

#!/bin/sh
# reset every rule and user chain in the filter and nat tables
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# enable IPv4 forwarding; only needed if this host routes or NATs for others
echo "1" > /proc/sys/net/ipv4/ip_forward

You can add all your custom iptables rules on this file

Now you can restart firewall (iptables) by running /etc/rc2.d/S80firewall (must be root)

Suggestion: 9:

I had the same issue.
In fact, there was no iptables-persistent in /etc/init.d

So, I created the iptables-persistent file in /etc/init.d

nano /etc/init.d/iptables-persistent

and wrote the following inside:

#!/bin/sh
#       Written by Simon Richter <sjr@debian.org>
#       modified by Jonathan Wiltshire <jmw@debian.org>
#       with help from Christoph Anton Mitterer
#

### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: Set up iptables rules
# Description:       Loads/saves current iptables rules from/to /etc/iptables
#  to provide a persistent rule set during boot time
### END INIT INFO

. /lib/lsb/init-functions

rc=0

load_rules()
{
    log_action_begin_msg "Loading iptables rules"

    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " skipping IPv4 (no rules to load)"
    else
        log_action_cont_msg " IPv4"
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #load IPv6 rules    
    if [ ! -f /etc/iptables/rules.v6 ]; then
        log_action_cont_msg " skipping IPv6 (no rules to load)"
    else
        log_action_cont_msg " IPv6"
        ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

save_rules()
{
    log_action_begin_msg "Saving rules"

    #save IPv4 rules
    #need at least iptable_filter loaded:
    /sbin/modprobe -q iptable_filter
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no modules loaded)"
    elif [ -x /sbin/iptables-save ]; then
        log_action_cont_msg " IPv4"
        iptables-save > /etc/iptables/rules.v4
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #save IPv6 rules
    #need at least ip6table_filter loaded:
    /sbin/modprobe -q ip6table_filter
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no modules loaded)"
    elif [ -x /sbin/ip6tables-save ]; then
        log_action_cont_msg " IPv6"
        ip6tables-save > /etc/iptables/rules.v6
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

flush_rules()
{
    log_action_begin_msg "Flushing rules"

    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables ]; then
        log_action_cont_msg " IPv4"
        for param in F Z X; do /sbin/iptables -$param; done
        for table in $(cat /proc/net/ip_tables_names)
        do
            /sbin/iptables -t $table -F
            /sbin/iptables -t $table -Z
            /sbin/iptables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/iptables -P $chain ACCEPT
        done
    fi

    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables ]; then
        log_action_cont_msg " IPv6"
        for param in F Z X; do /sbin/ip6tables -$param; done
        for table in $(cat /proc/net/ip6_tables_names)
        do
            /sbin/ip6tables -t $table -F
            /sbin/ip6tables -t $table -Z
            /sbin/ip6tables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/ip6tables -P $chain ACCEPT
        done
    fi

    log_action_end_msg 0
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac

exit $rc

and then gave chmod 755 permission.

chmod 755 /etc/init.d/iptables-persistent

Now it works perfectly! Hope it can help someone.

Suggestion: 10:

If you’re running Ubuntu server as a VM guest (e.g. in VirtualBox) then libvirt may be enabled. If so libvirt contains some in-built network filters which utilise iptables. These filters may be configured as described in the firewall section on nwfilters.

To disable the iptables rules you’ll either need to remove all offending rules from libvirt, or you can just disable libvirt if you’re not using it – e.g. install a manual override config (then reboot):

sudo bash -c 'echo "manual" > /etc/init/libvirt-bin.override'

Suggestion: 11:

You’re using the command that’s appropriate for RedHat and CentOS, not Ubuntu or Debian.

http://www.cyberciti.biz/faq/ubuntu-server-disable-firewall/

Suggestion: 12:

There is none by default, but in recent Debian derivatives (including Ubuntu) you can install a service to manage iptables:

sudo apt install iptables-persistent

You can then load previously saved rules:

systemctl start netfilter-persistent

Review what happened:

systemctl status netfilter-persistent

netfilter-persistent.service - netfilter persistent configuration
   Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sun 2019-03-24 10:49:50 IST; 16min ago
 Main PID: 1674 (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/netfilter-persistent.service

Mar 24 10:49:50 ubuntu systemd[1]: Starting netfilter persistent configuration...
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables start
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: Warning: skipping IPv4 (no rules to load)
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables start
Mar 24 10:49:50 ubuntu netfilter-persistent[1674]: Warning: skipping IPv6 (no rules to load)
Mar 24 10:49:50 ubuntu systemd[1]: Started netfilter persistent configuration.
Mar 24 11:02:49 ubuntu systemd[1]: Started netfilter persistent configuration.

Or stop the service:

systemctl stop netfilter-persistent

Stopping the service will, by default, not flush iptables (i.e. will not disable the firewall, see man netfilter-persistent).
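The point in Suggestion 12, that stopping netfilter-persistent does not flush anything, generalises: on a current Ubuntu several packages can own rules (ufw, libvirt as in Suggestion 10, iptables-persistent, Docker), and since Ubuntu 20.04 the iptables binary is the nf_tables-backed one, so iptables-legacy and iptables-nft do not see or flush each other's rules. The report script below is an added example for this page, not code from the answer or from any of those packages: it parses `iptables -V` and iptables-save output to say which backend is in use and which package's chains the rules belong to, and prints the command that actually removes them. The chain-name heuristics and the stop hints are assumptions to adjust; libvirt versions older than the ones that create LIBVIRT_* chains put their rules straight into INPUT and FORWARD and will show up as "other".

```bash
#!/bin/sh
# fw-who.sh: report what owns the netfilter rules on this Ubuntu host, so the
# right thing gets stopped or flushed. Added example for this page, not code
# from the answer or from any of the packages named. Assumed: run as root for
# a live report; the parsing functions take constructed input and need nothing.

# backend_of VERSION_LINE: backend named in `iptables -V` output. Ubuntu 20.04
# and later ship iptables-nft; its rules live in nf_tables (`nft list ruleset`
# shows them) and iptables-legacy neither sees nor flushes them.
backend_of() {
    case "$1" in
        "")              echo unknown ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo legacy ;;   # iptables before 1.8 prints no tag
    esac
}

# rule_owner RULE_LINE: guess the package behind a rule from the chain names
# it references (ufw, libvirt and Docker each create their own chains)
rule_owner() {
    case "$1" in
        *ufw-*)     echo ufw ;;
        *LIBVIRT_*) echo libvirt ;;
        *DOCKER*)   echo docker ;;
        *)          echo other ;;
    esac
}

# owners_summary < iptables-save output: one "COUNT OWNER" line per owner
owners_summary() {
    grep '^-A ' | while IFS= read -r line; do
        rule_owner "$line"
    done | sort | uniq -c | sed 's/^ *//'
}

# stop_hint OWNER: what actually removes that owner's rules; `service
# iptables stop` from the question does none of this on Ubuntu
stop_hint() {
    case "$1" in
        ufw)     echo "ufw disable" ;;
        libvirt) echo "virsh net-destroy default, or disable libvirtd and reboot (Suggestion 10)" ;;
        docker)  echo "systemctl stop docker (the rules come back when it starts)" ;;
        *)       echo "netfilter-persistent flush if iptables-persistent owns them, else flush by hand" ;;
    esac
}

report() {
    echo "backend: $(backend_of "$(iptables -V 2>/dev/null)")"
    for unit in ufw netfilter-persistent libvirtd docker; do
        echo "$unit: $(systemctl is-active "$unit" 2>/dev/null || true)"
    done
    echo "IPv4 rules by owner:"
    iptables-save 2>/dev/null | owners_summary | while read -r n owner; do
        echo "  $n $owner -> $(stop_hint "$owner")"
    done
}

if [ "${1:-}" = "report" ]; then report; fi
```

`sudo sh fw-who.sh report` is the first thing to run before deciding which of the answers above applies; if it reports an nf_tables backend, make sure the flush commands you then use are the same iptables binary (check `update-alternatives --display iptables`) or they will silently miss the live rules.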


Source: How to start/stop iptables on Ubuntu?
