I don't know about "Ubuntu", but in Linux generally, "iptables" isn't a service - it's a command to manipulate the netfilter kernel firewall. You can "disable" (or stop) the firewall by setting the default policies on all standard chains to "ACCEPT", and flushing the rules.
(You may need to flush other tables, too, such as "nat", if you've used them.)
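As an added example (not part of the answer above), here is a small POSIX shell script that does exactly that, but in the order that cannot lock you out: it sets the built-in filter policies to ACCEPT before flushing, so a flush never runs while INPUT still has a DROP policy, and it clears every loaded table (nat, mangle, raw) rather than only filter. It also includes a check that reads iptables-save output and tells you whether the firewall is really open. The iptables/ip6tables binaries and the /proc/net/ip_tables_names files are the standard ones; the function names and the open/check subcommands are this example's own.

```sh
#!/bin/sh
# Added example, not code from the answer above.
# Open the netfilter firewall without a lock-out window, then verify it.
# Assumptions: iptables/ip6tables from the iptables package, run as root;
# the function names and the open/check subcommands are this example's own.

# Print, one per line, the iptables arguments that open the firewall.
# $1 = whitespace-separated list of loaded tables (from /proc/net/ip_tables_names).
# Order matters: set the built-in filter policies to ACCEPT *before* flushing.
# Flushing first while INPUT has a DROP policy drops every packet, including
# the SSH session you are typing in, until the policy change arrives.
open_firewall_plan() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "-t filter -P $chain ACCEPT"
    done
    for table in $1; do
        echo "-t $table -F"   # flush all rules in every chain of the table
        echo "-t $table -X"   # delete the now-empty user-defined chains
        echo "-t $table -Z"   # zero the counters
    done
}

# Execute the plan with $1 (iptables or ip6tables). Tables are read from the
# kernel so nat, mangle and raw are cleared too, not only filter.
open_firewall() {
    cmd="${1:-iptables}"
    case "$cmd" in
        ip6tables) names=/proc/net/ip6_tables_names ;;
        *)         names=/proc/net/ip_tables_names ;;
    esac
    tables=$(cat "$names" 2>/dev/null)
    open_firewall_plan "${tables:-filter}" | while read -r args; do
        $cmd $args || exit 1   # word splitting of $args is intended
    done
}

# Read iptables-save output on stdin; succeed only if no rule is installed and
# no built-in chain has a DROP policy, i.e. the firewall is really open.
firewall_is_open() {
    awk '
        /^-A /               { rules++ }
        /^:/ && $2 == "DROP" { drops++ }
        END                  { if (rules + drops > 0) exit 1; exit 0 }
    '
}

case "${1:-}" in
    open)  open_firewall iptables && open_firewall ip6tables ;;
    check) iptables-save | firewall_is_open && echo "firewall is open" ;;
esac
```

Run it as root with `open` to drop everything, then `check` (or `iptables-save | firewall_is_open`) to confirm; `ip6tables-save | firewall_is_open` does the same for IPv6, which is easy to forget on a dual-stack host.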
Iptables is a command, not a service, so generally it's not possible to use commands like
service iptables start
or
service iptables stop
in order to start and stop the firewall, but some distros like CentOS have installed a service called iptables to start and stop the firewall and a configuration file to configure it.
Anyway, it's possible to make a service to manage iptables by editing or installing a script for this purpose.
All services in Linux (Ubuntu is not an exception) are executable scripts inside the /etc/init.d folder that implement a standard interface (start, stop, restart).
A possible script looks like this:
#!/bin/sh -e
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    mountvirtfs ifupdown $local_fs
# Default-Start:     S
# Default-Stop:      0 6
### END INIT INFO
# July 9, 2007
# James B. Crocker <[email protected]>
# Creative Commons Attribution - Share Alike 3.0 License (BY,SA)
# Script to load/unload/save iptables firewall settings.

PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_CONFIG=/etc/iptables.conf

[ -x $IPTABLES ] || exit 0

. /lib/lsb/init-functions

case "$1" in
    start)
        log_action_begin_msg "Starting firewall"
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 120" || true
        if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        type usplash_write >/dev/null 2>/dev/null && usplash_write "TIMEOUT 15" || true
        ;;
    stop)
        log_action_begin_msg "Saving current firewall configuration"
        if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        log_action_begin_msg "Flushing ALL firewall rules from chains!"
        if $IPTABLES -F ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        log_action_begin_msg "Deleting ALL firewall chains [Warning: ACCEPTING ALL PORT SERVICES!]"
        if $IPTABLES -X ; then
            $IPTABLES -P INPUT ACCEPT
            $IPTABLES -P FORWARD ACCEPT
            $IPTABLES -P OUTPUT ACCEPT
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    save)
        log_action_begin_msg "Saving current firewall configuration"
        if $IPTABLES_SAVE > $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    force-reload|restart)
        log_action_begin_msg "Reloading firewall configuration [Warning: POTENTIAL NETWORK INSECURITY DURING RELOAD]"
        $IPTABLES -F
        $IPTABLES -X
        if $IPTABLES_RESTORE < $IPTABLES_CONFIG ; then
            log_action_end_msg $?
        else
            log_action_end_msg $?
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/iptables {start|stop|save|restart|force-reload}"
        exit 1
        ;;
esac

exit 0
This script is part of this tutorial; all the commands to configure the firewall must be inserted, according to the script above, into the /etc/iptables.conf file.
This script must be inserted into a file called iptables in /etc/init.d and made executable using
chmod +x /etc/init.d/iptables
and add the service to the runlevels using
update-rc.d iptables defaults
You can add new rules from the shell; these rules will be immediately active and will be added to /etc/iptables.conf when the service stops (it means they will be saved for sure when the system shuts down).
I hope this will be helpful to everyone.
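As an added example rather than code from the answer above, here is one way to produce the /etc/iptables.conf that the script restores, check it before relying on it, and reload it without the window the script's restart branch warns about. That branch flushes and deletes the chains and only then restores, so for a moment the host runs with no rules at all; iptables-restore on its own replaces each table in one atomic kernel operation, so the flush is unnecessary. The apply step also keeps the previous ruleset and puts it back automatically unless you confirm within a timeout, which is the usual guard against locking yourself out of SSH when editing remotely. The same iptables-save format is what iptables-persistent loads from /etc/iptables/rules.v4 further down this page. Assumptions: root, SSH on tcp/22 unless overridden, an iptables-restore that accepts --test (older releases do not; drop check_ruleset then and rely on the rollback timer), and the /var/run/iptables.rollback path and the generate/apply/confirm subcommands, which are this example's own.

```sh
#!/bin/sh
# Added example, not code from the answer above.
# Generate, validate and atomically apply a default-deny ruleset for
# /etc/iptables.conf (the file the init script above restores).
# Assumptions: run as root; SSH on tcp/22 unless overridden; an iptables-restore
# that understands --test; /var/run/iptables.rollback is this example's own path.

BACKUP=/var/run/iptables.rollback

# Print a minimal stateful default-deny ruleset in iptables-save format.
# $1 = tcp port that must stay reachable for administration (default 22).
default_deny_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Parse $1 without touching the live ruleset; non-zero on any syntax error.
check_ruleset() {
    iptables-restore --test < "$1"
}

# Replace the live ruleset with $1 in one atomic operation (iptables-restore
# swaps each table as a whole, so there is no moment with an empty ruleset).
# The previous ruleset is saved and put back after $2 seconds (default 60)
# unless confirm_rules is called first.
apply_with_rollback() {
    rules="$1"; timeout="${2:-60}"
    check_ruleset "$rules" || return 1
    iptables-save > "$BACKUP" || return 1
    iptables-restore < "$rules" || return 1
    (
        sleep "$timeout"
        # confirm_rules removes the backup; if it is still here, nobody confirmed
        if [ -f "$BACKUP" ]; then
            iptables-restore < "$BACKUP" && rm -f "$BACKUP"
            logger -t firewall "ruleset rolled back: not confirmed within ${timeout}s"
        fi
    ) &
    echo "ruleset applied; run '$0 confirm' within ${timeout}s to keep it"
}

# Cancel the pending rollback.
confirm_rules() {
    rm -f "$BACKUP"
}

case "${1:-}" in
    generate) default_deny_ruleset "${2:-22}" ;;
    apply)    apply_with_rollback "${2:-/etc/iptables.conf}" "${3:-60}" ;;
    confirm)  confirm_rules ;;
esac
```

Typical use: `./fw.sh generate 22 > /etc/iptables.conf`, then `./fw.sh apply /etc/iptables.conf 60`, open a second SSH session to prove you still get in, and `./fw.sh confirm` from it; if the new rules cut you off, the old ruleset is back within a minute.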
Because both iptables and ufw are ways to manage the netfilter firewall in Linux, and because both are available by default in Ubuntu, you can use either to start and stop (and manage) firewall rules.
iptables is more flexible, but because ufw provides a very simple interface language for simple and typical functions, you can use:
sudo ufw disable # To disable the firewall
sudo ufw enable # To enable the firewall
To see current firewall settings use sudo ufw status verbose, or iptables -L .
The Ubuntu Community docs pages on iptables and UFW have a great deal more info.
Looks like there are several ways to manage the firewall in Ubuntu, so you may be interested in reading this: https://help.ubuntu.com/community/IptablesHowTo#Configuration%20on%20startup
To drop all current rules you can use these commands (put them in some script):
In the usual case, your default firewall rules are saved in some file (for example, /etc/iptables.rules). While booting the system, the command iptables-restore </etc/iptables.rules is executed to load the firewall rules. So, executing the same command after you dropped all rules using the above commands will result in the "reloading firewall" which you asked for.
If I recall correctly, the suggested way to set up iptables in the Ubuntu guides is to set it up as part of the networking scripts, which means there is no /etc/init.d/iptables script like there is in BSD-style OSs.
I had the same issue.
In fact, there was no iptables-persistent in /etc/init.d
So, I created the iptables-persistent file in /etc/init.d
nano /etc/init.d/iptables-persistent
and wrote the following inside:
#!/bin/sh
# Written by Simon Richter <[email protected]>
# modified by Jonathan Wiltshire <[email protected]>
# with help from Christoph Anton Mitterer
#
### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: Set up iptables rules
# Description:       Loads/saves current iptables rules from/to /etc/iptables
#                    to provide a persistent rule set during boot time
### END INIT INFO

. /lib/lsb/init-functions

rc=0

load_rules()
{
    log_action_begin_msg "Loading iptables rules"

    #load IPv4 rules
    if [ ! -f /etc/iptables/rules.v4 ]; then
        log_action_cont_msg " skipping IPv4 (no rules to load)"
    else
        log_action_cont_msg " IPv4"
        iptables-restore < /etc/iptables/rules.v4 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #load IPv6 rules
    if [ ! -f /etc/iptables/rules.v6 ]; then
        log_action_cont_msg " skipping IPv6 (no rules to load)"
    else
        log_action_cont_msg " IPv6"
        ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

save_rules()
{
    log_action_begin_msg "Saving rules"

    #save IPv4 rules
    #need at least iptable_filter loaded:
    /sbin/modprobe -q iptable_filter
    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no modules loaded)"
    elif [ -x /sbin/iptables-save ]; then
        log_action_cont_msg " IPv4"
        iptables-save > /etc/iptables/rules.v4
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    #save IPv6 rules
    #need at least ip6table_filter loaded:
    /sbin/modprobe -q ip6table_filter
    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no modules loaded)"
    elif [ -x /sbin/ip6tables-save ]; then
        log_action_cont_msg " IPv6"
        ip6tables-save > /etc/iptables/rules.v6
        if [ $? -ne 0 ]; then
            rc=1
        fi
    fi

    log_action_end_msg $rc
}

flush_rules()
{
    log_action_begin_msg "Flushing rules"

    if [ ! -f /proc/net/ip_tables_names ]; then
        log_action_cont_msg " skipping IPv4 (no module loaded)"
    elif [ -x /sbin/iptables ]; then
        log_action_cont_msg " IPv4"
        for param in F Z X; do /sbin/iptables -$param; done
        for table in $(cat /proc/net/ip_tables_names)
        do
            /sbin/iptables -t $table -F
            /sbin/iptables -t $table -Z
            /sbin/iptables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/iptables -P $chain ACCEPT
        done
    fi

    if [ ! -f /proc/net/ip6_tables_names ]; then
        log_action_cont_msg " skipping IPv6 (no module loaded)"
    elif [ -x /sbin/ip6tables ]; then
        log_action_cont_msg " IPv6"
        for param in F Z X; do /sbin/ip6tables -$param; done
        for table in $(cat /proc/net/ip6_tables_names)
        do
            /sbin/ip6tables -t $table -F
            /sbin/ip6tables -t $table -Z
            /sbin/ip6tables -t $table -X
        done
        for chain in INPUT FORWARD OUTPUT
        do
            /sbin/ip6tables -P $chain ACCEPT
        done
    fi

    log_action_end_msg 0
}

case "$1" in
start|restart|reload|force-reload)
    load_rules
    ;;
save)
    save_rules
    ;;
stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
flush)
    flush_rules
    ;;
*)
    echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
    exit 1
    ;;
esac

exit $rc
and then gave it chmod 755 permission.
Now it works perfectly! Hope it can help someone.
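An added example that is not part of the script or the answer above: the iptables-persistent script just logs "skipping IPv6 (no rules to load)" when /etc/iptables/rules.v6 is missing, which on a dual-stack host leaves IPv6 completely unfiltered while IPv4 is locked down, and nothing in it checks that rules.v4 still lets an administrator in. This POSIX shell audit reads both files (iptables-save format) before you start the service and reports a missing family file, a non-DROP INPUT policy, and a DROP policy with no rule accepting the management port. The /etc/iptables paths are the script's own; the default management port of 22, the function names and the audit subcommand are this example's assumptions.

```sh
#!/bin/sh
# Added example, not part of the iptables-persistent script above.
# Audit /etc/iptables/rules.v4 and rules.v6 (iptables-save format) before
# starting the service. Assumptions: the file layout the script uses; the
# management port defaults to tcp/22 (adjust to taste).

# Print the policy of built-in chain $3 in table $2 of rules file $1,
# or "-" when the table or chain is not declared in the file.
chain_policy() {
    awk -v t="*$2" -v c=":$3" '
        $1 == t             { in_table = 1; next }
        $1 == "COMMIT"      { in_table = 0 }
        in_table && $1 == c { print $2; found = 1; exit }
        END                 { if (!found) print "-" }
    ' "$1"
}

# Succeed when rules file $1 has an INPUT rule accepting tcp connections
# to port $2, i.e. an administrator can still reach the host.
allows_port() {
    grep -Eq -- "^-A INPUT .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1"
}

# Check both address families under directory $1 (default /etc/iptables) for
# management port $2 (default 22). Prints one PROBLEM line per finding and
# returns the number of findings, so 0 means the files are safe to load.
audit_rules_dir() {
    dir="${1:-/etc/iptables}"; port="${2:-22}"; problems=0
    for f in rules.v4 rules.v6; do
        if [ ! -f "$dir/$f" ]; then
            # the init script logs "skipping" here and that family stays open
            echo "PROBLEM: $dir/$f missing, so that address family is unfiltered"
            problems=$((problems + 1))
            continue
        fi
        pol=$(chain_policy "$dir/$f" filter INPUT)
        if [ "$pol" != "DROP" ]; then
            echo "PROBLEM: $f has INPUT policy '$pol', expected DROP"
            problems=$((problems + 1))
        elif ! allows_port "$dir/$f" "$port"; then
            echo "PROBLEM: $f drops by default but never accepts tcp/$port (lockout risk)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

case "${1:-}" in
    audit) audit_rules_dir "${2:-/etc/iptables}" "${3:-22}" ;;
esac
```

Run `./audit.sh audit /etc/iptables 22` before `service iptables-persistent start`; a non-zero exit means at least one of the two files would either lock you out or leave a whole address family open.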
If you're running Ubuntu server as a VM guest (e.g. in VirtualBox) then libvirt may be enabled. If so libvirt contains some in-built network filters which utilise iptables. These filters may be configured as described in the firewall section on nwfilters.
To disable the iptables rules you'll either need to remove all offending rules from libvirt, or you can just disable libvirt if you're not using it - e.g. install a manual override config (then reboot):
The following article on the Ubuntu website describes setting up iptables for use with NetworkManager: https://help.ubuntu.com/community/IptablesHowTo
You are all wrong :-)
The command you are looking for is:
I would first check if it is installed with (it probably is):
On Ubuntu, iptables is not a service. In order to stop it, you have to do the following :
In order to restore your previous rules :
This was taken from http://www.cyberciti.biz/faq/turn-on-turn-off-firewall-in-linux/ and was tested on many Ubuntu 8.X & 9.10 installations.
Create a file in /etc/init.d/
Make the file executable with chmod +x
Make a symlink to that file in /etc/rc2.d/
Edit S80firewall and add the following
You can add all your custom iptables rules to this file
Now you can restart the firewall (iptables) by running /etc/rc2.d/S80firewall (must be root)