{"id":1091,"date":"2015-02-09T01:34:26","date_gmt":"2015-02-09T01:34:26","guid":{"rendered":"https:\/\/trouble.org\/?p=1091"},"modified":"2015-02-09T01:34:26","modified_gmt":"2015-02-09T01:34:26","slug":"really-really-really-nuke-iptables","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1091","title":{"rendered":"really, really, really nuke iptables"},"content":{"rendered":"
\"nukem<\/a>
nuke it from orbit, it’s the only way to be sure<\/figcaption><\/figure>\n

I think this is the way to really clear out all the stuff in iptables, the arcane packet filtering thing for Linux. At least… I think. My take on it, at least. For somewhat modern Linuxes at the time of this writing, IPv4 only.<\/p>\n

Basic method: loop over all the types of tables, flushing… then loop over all the builtin tables for the various types, reset the policies… then erase all chains not in tables.<\/p>\n

All this joy in a shell script below.<\/p>\n

<\/div>\n
#!\/bin\/bash<\/span>
\n
\n#<\/span>
\n# Usage: $0<\/span>
\n#<\/span>
\n
\n#<\/span>
\n# so many tables, so little time... this simply nukes everything in iptables.<\/span>
\n# At least... I think... who really knows?<\/span>
\n#<\/span>
\n# IPv4 ONLY<\/span>
\n#<\/span>
\n# Perhaps you can define your own, I'd never see them. Kernels can have<\/span>
\n# others in or out... can't find any command to just list the tables,<\/span>
\n# probably something simple.<\/span>
\n#<\/span>
\n
\n# Anyway. Basic method - loop over all the types of tables, flushing... <\/span>
\n# then loop over and, based on the builtin tables, reset the policies...<\/span>
\n# then erase all chains not in tables.<\/span>
\n
\necho<\/span> 'killing off routes'<\/span>
\n
\n# kill routes<\/span>
\nip route<\/span> flush cache
\n
\n# who knew there were so many? "filter" is the default table<\/span>
\ntypes_o_tables<\/span>=(<\/span>'-t filter'<\/span> '-t nat'<\/span> '-t mangle'<\/span> '-t raw'<\/span> '-t security'<\/span>)<\/span>
\n
\n#<\/span>
\n# from the man page:<\/span>
\n#<\/span>
\n#    filter:<\/span>
\n#        This is the default table (if no -t option is passed). It contains<\/span>
\n#        the built-in chains INPUT (for packets destined to local sockets),<\/span>
\n#        FORWARD (for packets being routed through the box), and OUTPUT<\/span>
\n#        (for locally-generated packets).<\/span>
\nfilter<\/span>=(<\/span>'INPUT'<\/span> 'FORWARD'<\/span> 'OUTPUT'<\/span>)<\/span>
\n#    <\/span>
\n#    nat:<\/span>
\n#        This table is consulted when a packet that creates a new connection<\/span>
\n#        is encountered.  It consists of three  built-ins:  PREROUTING (for<\/span>
\n#        altering  packets as soon as they come in), OUTPUT (for altering<\/span>
\n#        locally-generated packets before routing), and POSTROUTING (for<\/span>
\n#        altering packets as they are about to go out).  IPv6 NAT support is<\/span>
\n#        available since kernel 3.7.<\/span>
\nnat<\/span>=(<\/span>'PREROUTING'<\/span> 'OUTPUT'<\/span> 'POSTROUTING'<\/span>)<\/span>
\n#    <\/span>
\n#    mangle:<\/span>
\n#        This table is used for specialized packet alteration.  Until kernel<\/span>
\n#        2.4.17 it had two built-in chains: PREROUTING  (for  altering incoming<\/span>
\n#        packets before routing) and OUTPUT (for altering locally-generated<\/span>
\n#        packets before routing).  Since kernel 2.4.18, three other built-in<\/span>
\n#        chains are also supported: INPUT (for packets coming into the box<\/span>
\n#        itself), FORWARD  (for  altering  packets  being routed through the<\/span>
\n#        box), and POSTROUTING (for altering packets as they are about to<\/span>
\n#        go out).<\/span>
\nmangle<\/span>=(<\/span>'PREROUTING'<\/span> 'OUTPUT'<\/span> 'INPUT'<\/span> 'FORWARD'<\/span> 'POSTROUTING'<\/span>)<\/span>
\n#    <\/span>
\n#    raw:<\/span>
\n#        This  table is used mainly for configuring exemptions from connection<\/span>
\n#        tracking in combination with the NOTRACK target.  It registers at<\/span>
\n#        the netfilter hooks with higher priority and is thus called before<\/span>
\n#        ip_conntrack, or any other IP tables.  It provides the following<\/span>
\n#        built-in  chains:  PREROUTING  (for packets arriving via any network<\/span>
\n#        interface) OUTPUT (for packets generated by local processes)<\/span>
\nraw<\/span>=(<\/span>'PREROUTING'<\/span> 'OUTPUT'<\/span>)<\/span>
\n#    <\/span>
\n#    security:<\/span>
\n#        This table is used for Mandatory Access Control (MAC) networking<\/span>
\n#        rules, such as those enabled by the SECMARK and CONNSECMARK targets.<\/span>
\n#        Mandatory Access Control is implemented by Linux Security Modules<\/span>
\n#        such as SELinux.  The security table is called after the filter<\/span>
\n#        table, allowing any Discretionary Access Control (DAC) rules in the<\/span>
\n#        filter table to take effect before  MAC  rules.   This table provides<\/span>
\n#        the following built-in chains: INPUT (for packets coming into the<\/span>
\n#        box itself), OUTPUT (for altering locally-generated packets before<\/span>
\n#        routing), and FORWARD (for altering packets being routed through<\/span>
\n#        the box).<\/span>
\nsecurity<\/span>=(<\/span>'INPUT'<\/span> 'OUTPUT'<\/span> 'FORWARD'<\/span>)<\/span>
\n
\n#<\/span>
\n# flush the tables<\/span>
\n#<\/span>
\necho<\/span> flushing tables....
\nfor<\/span> type_o in<\/span> "${types_o_tables[@]}<\/span>"<\/span>; do<\/span>
\n    echo<\/span> -e<\/span> "\\t<\/span>$type_o<\/span>"<\/span>
\n    iptables $type_o<\/span> -F<\/span>
\ndone<\/span>
\n
\n#<\/span>
\n# reset all the policies<\/span>
\n#<\/span>
\necho<\/span> reset policies
\nfor<\/span> type_o in<\/span> "${types_o_tables[@]}<\/span>"<\/span>; do<\/span>
\n    echo<\/span> -e<\/span> "\\t<\/span>$type_o<\/span>"<\/span>
\n    # have to tear out the -t<\/span>
\n    pol<\/span>=$(<\/span>echo<\/span> $type_o<\/span>|<\/span>awk<\/span> '{print $2}'<\/span>)<\/span>
\n    # echo -e "\\t--> $a"<\/span>
\n
\n    # it's a bit convoluted... so building this up one step at a time<\/span>
\n    e<\/span>=$(<\/span>echo<\/span> \\${$pol[\\*]}<\/span>)<\/span>
\n
\n    # loop over arrays of tables<\/span>
\n    for<\/span> p in<\/span> $(<\/span>eval<\/span> "echo $e<\/span>"<\/span>)<\/span>; do<\/span>
\n        echo<\/span> -e<\/span> "\\t<\/span>\\t<\/span>$p<\/span>"<\/span>
\n    done<\/span>
\ndone<\/span>
\n
\n#<\/span>
\n# erase all chains not in table<\/span>
\n#<\/span>
\necho<\/span> erasing chains...
\nfor<\/span> type_o in<\/span> "${types_o_tables[@]}<\/span>"<\/span>; do<\/span>
\n    echo<\/span> -e<\/span> "\\t<\/span>$type_o<\/span>"<\/span>
\n    iptables $type_o<\/span> -X<\/span>
\ndone<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

I think this is the way to really clear out all the stuff in iptables, the arcane packet filtering thing for Linux. At least… I think. My take on it, at least. For somewhat modern Linuxes at the time of this writing, IPv4 only. Basic method: loop over all the types of tables, flushing… then […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,4,6],"tags":[303,300,298,301,299,302],"class_list":["post-1091","post","type-post","status-publish","format-standard","hentry","category-code","category-security","category-tech","tag-die-die-die","tag-flush","tag-iptables","tag-kill","tag-nuke","tag-stab"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1091"}],"version-history":[{"count":12,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1091\/revisions"}],"predecessor-version":[{"id":1104,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1091\/revisions\/1104"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}