
I'm running a VPS, and would like to reset the iptables rules to their fresh-out-of-the-box default state. These are the commands I've come up with:

#!/bin/sh
echo "Resetting all iptables rules..."

#Reset default table policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Reset nat table policies
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P INPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#Reset mangle table policies
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT 
iptables -t mangle -P FORWARD ACCEPT

#Reset raw table policies
iptables -t raw -P PREROUTING ACCEPT
iptables -t raw -P OUTPUT ACCEPT

#Flush all rules and delete empty chains
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

QUESTIONS:

  1. Are these rules comprehensive enough? I've messed with my iptables and I just want to start from a clean slate.

  2. Will I be locked out of my VPS if I reboot?

  3. Do I need to use the -Z command on every table to zero the packet and byte counters on all rules in a chain? E.g. "iptables -t nat -Z" (and repeat the same for all other tables)?

Thanks!

1 Answer

  1. I think those are pretty good; I can offhand think of no rule that would escape that pruning.

  2. It depends. What are your current arrangements for rules on reboot? If they amount to DROPping everything, then yes, you'll lock yourself out. The script you've shown above is lovely (see 1.), but it's not going to magically be run on reboot.

  3. It depends whether you want the counters to be zeroed or not.

As for not getting locked out, I agree with pauska that doing remote firewall work can be tricky. That's why, before I commit any change I've made to a remote system's firewalls, I do

# at now+5min
at> service iptables stop
at> ^D

If the changes I then commit lock me out, well, I'll be OK to get back in in five minutes. If they don't, I can use atrm to remove the job I just submitted. It's saved my bum a few times! (NB: that service command is good for Red Hat Linuces; you may need to find an equivalent for other unices.)

MadHatter
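An added checker, not part of the question or of MadHatter's answer, for point 1 ("are these comprehensive enough?"): it parses `iptables-save` output (a constructed sample is embedded) and reports anything that still differs from a fresh box, and it derives the reset commands from the tables actually loaded rather than a hard-coded filter/nat/mangle/raw list, with `-Z` optional as in question 3. It assumes well-formed `iptables-save` output, e.g. from `iptables-save | python3 audit.py`.

```python
# Constructed iptables-save sample: filter is still dirty; the security table (absent from a hard-coded filter/nat/mangle/raw list) is clean.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [30:2400]
:SSH_LIMIT - [0:0]
-A INPUT -p tcp --dport 22 -j SSH_LIMIT
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_tables(dump):
    """Map table -> {"policies": {builtin chain: policy}, "user_chains": [...], "rules": [...]}."""
    tables, cur = {}, None                      # assumes well-formed iptables-save output
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue   # blank and "# Generated by" lines
        if line.startswith("*"):                # table header, e.g. "*filter"
            cur = tables.setdefault(line[1:], {"policies": {}, "user_chains": [], "rules": []})
        elif line == "COMMIT": cur = None
        elif line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"; "-" = user chain
            chain, policy, _counters = line[1:].split()
            if policy == "-": cur["user_chains"].append(chain)
            else: cur["policies"][chain] = policy
        else: cur["rules"].append(line)         # -A ... rule lines
    return tables

def findings(dump):
    """Everything that still differs from a fresh box: ACCEPT policies, no user chains, no rules."""
    out = []
    for table, t in sorted(parse_tables(dump).items()):
        out += [f"{table}: policy {c} is {p}" for c, p in t["policies"].items() if p != "ACCEPT"]
        out += [f"{table}: user-defined chain {c} remains" for c in t["user_chains"]]
        out += [f"{table}: {len(t['rules'])} rule(s) remain"] if t["rules"] else []
    return out

def reset_commands(dump, zero_counters=False):
    """Reset commands for every table actually loaded, so no table is missed; -Z only if asked."""
    cmds = []
    for table, t in sorted(parse_tables(dump).items()):
        cmds += [f"iptables -t {table} -P {c} ACCEPT" for c in t["policies"]]
        cmds += [f"iptables -t {table} -F", f"iptables -t {table} -X"]
        cmds += [f"iptables -t {table} -Z"] if zero_counters else []
    return cmds
```

Run `findings()` again on a fresh dump after applying the commands; an empty list means the box is back at defaults.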