Turning on your firewall is easy: just run the fw_nat script. But you also want an easy way to turn it off. This lets you quickly determine whether a problem is caused by the firewall, and lets you make and test changes easily.
Use the following script, which I call /usr/local/bin/fw_flush. This example deletes all the rules in the filter, NAT, and mangle tables; deletes all chains; and resets all packet and byte counters to zero. It also resets all the default policies to ACCEPT (so that nothing is blocked), and turns off forwarding. It's like having no firewall at all:
#!/bin/sh
##/usr/local/bin/fw_flush
#flush script, which deletes all active rules
#and chains, and resets default policies to "accept"
#this is like having no firewall at all

#define variables
ipt="/sbin/iptables"

echo "The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero, and routing is turned off."

#Set default policies to ACCEPT everything
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P INPUT ACCEPT
$ipt -t mangle -P OUTPUT ACCEPT
$ipt -t mangle -P FORWARD ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

#Zero out all counters
$ipt -Z
$ipt -t nat -Z
$ipt -t mangle -Z

#Flush all rules, delete all chains
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X

#Turn off forwarding, so the box stops routing between networks
echo 0 > /proc/sys/net/ipv4/ip_forward
Remember to make this script owned by root only, mode 0700. Run it any time you want to turn your firewall off:
# fw_flush
The firewall is now being shut down. All policies are set to ACCEPT, all rules and chains are deleted, all counters are set to zero, and routing is turned off.
This leaves you wide open, so you should not be connected to untrusted networks.
iptables is not a daemon, so turning off an iptables firewall is more complicated than stopping a service. The rules are loaded into the kernel and stay there. If you just flush all the rules, your default policies will still be active, and since the default policy is usually DROP, no traffic will get through. So the easy way is to use a script like the one in this recipe, which flushes all rules and sets the default policies to ACCEPT.
If you have no firewall scripts activated at boot, rebooting really turns the firewall off—kernel modules are unloaded, and no iptables rules of any kind remain in memory.
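Because a flush that leaves a DROP policy behind looks like a dead network rather than an open one, it is worth checking what state the kernel is actually in. The following script is an added example, not part of this recipe: it reads iptables-save output and reports whether every built-in chain policy is ACCEPT and no rules remain in any table. The iptables-save format is real; the two dumps, the function name fw_is_flushed, and the check_dump wrapper are my own constructions so the check runs without root or iptables. On a live system you would run it as root with iptables-save | fw_is_flushed.

```shell
#!/bin/sh
# Added example (not from the recipe): confirm that a firewall is really
# flushed by inspecting iptables-save output. Sample dumps below are
# constructed so this runs anywhere; on a real box use: iptables-save | fw_is_flushed

# fw_is_flushed: read iptables-save text on stdin. Return 0 when every
# built-in chain policy is ACCEPT and no rules (-A lines) remain in any
# table, otherwise return 1 and name the offending lines on stderr.
fw_is_flushed() {
    awk '
        # policy lines look like ":INPUT DROP [pkts:bytes]";
        # user-defined chains show "-" instead of a policy and are skipped
        /^:/ && $2 != "ACCEPT" && $2 != "-" {
            bad++; print "policy not ACCEPT: " $0 > "/dev/stderr"
        }
        /^-A / {
            bad++; print "rule still loaded: " $0 > "/dev/stderr"
        }
        END { exit (bad ? 1 : 0) }
    '
}

# check_dump: feed a saved dump (a string) through fw_is_flushed.
check_dump() {
    printf '%s\n' "$1" | fw_is_flushed
}

# Constructed sample: what iptables-save shows after fw_flush has run.
FLUSHED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: a NAT firewall still active (DROP policies, rules present).
ACTIVE_DUMP='*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Run with --demo to see both samples checked.
if [ "${1:-}" = "--demo" ]; then
    check_dump "$FLUSHED_DUMP" && echo "flushed dump: firewall is off"
    check_dump "$ACTIVE_DUMP" 2>/dev/null || echo "active dump: firewall still loaded"
fi
```

The check deliberately ignores user-defined chains whose policy column is "-": after fw_flush runs iptables -X they should be gone anyway, but an empty user chain cannot block traffic, so only built-in policies and surviving -A rules count as failures.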
man 8 iptables
Oskar Andreasson's Iptables Tutorial: http://iptables-tutorial.frozentux.net/