
I use RaspBMC as OS which stores its "persistent" iptables configuration in /etc/network/if-up.d/secure-rmc and I presume it's applied when the eth link goes up (e.g. after boot).

If I futz with the rules in the console, how can I reload the "persistent" ones (and discard the futz'd rules)?

There's no 'service' per se for iptables, and trying to service networking restart doesn't seem to help.

I've already locked myself out twice trying variations of ifconfig eth0 down; ifconfig eth0 up (a reboot helps :-) )

Lekensteyn
Cristian Diaconescu

2 Answers


The iptables "rules" commands in secure-rmc are very simplistic:

logger -t iptables "Configuring ip tables for interface $IFACE"
if [ "$IFACE" != "lo" ]; then
    NETMASK=$(get_subnet $IFACE)
    iptables -A INPUT -s $NETMASK -i $IFACE -j ACCEPT
    iptables -A INPUT -i $IFACE -j DROP
fi

(get_subnet is a function that extracts the subnet of interface $IFACE using ifconfig)

These rules can be formulated as:

  • Accept any traffic from the local network on $IFACE.
  • Ignore all other incoming traffic from $IFACE.

I suggest you utilise iptables-save and iptables-restore when playing with firewall rules. Have a look at their manual pages for more details.

Example:

iptables-save > iptables-original.rules
iptables -I INPUT 2 ...
# oops, fscked up, let's roll back to the original ruleset
iptables-restore < iptables-original.rules
Lekensteyn
iptables -F
iptables -X

should do the trick of cleaning your current setup, or you may use the particular chain name you don't like:

iptables -F INPUT

I'd recommend adding these commands at the top of your script issuing iptables commands, so that every time you start from a known situation.

Also, could you please elaborate more about what your goal is? The default setup seems quite reasonable and logical for a device on the local network.

OK, thanks for the clarification. You may revert your settings to the default with:

iptables -A INPUT -s 192.168.1.0/24 -i $IFACE -j ACCEPT
iptables -A INPUT -i $IFACE -j DROP

Just replace the network address with your real local network address and probably add the before-mentioned commands to flush and delete your current chains. Playing with the network up/down scripts is a very proven way to lock yourself out of your Raspberry Pi =)

lenik
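A reload script that combines both answers (snapshot with iptables-save, flush only INPUT, re-add the two secure-rmc rules), as an added example that is not RaspBMC's script nor either answer's code. It assumes eth0 by default, swaps in iproute2's `ip` for the ifconfig-based get_subnet, and must run as root; setting IPTABLES to a shell function lets you dry-run it without touching the firewall.

```shell
#!/bin/sh
# Reload secure-rmc style rules from a clean INPUT chain (added example, not
# RaspBMC's own script). Flush INPUT first, as lenik suggests, then re-add the
# two rules; snapshot with iptables-save first so a bad edit can be rolled back.
# Assumes the INPUT policy is ACCEPT (secure-rmc relies on an explicit DROP
# rule, not a DROP policy); with a DROP policy the flush itself would cut SSH.
IPTABLES="${IPTABLES:-iptables}"   # point at a shell function for a dry run

# Network address of an interface: subnet_of 192.168.1.37 24 -> 192.168.1.0/24
# Pure-shell stand-in for secure-rmc's get_subnet (which parses ifconfig).
subnet_of() {
    prefix=$2
    IFS=. read -r a b c d <<EOF
$1
EOF
    addr=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (4294967295 >> (32 - prefix)) << (32 - prefix) ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Flush only INPUT (not every chain) and re-apply the two persistent rules.
reload_rules() {
    iface=$1; net=$2
    "$IPTABLES" -F INPUT
    "$IPTABLES" -A INPUT -s "$net" -i "$iface" -j ACCEPT
    "$IPTABLES" -A INPUT -i "$iface" -j DROP
}

main() {
    iface=${1:-eth0}
    # "a.b.c.d/prefix" from iproute2 (assumed available; secure-rmc uses ifconfig)
    cidr=$(ip -4 -o addr show dev "$iface" | awk '{ print $4; exit }')
    [ -n "$cidr" ] || { echo "no IPv4 address on $iface" >&2; exit 1; }
    iptables-save > /tmp/iptables-before.rules   # undo: iptables-restore < this file
    reload_rules "$iface" "$(subnet_of "${cidr%/*}" "${cidr#*/}")"
    iptables -S INPUT                            # show what is now in place
}

# Only touch the firewall when an interface is given: sudo sh reload-rmc.sh eth0
if [ $# -gt 0 ]; then main "$@"; fi
```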