#!/bin/bash

# If you used the startfw which I wrote, this script will stop it, i.e.,
# it flushes all the chains in iptables and unloads the ip* modules from kernel
# I (Jan Labanowski, jkl@ccl.net) took it from (I believe) Dirk Bartley
# presentation from http://www.kalamazoolinux.org/presentations/
# Namely, the actual file was:: 
# http://www.kalamazoolinux.org/presentations/20010417/flush
# 
# When you want to stop the firewall just type
#   ./flushfw.sh
# I assume that on a production machine, this script will reside in
# /usr/sbin/ and will be only read/write/executable by root (700)
# I also use this script in the /etc/rc.d/init.d/iptables-jkl script
# which starts iptables on boot.
# 

IPTABLES=/sbin/iptables

# Names of the loaded kernel modules that start with "ip" (lsmod's first
# column), one per line.
# NOTE(review): "^ip" also matches modules unrelated to netfilter (ipv6,
# ipmi_*), and on a kernel with netfilter built in rather than modular the
# list is empty even when rules are loaded, so the early exit below would
# skip the flush -- confirm against the kernels this is deployed on.
IP_MODULES=$(/sbin/lsmod | /bin/awk '{print $1}' | /bin/grep '^ip')
if [ -z "${IP_MODULES}" ]; then
  # Nothing netfilter-related is loaded, so there is nothing to undo.
  echo "No iptables modules found in kernel"
  exit 0
fi

# Flush everything and remove iptables modules

#######################################
# Open up one iptables table: set each built-in chain given to policy
# ACCEPT, then flush every rule and delete every user-defined chain in it.
# Globals:   IPTABLES (read)
# Arguments: $1 - table name (filter, nat, mangle)
#            $2.. - the built-in chains of that table to set to ACCEPT
#######################################
reset_table() {
  local table=$1
  shift
  local chain
  # Policies are opened first so that no packet is left to a DROP policy
  # alone in the moment between flushing the rules and changing the policy.
  for chain in "$@"; do
    $IPTABLES -t "$table" -P "$chain" ACCEPT
  done
  # -F empties every chain of the table, -X then removes the (now empty)
  # user-defined chains.
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
}

reset_table filter INPUT OUTPUT FORWARD
reset_table nat    PREROUTING OUTPUT POSTROUTING
# Only the two mangle chains the original script knew about are set here.
# NOTE(review): newer kernels also have INPUT, FORWARD and POSTROUTING in
# mangle; -F/-X still cover them, but their policy is left untouched.
reset_table mangle PREROUTING OUTPUT

# Not required to stop filtering; this just returns the kernel to the state
# it had before startfw enabled forwarding.
echo 0 > /proc/sys/net/ipv4/ip_forward

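# Names of the loaded kernel modules that start with "ip" (lsmod's first
# column), one per line.
IP_MODULES=$(/sbin/lsmod | /bin/awk '{print $1}' | /bin/grep '^ip')

# Unload them. One rmmod pass can fail for a module that another loaded
# module still depends on, so the list is re-read and the pass repeated.
# The repetition is bounded and stops as soon as a pass removes nothing:
# an unbounded loop here spins forever (sleeping 2 s per turn) whenever a
# matching module can never be unloaded -- one still in use, or one that
# merely shares the "ip" prefix, such as ipv6 -- and because this script is
# also run from the init script, that would stall the boot sequence.
readonly MAX_RMMOD_PASSES=10
pass=0
while [ -n "${IP_MODULES}" ]; do
  if [ "${pass}" -ge "${MAX_RMMOD_PASSES}" ]; then
    # shellcheck disable=SC2086 -- word-splitting joins the names on one line
    echo "Giving up after ${pass} rmmod passes; still loaded:" ${IP_MODULES} >&2
    exit 1
  fi
  pass=$((pass + 1))
  # shellcheck disable=SC2086
  echo Removing modules:${IP_MODULES}
  # Deliberately unquoted: rmmod gets the newline-separated names as
  # separate arguments, exactly as the original loop passed them.
  # shellcheck disable=SC2086
  /sbin/rmmod ${IP_MODULES}
  /bin/sleep 2
  REMAINING=$(/sbin/lsmod | /bin/awk '{print $1}' | /bin/grep '^ip')
  if [ "${REMAINING}" = "${IP_MODULES}" ]; then
    # The pass changed nothing, so another one would not either.
    # shellcheck disable=SC2086
    echo "Cannot unload (still in use, or not netfilter modules?):" ${REMAINING} >&2
    exit 1
  fi
  IP_MODULES=${REMAINING}
done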






