Ubuntu-12.04 [SOLVED]: iptables restart returns: Bad argument 'restart'





    Anonymous

    Question

    I have an Ubuntu 12.04 LTS system running for a couple of years now. Yesterday a power outage forced my computer down. With power restored, I booted the system and everything seemed to start fine, with the exception of iptables. Whenever I have rebooted this system, ufw always starts, even though I have configured it not to. I prefer iptables simply because I know it, so I shut down ‘ufw’ and reconfigure iptables and restart it with the following procedure:

    sudo ufw disable
    
    sudo ip_tables_reset.sh
    sudo ip_tables_config.sh
    
    sudo iptables restart
    

    and verify with

    sudo iptables -S
    

    which returns:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j DROP
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    

    Now the line

    sudo iptables restart
    

    returns with

    Bad argument 'restart'
    

    But I have used this procedure faithfully for years now. I have not installed any updates that I am aware of recently.

    What has changed that this reliable method now fails?

    reference:
    iptables v1.4.12


    Anonymous

    Accepted Answer

    you mention this command

    sudo iptables restart  #  wrong usage, it's not a service
    

    the below set of scripts is how you back up, enable or disable your firewall … first verify you have the package installed

    dpkg -l | grep iptables
    

    one way to view current iptable settings

    sudo iptables -L -n
    

    the canonical way to show current iptable rules (display only no changes)

    sudo iptables-save
    

    looking at your rules you are not blocking incoming traffic (your shields are down), whereas the following does block all incoming traffic except specified ports

    *filter
    :INPUT DROP [331:17104]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [9727:1360720]
    :GitHubWebHooks - [0:0]
    -A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
    -A GitHubWebHooks -j DROP
    COMMIT
    

    notice I open up a specific IP address 192.30.252.0/22 so I can run a server listening for incoming traffic, so all mentions of GitHubWebHooks are optional … if you save the above into a file, then load that file as your rules, you will be good to go … shields up

    before you change anything let's dump your current rules into an output file

    vi firewall_save_current_rules.sh

    #!/usr/bin/env bash
    
    set -o errexit  #  exit on error
    
    #  dump current iptable rules to file
    
    if [[ $EUID -ne 0 ]]; then
       echo "This script must be run as root"
       exit 1
    fi
    
    # ........
    
    curr_timestamp=$(date '+%H%M%S%N')
    
    curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules
    
    rulesdir=$( dirname $curr_rulesfile )
    
    if [[ ! -d $rulesdir ]]; then
    
        echo about to create dir $rulesdir
        mkdir $rulesdir
    fi
    
    iptables-save > ${curr_rulesfile}  # dump current iptable rules into output timestamped file
    
    
    echo curr_rulesfile $curr_rulesfile
    

    now execute above script to save your current iptable rules

    sudo ./firewall_save_current_rules.sh
    

    below code will define a new set of rules where we block all incoming traffic by default except specified ports (especially the ssh port + normal http and https ports)

    vi firewall_shields_up.sh

    #!/usr/bin/env bash
    
    set -o errexit  #  exit on error
    
    #  create new set of iptable rules from inline list of rules - Block all incoming traffic by default except specified
    
    if [[ $EUID -ne 0 ]]; then
       echo "This script must be run as root"
       exit 1
    fi
    
    # ........
    
    
    curr_timestamp=$(date '+%H%M%S%N')
    
    new_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.new_rules
    
    rulesdir=$( dirname $new_rulesfile )
    
    if [[ ! -d $rulesdir ]]; then
    
        echo about to create dir $rulesdir
        mkdir $rulesdir
    fi
    
    # .....  park into a new file below list of iptable rules
    
    cat << EOF > ${new_rulesfile}
    
    *filter
    :INPUT DROP [331:17104]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [9727:1360720]
    :GitHubWebHooks - [0:0]
    -A INPUT -p tcp -m tcp --dport 9000 -j GitHubWebHooks
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A GitHubWebHooks -s 192.30.252.0/22 -j ACCEPT
    -A GitHubWebHooks -j DROP
    COMMIT
    
    EOF
    
    
    echo new_rulesfile $new_rulesfile
    
    
    iptables-restore <  ${new_rulesfile}  #  engage new iptable rules from file
    
    
    echo here is new iptable settings
    
    iptables-save
    
    
    #  ... if you are running docker you will want to bounce its daemon
    #  sudo service docker restart
    

    execute above script to define new iptable rules

    sudo ./firewall_shields_up.sh 
    

    for completeness below is a troubleshooting script which will effectively disable the firewall by opening up all incoming and outgoing traffic … run it if you want an empty slate, however run the above firewall_shields_up.sh to put back a proper firewall

    vi firewall_shields_down.sh

    #!/usr/bin/env bash
    
    set -o errexit  #  exit on error
    
    #  open up all incoming and outgoing traffic ... effectively disabling the firewall
    
    if [[ $EUID -ne 0 ]]; then
       echo "This script must be run as root"
       exit 1
    fi
    
    # ........ let's first backup current rules into timestamped file
    
    curr_timestamp=$(date '+%H%M%S%N')
    
    curr_rulesfile=/etc/iptables/rules.v4.${curr_timestamp}.current_rules_before_opening_up_all_traffic
    
    rulesdir=$( dirname $curr_rulesfile )
    
    if [[ ! -d $rulesdir ]]; then
    
        echo about to create dir $rulesdir
        mkdir $rulesdir
    fi
    
    iptables-save > ${curr_rulesfile}  # dump current iptable rules into output timestamped file
    
    echo curr_rulesfile $curr_rulesfile
    
    # ... now alter iptables to lower shield
    
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    
    # ... display new iptable rules
    
    echo
    echo following are the new iptable rules after we opened up all incoming and outgoing traffic
    echo
    
    iptables-save
    

    Source: https://askubuntu.com/questions/924642/iptables-restart-returns-bad-argument-restart
    Author: Scott Stensland
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
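As an added example (not code from the question or the answer), a small Python auditor for the two rule formats this thread shows, `iptables -S` output and an iptables-save file: it reports what the INPUT chain admits from other hosts, follows the jump into the GitHubWebHooks chain so the 192.30.252.0/22 restriction is attributed to port 9000, and keeps the `-i lo` rules separate. It reads `iptables-save` output on stdin and understands only the matches used in the thread's rules (-p, --dport, -i, -s, -m state); anything else is ignored, which is an assumption of this example.

```python
import sys
# Added example, not code from the question or the answer: audit what the INPUT chain
# admits from other hosts, given `iptables -S` output or an iptables-save file.
FLAGS = {"-p": "proto", "--dport": "dport", "-i": "iface", "-s": "src", "--state": "state", "-j": "target"}

def parse_rules(text):
    """Return ({chain: policy}, [rule dicts]); a user-defined chain gets policy '-'."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "COMMIT" or toks[0][0] in "*#":
            continue
        if toks[0][0] == ":":                       # ':INPUT DROP [331:17104]'
            policies[toks[0][1:]] = toks[1]
        elif toks[0] == "-P":                       # '-P INPUT ACCEPT'
            policies[toks[1]] = toks[2]
        elif toks[0] == "-N":                       # '-N GitHubWebHooks'
            policies[toks[1]] = "-"
        elif toks[0] == "-A":                       # '-A CHAIN <matches> -j TARGET'
            rule = {"chain": toks[1]}
            rule.update({FLAGS[t]: toks[i + 1] for i, t in enumerate(toks) if t in FLAGS})
            rules.append(rule)
    return policies, rules

def audit_input(text):
    """Classify INPUT-chain rules by what they admit off-box, following jumps into user chains."""
    policies, rules = parse_rules(text)
    report = {"policy": policies.get("INPUT", "ACCEPT"),   # kernel default when no policy is set
              "accept": set(), "deny": set(), "loopback_only": set(), "stateful": set()}

    def walk(chain, ctx):
        for r in [r for r in rules if r["chain"] == chain]:
            m = {**ctx, **{k: v for k, v in r.items() if k not in ("chain", "target")}}
            svc = m.get("proto", "any") + ("/" + m["dport"] if "dport" in m else "")
            if m.get("iface") == "lo":              # reachable only from the host itself
                report["loopback_only"].add(svc)
            elif "state" in m:                      # replies to outbound traffic, not new ingress
                report["stateful"].add(m["state"])
            elif r["target"] in ("ACCEPT", "DROP", "REJECT"):
                verdict = "accept" if r["target"] == "ACCEPT" else "deny"
                report[verdict].add(svc + " from " + m.get("src", "any"))
            elif policies.get(r["target"]) == "-":  # jump into a user-defined chain
                walk(r["target"], m)
    walk("INPUT", {})
    return report

if __name__ == "__main__":                          # usage: sudo iptables-save | python3 audit.py
    for key, val in audit_input(sys.stdin.read()).items():
        print(key, sorted(val) if isinstance(val, set) else val)
```

Fed the answer's ruleset it reports tcp/22 and icmp accepted from anywhere, tcp/9000 accepted only from 192.30.252.0/22 and otherwise dropped, and ports 80 and 443 reachable over loopback only; fed the question's `iptables -S` output it reports policy ACCEPT with only tcp/22 denied, which is the exposure the answer calls shields down.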
