On 10/26/18, Andrew Pearce <andrew at andew.org.uk> wrote:
> On 2018-10-26 16:25, mark wrote:
> I believe this should remove any ipv6 rules (rules and chains)
>
> ip6tables -F
> ip6tables -X

You might want to clear the other tables, too:

for x in filter nat mangle raw security ""
do
    ip6tables ${x:+-t $x} -F
    ip6tables ${x:+-t $x} -X
done

> You may need to set the default policies as well, as I believe they are
> to deny all incoming and unrestricted outgoing
>
> ip6tables -P INPUT DROP
> ip6tables -P FORWARD DROP
> ip6tables -P OUTPUT ACCEPT

firewalld appears to leave the policies as ACCEPT, which is their default.
Gordon Messmer wrote:
> On 10/26/18, Andrew Pearce <andrew at andew.org.uk> wrote:
>
>> On 2018-10-26 16:25, mark wrote:
>> I believe this should remove any ipv6 rules (rules and chains)
>>
>> ip6tables -F
>> ip6tables -X
>
> You might want to clear the other tables, too:
>
> for x in filter nat mangle raw security ""
> do
>     ip6tables ${x:+-t $x} -F
>     ip6tables ${x:+-t $x} -X
> done
>
>> You may need to set the default policies as well, as I believe they are
>> to deny all incoming and unrestricted outgoing
>>
>> ip6tables -P INPUT DROP
>> ip6tables -P FORWARD DROP
>> ip6tables -P OUTPUT ACCEPT
>>
>
> firewalld appears to leave the policies as ACCEPT, which is their
> default.

I think y'all misunderstood me - I just want to say "turn off", run my
script to test it, and turn it back on.

However, I found out something: iptables -L gives the rules,
also....*only* for IPv4; ip6tables -L does the same for only 6. And it
does look as though by shutting down ip6tables, it did turn them off -
ip6tables shows on 8 lines, which are all ACCEPT. I'd been looking at the
o/p of iptables-save, and ip6tables-save.

Thanks, though.

    mark
On 10/26/18 10:19 AM, mark wrote:
> I think y'all misunderstood me - I just want to say "turn off", run my
> script to test it, and turn it back on.

I think we understood what you meant, but firewalld doesn't offer a
mechanism to turn off only ipv6 rules that I'm aware of.  So you'd need to
use ip6tables directly, clear the rules, and then reload firewalld when
you wanted to re-enable them.

> However, I found out something: iptables -L gives the rules,
> also....*only* for IPv4; ip6tables -L does the same for only 6. And it
> does look as though by shutting down ip6tables, it did turn them off -

I'm assuming that you mean "systemctl disable ip6tables" which works if
you have the iptables init scripts installed.  They normally aren't.  The
advice offered will work on a default installation.
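The following script is an added example and not code from anyone in the thread. It turns the two pieces of advice above (Gordon's loop over every ip6tables table in the first message, and his "clear the rules, then bring them back" procedure in the last one) into a save / flush / restore cycle that fits mark's "turn off, test, turn back on" goal. It assumes the iptables userland (ip6tables, ip6tables-save, ip6tables-restore) is installed; the IP6T*, TABLES_FILE and SAVE_FILE variables are this example's own knobs, overridable so the logic can be exercised without root. One point the loop on the page does not handle: a table that the kernel has not loaded (the "security" table on older kernels, for instance) makes ip6tables fail, so the script reads the loaded tables from /proc/net/ip6_tables_names when it can.

```shell
#!/bin/sh
# Added example, not from the thread: disable all IPv6 netfilter rules for a
# test run, then restore them. Variables below are overridable for dry runs.

IP6T=${IP6T:-ip6tables}
IP6T_SAVE=${IP6T_SAVE:-ip6tables-save}
IP6T_RESTORE=${IP6T_RESTORE:-ip6tables-restore}
# The kernel lists the IPv6 tables it actually has loaded here; flushing a
# table that is not loaded is an error, so prefer this list when readable.
TABLES_FILE=${TABLES_FILE:-/proc/net/ip6_tables_names}
# Where the pre-test ruleset is kept so it can be put back afterwards.
SAVE_FILE=${SAVE_FILE:-/var/tmp/ip6tables.saved}

# Tables to clear: the loaded ones when the kernel tells us, otherwise the
# full set named in the thread (the default table is "filter").
ip6_tables() {
    if [ -r "$TABLES_FILE" ]; then
        cat "$TABLES_FILE"
    else
        printf '%s\n' filter nat mangle raw security
    fi
}

# Flush rules and delete user-defined chains in every table, then reset the
# built-in filter policies to ACCEPT (the kernel's and firewalld's default).
ip6_flush() {
    for t in $(ip6_tables); do
        "$IP6T" -t "$t" -F || return 1
        "$IP6T" -t "$t" -X || return 1
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$IP6T" -t filter -P "$chain" ACCEPT || return 1
    done
}

# Snapshot the complete IPv6 ruleset (all tables and policies) first, so the
# flush can be undone, then flush.
ip6_disable() {
    "$IP6T_SAVE" > "$SAVE_FILE" || return 1
    ip6_flush
}

# Put the saved ruleset back. ip6tables-restore replaces whole tables in one
# step, so there is no window with a half-built ruleset. Refuse to run on a
# missing or empty snapshot rather than silently leaving the host open.
ip6_enable() {
    [ -s "$SAVE_FILE" ] || return 1
    "$IP6T_RESTORE" < "$SAVE_FILE"
}

if [ $# -gt 0 ]; then
    case "$1" in
        disable) ip6_disable ;;
        enable)  ip6_enable ;;
        *) echo "usage: $0 disable|enable" >&2; exit 2 ;;
    esac
fi
```

Run `./ip6-test.sh disable` as root before the test and `./ip6-test.sh enable` after it. On a firewalld host the snapshot route is optional: `firewall-cmd --reload`, as Gordon suggests, regenerates the IPv6 rules from firewalld's own configuration, and is the right choice if firewalld might have been changed during the test. Whichever way the rules come back, `ip6tables -S` (or `ip6tables-save`) is the check that the policies are no longer ACCEPT and the expected chains exist again.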