Linux iptables rejected - How do I enable it back?

So I have a client in my network connected to the router through my computer with arpspoof. When I now want to stop the packet forwarding I execute:

iptables -A FORWARD -j REJECT

that is working how I expected. But when I try to do something like:

iptables -A FORWARD -j ACCEPT

I cannot manage to make the packets go through like in the beginning.

Am I doing something wrong or are there any other arguments I should use different from "ACCEPT"?


Solution 1:

IPtables has a list of rules, and for each packet, it checks the list of rules in order. Once a rule is found that matches the packet and specifies a policy (ACCEPT, REJECT, DROP), the fate of the matching packet is determined; no more rules are examined.

This means that the order in which you run commands is important. When you use iptables -A, you add a rule to the end of the list of rules, so you will end up with a rule list that looks like this:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere

Since the REJECT rule comes before the ACCEPT rule, it gets triggered first, and thus forwarding won't happen.

You will therefore need to delete the REJECT rule instead of adding an ACCEPT rule. To delete the REJECT rule, run

iptables -D FORWARD -j REJECT

For more information, read the iptables manpage.

Solution 2:

The -A flag tells iptables to append the rule to the chain, meaning it ends up under your REJECT rule, and since the first rule matches, it's never used.

You list your rules with iptables -L FORWARD and you will see this yourself. To get rid of the rule you added, run

iptables -D FORWARD -j REJECT

until there are no more such rules in the chain.

Solution 3:

What about placing, at the end of FORWARD, a rule that jumps into a new chain which contains only one rule? It may be ACCEPT or REJECT. Say...

iptables -N accept-chain
iptables -A accept-chain -j ACCEPT
iptables -A FORWARD -j accept-chain

After that, you can change this one rule in accept-chain with something like

iptables -R accept-chain 1 -j REJECT

to disable traffic, or -j ACCEPT to enable it.

Also, what about turning routing on and off with

echo "0" > /proc/sys/net/ipv4/ip_forward

to disable packet forwarding, and "1" to enable it.
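The first-match behaviour described in Solution 1 and the dedicated-chain toggle from Solution 3 can be checked without touching a live firewall. The following is an added example, not code from any of the answers: a small Python model of how netfilter walks a chain (first terminal target wins, a user-defined chain returns to the caller when it runs out of rules, the chain policy applies last). It assumes every rule matches every packet, as the rules in the question do, since they carry no match criteria.

```python
# Minimal model of iptables chain evaluation (constructed for illustration).
# Only the targets ACCEPT / REJECT / DROP and jumps to user chains are modelled;
# rule matching is omitted because the rules in question match all packets.
TERMINAL = {"ACCEPT", "REJECT", "DROP"}


class Ruleset:
    def __init__(self):
        self.chains = {"FORWARD": []}         # built-in chain, as in the question
        self.policy = {"FORWARD": "ACCEPT"}   # "Chain FORWARD (policy ACCEPT)"

    def new_chain(self, name):                # iptables -N <name>
        self.chains[name] = []

    def append(self, chain, target):          # iptables -A <chain> -j <target>
        self.chains[chain].append(target)

    def delete(self, chain, target):          # iptables -D <chain> -j <target>
        self.chains[chain].remove(target)     # removes the first matching rule only

    def replace(self, chain, num, target):    # iptables -R <chain> <num> -j <target>
        self.chains[chain][num - 1] = target  # rule numbers are 1-based

    def verdict(self, chain="FORWARD"):
        """Walk the chain in order; the first terminal target decides the packet."""
        for target in self.chains[chain]:
            if target in TERMINAL:
                return target
            if target in self.chains:         # jump into a user-defined chain
                sub = self.verdict(target)
                if sub is not None:
                    return sub                # otherwise the sub-chain returned; keep going
        return self.policy.get(chain)         # user chains have no policy -> None


def asker_sequence():
    rs = Ruleset()
    rs.append("FORWARD", "REJECT")            # stops forwarding
    rs.append("FORWARD", "ACCEPT")            # lands below REJECT, so it is never reached
    return rs.verdict()                       # still REJECT


def fix_by_delete():
    rs = Ruleset()
    rs.append("FORWARD", "REJECT")
    rs.append("FORWARD", "ACCEPT")
    rs.delete("FORWARD", "REJECT")            # Solution 1: remove the REJECT rule
    return rs.verdict()


def toggle_chain():
    rs = Ruleset()
    rs.new_chain("accept-chain")              # Solution 3: one-rule chain as a switch
    rs.append("accept-chain", "ACCEPT")
    rs.append("FORWARD", "accept-chain")
    on = rs.verdict()
    rs.replace("accept-chain", 1, "REJECT")   # flip the single rule to disable
    off = rs.verdict()
    rs.replace("accept-chain", 1, "ACCEPT")   # and back to enable
    return on, off, rs.verdict()
```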