
Using the shell in crosh in ChromeOS I followed some (apparently terrible) advice to flush my iptables, using the command

sudo iptables -F

I am now unable to connect to the internet at all. All web pages return the 'This webpage is not available' screen.

I'd really like to not have to wipe my installation but it's the only way I know how to fix it. I've spent some time setting up Ubuntu using crouton and don't want my work to be undone so if anyone has any ideas how to fix this it would be greatly appreciated.

EDIT 1: step 2 of https://code.google.com/p/chromium/issues/detail?id=181743 has allowed me to connect to the internet. Is this thorough enough?

EDIT 2: As requested, here is the output of

sudo iptables -L


Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
Makkasu
  • Can you `ping 8.8.8.8`? – terdon Oct 24 '13 at 00:35
  • Yes, but that's after following this link: https://code.google.com/p/chromium/issues/detail?id=181743 (I followed step 2). Is this comprehensive? Or do I need more? – Makkasu Oct 24 '13 at 00:41
  • 1
    I really don't know, does it work? I know very very little about this but I think the experts will need more information to be able to help you. Please [edit] your question and add the output of `sudo iptables -L`. – terdon Oct 24 '13 at 00:46
  • Thanks for the help, yeah it does seem to work I'm just worried I might run into more problems down the line if the table isn't very complete. I'm actually having trouble finding other computers on my local network. – Makkasu Oct 24 '13 at 00:55
  • 1
    If it makes you feel any better, [here](http://pastebin.com/DDyqSkHB) is mine which is what was set up by default. I have never run a single `iptables` command. – terdon Oct 24 '13 at 00:58
  • Ha, fair enough. Thanks for the speedy responses! – Makkasu Oct 24 '13 at 01:04

2 Answers


Change your policies to ACCEPT for starters.

$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

Afterwards things should look like this:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination     

This gets you working (maybe), but you still have all those rules to deal with. You can drop them out completely as well.

$ iptables -F

Then do the commands above.

NOTE: The above is what I would consider a "shields down" approach and will get you working but leave you exposed, since there is essentially no firewall filtering occurring.

Once you come to this setup, you can re-apply rules to get things the way you want. If you need further guidance on iptables, this tutorial is a good place to start.

slm
  • Could you expand on that - I'm completely new to this. Would your config allow me to ssh into my machine from another? Does it leave me with security problems? Thanks – Makkasu Oct 24 '13 at 01:16
  • @Makkasu - this leaves you with "shields down" basically, but gets you on the internet. You can always come back to this reference point if things go off the rails. You can then bring those rules from that tutorial back into the mix. – slm Oct 24 '13 at 01:18
  • The tutorial rules are allowing me access to the internet, if I find them too restrictive I'll follow your 'shields down' approach, ty – Makkasu Oct 24 '13 at 01:22
  • 1
    @Makkasu - they shouldn't be too restrictive. The default policies of DROP are usually what filter things out too much. They are the catchall rule for when nothing above matches. Basically the kitchen sink rule, which drops any non-matching packets to the bit bucket. – slm Oct 24 '13 at 01:24
  • 1
    @Makkasu - a cursory look at the rules, they look OK to me for ssh into the box + anything going out. – slm Oct 24 '13 at 01:25

I've just been through this experience, hopefully this will help.

First, try a reboot of your chromebook. Changes by iptables are not permanent! This alone just fixed the issue for me.

If you do need to rebuild iptables from scratch, the set of rules from your link (from 2009) isn't quite ideal. For example, you don't really want to allow port 22 inbound, since a chromebook is not a server.

Here are the default Chromebook iptables rules, which you can import with iptables-restore. Don't forget to make them permanent to survive a reboot - there are several ways of doing this.

$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Sat May 10 17:29:37 2014
*mangle
:PREROUTING ACCEPT [7640:4572669]
:INPUT ACCEPT [7559:4562904]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6214:1199995]
:POSTROUTING ACCEPT [6264:1203395]
COMMIT
# Completed on Sat May 10 17:29:37 2014
# Generated by iptables-save v1.4.21 on Sat May 10 17:29:37 2014
*filter
:INPUT DROP [158:18175]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -j NFQUEUE --queue-num 10000
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j NFQUEUE --queue-num 10001
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Sat May 10 17:29:37 2014
Air
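Both answers come down to the same check: what are the default policies, and is there a stateful ACCEPT in front of them? The following is an added example (not code from either answer or from ChromeOS) that parses the *filter table of an iptables-save dump and reports the three states discussed on this page: the post-flush state (DROP policies with no rules, so even replies to your own connections are dropped), the "shields down" state of the first answer (ACCEPT policies, nothing filtered), and the second answer's point that an inbound port such as 22 accepted from any source is not what a Chromebook wants. The default Chromebook ruleset is copied from the answer above; the other three dumps are constructed to match the states the thread describes. The parser covers only the subset of iptables-save syntax used here (no `!` negation, one `-m` per rule).

```python
"""Audit the *filter table of an iptables-save dump (added example, not from the page)."""


# Sample copied from the answer above: the default Chromebook filter table (mangle omitted).
CHROMEBOOK_DEFAULT = """\
*filter
:INPUT DROP [158:18175]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -j NFQUEUE --queue-num 10000
-A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j NFQUEUE --queue-num 10001
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

# Constructed: the table right after `sudo iptables -F` with the DROP policies left in place.
AFTER_FLUSH = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
"""

# Constructed: the "shields down" state from the first answer (ACCEPT policies, no rules).
SHIELDS_DOWN = AFTER_FLUSH.replace('DROP', 'ACCEPT')

# Constructed from the question's `iptables -L` listing: ssh accepted from any source.
REBUILT_WITH_SSH = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def _parse_rule(tokens):
    """Turn the tokens of an '-A CHAIN ...' line into (chain, {flag: value})."""
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith('-'):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            opts[flag] = True  # bare flag with no argument
            i += 1
    return chain, opts


def parse_filter(dump):
    """Return (policies, rules) for the *filter table; rules are (chain, opts) pairs."""
    policies, rules, in_filter = {}, [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            in_filter = line == '*filter'
        elif not in_filter:
            continue
        elif line == 'COMMIT':
            in_filter = False
        elif line.startswith(':'):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith('-A '):
            rules.append(_parse_rule(line.split()))
    return policies, rules


def _states(opts):
    """Connection states a rule matches, for both conntrack --ctstate and legacy --state."""
    return set((opts.get('--ctstate') or opts.get('--state') or '').split(','))


def audit(dump):
    """Return human-readable findings for a dump; an empty list means nothing was flagged."""
    policies, rules = parse_filter(dump)
    inbound = [o for c, o in rules if c == 'INPUT']
    outbound = [o for c, o in rules if c == 'OUTPUT']

    def accepts(o):
        return o.get('-j') == 'ACCEPT'

    findings = []
    # A DROP policy is the catch-all: without a stateful ACCEPT in front of it, even
    # replies to the machine's own connections are dropped (the post-flush symptom).
    if policies.get('INPUT') == 'DROP':
        if not any(accepts(o) and 'ESTABLISHED' in _states(o) for o in inbound):
            findings.append('INPUT: policy DROP with no RELATED,ESTABLISHED accept; '
                            'replies to outgoing connections are dropped')
        if not any(accepts(o) and o.get('-i') == 'lo' for o in inbound):
            findings.append('INPUT: loopback (-i lo) is not accepted')
    if policies.get('OUTPUT') == 'DROP' and not any(
            accepts(o) and 'NEW' in _states(o) for o in outbound):
        findings.append('OUTPUT: policy DROP with no NEW accept; no connection can be opened')
    # ACCEPT policies mean nothing at all is filtered on that chain.
    for chain in ('INPUT', 'OUTPUT'):
        if policies.get(chain) == 'ACCEPT':
            findings.append(f'{chain}: policy ACCEPT, nothing is filtered (shields down)')
    # Listening ports accepted with no source, destination or interface restriction.
    for o in inbound:
        port = o.get('--dport')
        if accepts(o) and port and not any(k in o for k in ('-s', '-d', '-i')):
            findings.append(f'INPUT: {o.get("-p", "any")}/{port} accepted from any source')
    return findings


if __name__ == '__main__':
    for name in ('CHROMEBOOK_DEFAULT', 'AFTER_FLUSH', 'SHIELDS_DOWN', 'REBUILT_WITH_SSH'):
        print(name, audit(globals()[name]) or ['nothing flagged'])
```

Run it against `sudo iptables-save` output from a real machine by passing the dump string to `audit()`; the default Chromebook table produces no findings because its only unrestricted inbound accepts are the stateful one, loopback and ICMP, while the mDNS rule is limited to the multicast destination. The flushed table shows why nothing loaded: the DROP catch-all is hit before any stateful rule, not because the policy itself is wrong.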