Old 01-24-2011, 05:47 PM
Jarry
 
modifying iptables: how can I prevent locking me out?

Hi,

I have to change rather complex iptables rules on server
and I do not want to lock me out as this server is about
50 miles away. So how should I do it?

I can back up the old rules by running:
/etc/init.d/iptables save
and it will be saved to /var/lib/iptables/rules-save
(some strange format starting with number like [536:119208])

I prepared a script with new (modified) iptables-rules,
which I will run in bash. But in case I screw something,
how could I force netfilter to load old saved rules,
if I for whatever reason do not connect to server (ssh)?

Or can I load new iptables-rules for certain time, and
then force netfilter to load back the old rules again?

Jarry

--
_____________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.
 
Old 01-24-2011, 05:59 PM
Mark Knecht
 
modifying iptables: how can I prevent locking me out?

On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
> Hi,
>
> I have to change rather complex iptables rules on server
> and I do not want to lock me out as this server is about
> 50 miles away. So how should I do it?
>
> I can back up the old rules by running:
> /etc/init.d/iptables save
> and it will be saved to /var/lib/iptables/rules-save
> (some strange format starting with number like [536:119208])
>
> I prepared a script with new (modified) iptables-rules,
> which I will run in bash. But in case I screw something,
> how could I force netfilter to load old saved rules,
> if I for whatever reason do not connect to server (ssh)?
>
> Or can I load new iptables-rules for certain time, and
> then force netfilter to load back the old rules again?
>
> Jarry
>

Maybe a cron job that no matter what reloads the old rules 1 hour later?

- Mark
 
Old 01-24-2011, 06:06 PM
kashani
 
modifying iptables: how can I prevent locking me out?

On 1/24/2011 10:59 AM, Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
>> Hi,
>>
>> I have to change rather complex iptables rules on server
>> and I do not want to lock me out as this server is about
>> 50 miles away. So how should I do it?
>>
>> I can back up the old rules by running:
>> /etc/init.d/iptables save
>> and it will be saved to /var/lib/iptables/rules-save
>> (some strange format starting with number like [536:119208])
>>
>> I prepared a script with new (modified) iptables-rules,
>> which I will run in bash. But in case I screw something,
>> how could I force netfilter to load old saved rules,
>> if I for whatever reason do not connect to server (ssh)?
>>
>> Or can I load new iptables-rules for certain time, and
>> then force netfilter to load back the old rules again?
>>
>> Jarry
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark

Yep, that's the way I do it. I'd test that the cron works correctly
beforehand. Nothing worse than locking yourself out *and* realizing your
cron has a path issue.

kashani
 
Old 01-24-2011, 06:16 PM
Mark Knecht
 
modifying iptables: how can I prevent locking me out?

On Mon, Jan 24, 2011 at 11:06 AM, kashani <kashani-list@badapple.net> wrote:
> On 1/24/2011 10:59 AM, Mark Knecht wrote:
>>
>> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I have to change rather complex iptables rules on server
>>> and I do not want to lock me out as this server is about
>>> 50 miles away. So how should I do it?
>>>
>>> I can back up the old rules by running:
>>> /etc/init.d/iptables save
>>> and it will be saved to /var/lib/iptables/rules-save
>>> (some strange format starting with number like [536:119208])
>>>
>>> I prepared a script with new (modified) iptables-rules,
>>> which I will run in bash. But in case I screw something,
>>> how could I force netfilter to load old saved rules,
>>> if I for whatever reason do not connect to server (ssh)?
>>>
>>> Or can I load new iptables-rules for certain time, and
>>> then force netfilter to load back the old rules again?
>>>
>>> Jarry
>>>
>>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> - Mark
>>
>
> Yep, that's the way I do it. I'd test that the cron works correctly
> beforehand. Nothing worse than locking yourself out *and* realizing your
> cron has a path issue.
>
> kashani

Maybe first add a rule that won't lock yourself out. Install the new
file, make sure the rule is there, then wait an hour. Make sure the
rule is gone. Make sure the cron logs show the work was done. Go
through a couple of reboots and make sure the old rules (or new rules)
come up.

Once all that works going to the new, scary file should be less scary.

- Mark
 
Old 01-24-2011, 08:08 PM
Manuel Klemenz
 
modifying iptables: how can I prevent locking me out?

On Monday 24 January 2011 19:59:16 Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
> > Hi,
> >
> > I have to change rather complex iptables rules on server
> > and I do not want to lock me out as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and it will be saved to /var/lib/iptables/rules-save
> > (some strange format starting with number like [536:119208])
> >
> > I prepared a script with new (modified) iptables-rules,
> > which I will run in bash. But in case I screw something,
> > how could I force netfilter to load old saved rules,
> > if I for whatever reason do not connect to server (ssh)?
> >
> > Or can I load new iptables-rules for certain time, and
> > then force netfilter to load back the old rules again?
> >
> > Jarry
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark

Another option would be to set up and run a knock daemon (net-misc/knock), if
that's an option for you. You'd have the advantage of not being forced to wait
for an hour (worst case). On the other hand you must make sure that none of
the configured knocking ports are blocked in the infrastructure between you and
the server.

--
Cheers,
Manuel Klemenz
 
Old 01-24-2011, 08:40 PM
"J. Roeleveld"
 
modifying iptables: how can I prevent locking me out?

On Monday 24 January 2011 19:47:43 Jarry wrote:
> Hi,
>
> I have to change rather complex iptables rules on server
> and I do not want to lock me out as this server is about
> 50 miles away. So how should I do it?
>
> I can back up the old rules by running:
> /etc/init.d/iptables save
> and it will be saved to /var/lib/iptables/rules-save
> (some strange format starting with number like [536:119208])
>
> I prepared a script with new (modified) iptables-rules,
> which I will run in bash. But in case I screw something,
> how could I force netfilter to load old saved rules,
> if I for whatever reason do not connect to server (ssh)?
>
> Or can I load new iptables-rules for certain time, and
> then force netfilter to load back the old rules again?
>
> Jarry

You could add the necessary rule(s) to ensure existing connections stay
active.
That way you can enable the new rules and test by opening a new SSH
connection to the server.
If that works, you're ok.
If not, you can use the existing SSH connection to go back to the old rules.

--
Joost
 
Old 01-24-2011, 08:50 PM
Neil Bothwick
 
modifying iptables: how can I prevent locking me out?

On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:

> Maybe a cron job that no matter what reloads the old rules 1 hour later?

Wouldn't at make more sense? You don't want the thing to keep reloading
your old config, at will do it once, and you can remove the task from the
at queue once you successfully log back in.

echo "command to reload old rules" | at now + 1 hour


--
Neil Bothwick

Tact is the intelligence of the heart.
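Joost's "keep existing connections alive" check and Neil's one-shot at(1) rollback, put together in one script. This is an added example, not code from the thread or from Gentoo's iptables init script; it assumes /var/lib/iptables/rules-save (the path from Jarry's post) as the backup, a new ruleset in iptables-save format at /root/iptables-new.rules (an assumed name), and at(1) installed.

```shell
#!/bin/sh
# Load new iptables rules with a queued one-shot rollback (added example, not
# from the thread). Assumed paths: the Gentoo backup file and a new ruleset
# in iptables-save format; every line of such a file may start with packet
# counters like "[536:119208]".
BACKUP=${BACKUP:-/var/lib/iptables/rules-save}
NEW_RULES=${NEW_RULES:-/root/iptables-new.rules}
GRACE=${GRACE:-1 hour}

# External commands, overridable so the logic can be exercised without root.
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
AT=${AT:-at}
ATRM=${ATRM:-atrm}

# Text of the job at(1) will run: reload the saved (old) rules.
rollback_job() {
    printf '%s < %s\n' "$IPT_RESTORE" "$1"
}

# Refuse a ruleset with no INPUT rule accepting ESTABLISHED connections;
# without one the admin's current SSH session dies the moment it loads.
keeps_established() {
    grep -Eq -- '-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]*.*-j ACCEPT' "$1"
}

# Queue the rollback first, then load the new rules. Prints the at job id,
# which cancel_rollback removes once a fresh SSH login has been verified.
apply_with_rollback() {
    if ! keeps_established "$NEW_RULES"; then
        echo "refusing $NEW_RULES: no rule keeps ESTABLISHED connections" >&2
        return 2
    fi
    # at(1) reports "job N at <time>" on stderr; keep only N.
    jobid=$(rollback_job "$BACKUP" | "$AT" now + $GRACE 2>&1 \
            | sed -n 's/^job \([0-9][0-9]*\) .*/\1/p')
    if [ -z "$jobid" ]; then
        echo "could not queue the rollback job, not touching the rules" >&2
        return 3
    fi
    if ! "$IPT_RESTORE" < "$NEW_RULES"; then
        # Leave the job queued: it reloads the old rules whatever state we are in.
        echo "loading $NEW_RULES failed; rollback job $jobid still queued" >&2
        return 4
    fi
    echo "$jobid"
}

cancel_rollback() {
    "$ATRM" "$1"
}
```

Run apply_with_rollback from the existing session, open a second SSH connection, and only then cancel_rollback with the printed id; if the second login fails, the queued job reloads the old rules when the grace period ends.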
 
Old 01-24-2011, 09:14 PM
Mark Knecht
 
modifying iptables: how can I prevent locking me out?

On Mon, Jan 24, 2011 at 1:50 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> Wouldn't at make more sense? You don't want the thing to keep reloading
> your old config, at will do it once, and you can remove the task from the
> at queue once you successfully log back in.
>
> echo "command to reload old rules" | at now + 1 hour
>
>
> --
> Neil Bothwick

As a one-off test absolutely.

- Mark
 
Old 01-24-2011, 09:16 PM
Mark Knecht
 
modifying iptables: how can I prevent locking me out?

On Mon, Jan 24, 2011 at 2:14 PM, Mark Knecht <markknecht@gmail.com> wrote:
> On Mon, Jan 24, 2011 at 1:50 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
>> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
>>
>>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> Wouldn't at make more sense? You don't want the thing to keep reloading
>> your old config, at will do it once, and you can remove the task from the
>> at queue once you successfully log back in.
>>
>> echo "command to reload old rules" | at now + 1 hour
>>
>>
>> --
>> Neil Bothwick
>
> As a one-off test absolutely.
>

Actually, upon 15 seconds of reflection, what happens if he's locked
out and there's a power failure before the at command executes? When
rebooted I think it won't be there anymore, will it?

- Mark
 
Old 01-24-2011, 09:26 PM
Alex Schuster
 
modifying iptables: how can I prevent locking me out?

Neil Bothwick writes:

> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> Wouldn't at make more sense? You don't want the thing to keep reloading
> your old config, at will do it once, and you can remove the task from the
> at queue once you successfully log back in.
>
> echo "command to reload old rules" | at now + 1 hour

I usually do a
sleep 10m && restore the state
in a screen session. If things are okay and I can login, I re-attach the
screen and cancel the sleep with Ctrl-C. If I cannot login, I have to
wait 10 minutes.

Wonko
 