iptablesrocks.org - safety precautions
iptables pre-configuration safety precautions
Making changes to your server's firewall/routing configuration can be very tricky. One simple mistake can result in your being completely locked out of
your server. If the server you are working on is remotely hosted, this can cause prolonged downtime and a tech support nightmare. In short, it can be a
major pain in the ass.
For this reason, anytime you are making changes to your server's firewall or routing config via iptables, you should first take a few minutes to
implement some "disaster recovery" measures that can be automatically triggered should you accidentally lock yourself out of your server.
Whenever I'm making any major changes to my firewall, I like to implement a "disaster recovery" measure by means of a crontab entry. I create a
simple crontab entry that runs every 15 minutes or so and executes a command which simply resets my server's iptables configuration to a
completely open setting. That is, it sets my iptables configuration so that the server will accept all incoming, outgoing and forward requests. In
this way, should I screw up at some point and lock myself out of my server, I will only need to wait a maximum of 10 minutes before the bad
firewall rules are dropped and I'll be able to shell into my server again. If you are a newbie at iptables, or even a seasoned pro, this little safety
measure can be a lifesaver. Everyone makes mistakes every now and then, and this measure will ensure that a mistake made in your firewall
configuration doesn't turn into a nightmare!
So here's how you do it....
Log into your server as the root user.
First, create an iptables ruleset file in iptables-save format that, when loaded with iptables-restore, resets the iptables configuration to a default "accept all" state:
vi /root/iptables.open
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT
*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT
*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT
Now save and exit. The bracketed numbers after each chain policy are packet:byte counters copied from iptables-save output; iptables-restore ignores them unless you pass --counters, so [0:0] on every line works just as well.
Now let's set up a crontab entry that will load the reset configuration every 15 minutes...
crontab -e
*/15 * * * * /sbin/iptables-restore < /root/iptables.open
Save and exit from the crontab editor.
Ok. All done.
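The procedure above as one script, added here as an example and not taken from iptablesrocks.org. It goes a little beyond the page: it writes the ruleset with zeroed counters, refuses to arm unless iptables-restore can parse the file (the --test option only parses, it does not load), edits the crontab without clobbering your other entries by tagging its own line with a marker comment, and adds a "disarm" verb for when the new rules are confirmed working, because a reset left running keeps reopening the firewall every cycle. The rules path, the interval and the marker text are this script's own assumptions.

```sh
#!/bin/sh
# Added example (not from iptablesrocks.org): arm/disarm a cron-based
# iptables safety net. RULES_FILE, INTERVAL and MARKER are assumptions.
set -eu

RULES_FILE="${RULES_FILE:-/root/iptables.open}"   # assumed path
INTERVAL="${INTERVAL:-15}"                          # minutes between resets
MARKER="# iptables-safety-net"                      # tags our crontab line

# Ruleset text that sets every built-in chain policy to ACCEPT. Counters
# are written as [0:0] rather than live values; both parse identically.
open_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# The crontab line for a given interval (minutes) and rules file, tagged
# so that disarm() can find and remove exactly this line and nothing else.
cron_line() {
    printf '*/%s * * * * /sbin/iptables-restore < %s %s\n' "$1" "$2" "$MARKER"
}

# Filter: drop any previous safety-net line from crontab text on stdin,
# leaving every other entry untouched (grep exits 1 on empty output).
strip_marker() {
    grep -v -F -- "$MARKER" || true
}

arm() {
    umask 077                       # the rules file is root-only
    open_ruleset > "$RULES_FILE"
    # Refuse to arm if the file would not load: a reset that fails every
    # cycle is no safety net at all.
    /sbin/iptables-restore --test < "$RULES_FILE"
    { crontab -l 2>/dev/null | strip_marker
      cron_line "$INTERVAL" "$RULES_FILE"; } | crontab -
    echo "armed: iptables resets to ACCEPT-all every $INTERVAL minutes"
}

disarm() {
    crontab -l 2>/dev/null | strip_marker | crontab -
    echo "disarmed: load your final ruleset now if you have not already"
}

case "${1:-}" in
    arm)    arm ;;
    disarm) disarm ;;
    *)      ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Run it as root with "arm" before editing the firewall, test that you can still reach the server after your new rules are in, then run "disarm" so the reset stops firing. The marker comment after the command is harmless to cron (the shell treats it as a comment) and is what lets the disarm step remove only this entry.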
Now let's review what this is going to do to your server...
Once you enable the crontab, your server is going to reset its iptables configuration every 15 minutes. This means that every 15 minutes you will lose
http://www.iptablesrocks.org/precautions.php (1 of 2) [2/13/2004 8:04:48 PM]