How do you test iptables rules to prevent remote lockout and check matches?
iptables-apply
is specifically designed for this. It applies your rules, and then prompts you to affirm. If you don't affirm, it rolls them back out. So if you brick the system or lock yourself out with apply, it rolls back.
What method(s) do you use to test rules without locking yourself out?
Think about the effect of what you're typing before you type it.
locked myself out
Before you start changing things remotely that might lock you out, insert an accept rule matching your connection at the start of the list. Back that up with a watchdog script that will reset all the rules to what was working when you started if you don't reset the timer. You can do that with a file monitoring loop and running the touch
command to reset the timestamp while you're working on things. Just remember to turn it off when you finalize the rules. The very simple format of that is:
sleep $((10*60)) && iptables-restore /path/to/working/script
You can setup iptables without a default DROP rule on your input-chain. If you create a rule and then put in this command:
$ iptables -nvL
Then you see packet counts and see if you have hits from your host.
Also another option is, is to make a crontab that runs a script. Within that script, you can write
$ iptables -F
With this command you can flush your IPTABLES-config
.