How do you test iptables rules to prevent remote lockout and check matches?

iptables-apply is specifically designed for this. It applies your rules, and then prompts you to affirm. If you don't affirm, it rolls them back out. So if you brick the system or lock yourself out with apply, it rolls back.


What method(s) do you use to test rules without locking yourself out?

Think about the effect of what you're typing before you type it.


Before you start changing things remotely that might lock you out, insert an accept rule matching your connection at the start of the list. Back that up with a watchdog script that will reset all the rules to what was working when you started if you don't reset the timer. You can do that with a file-monitoring loop and by running the touch command to reset the timestamp while you're working on things. Just remember to turn it off when you finalize the rules. The very simple form of that is:

sleep $((10*60)) && iptables-restore < /path/to/working/script
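The timestamp-watchdog idea from the answer above, written out as an added example (this is not the answerer's script). It assumes a stamp file under /run and a ruleset saved with iptables-save to /root/iptables.working; both paths, the 30-second poll interval and the RESTORE_CMD override are assumptions for illustration. While you edit rules you keep the session alive with `touch /run/iptables-watchdog.stamp`; if the stamp goes stale the saved ruleset is restored.

```shell
#!/bin/sh
# Added example, not from the original answer: a stale-timestamp watchdog that
# restores a known-good iptables ruleset if a stamp file has not been touched
# within TIMEOUT_MIN minutes. Paths and defaults below are assumptions.

STAMP="${STAMP:-/run/iptables-watchdog.stamp}"
GOOD_RULES="${GOOD_RULES:-/root/iptables.working}"
TIMEOUT_MIN="${TIMEOUT_MIN:-10}"
# RESTORE_CMD reads an iptables-save dump on stdin; overridable for testing.
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"

# save_good_rules: snapshot the current (working) ruleset before editing.
save_good_rules() {
    iptables-save > "$GOOD_RULES"
}

# stamp_is_stale FILE MINUTES: returns 0 if FILE is missing or was last
# modified more than MINUTES minutes ago (find -mmin does the comparison).
stamp_is_stale() {
    [ -e "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# watchdog_once: restore the saved ruleset if the stamp is stale.
# Returns 0 when a restore was triggered, 1 when the stamp is still fresh.
watchdog_once() {
    if stamp_is_stale "$STAMP" "$TIMEOUT_MIN"; then
        $RESTORE_CMD < "$GOOD_RULES"
        return 0
    fi
    return 1
}

# watchdog_loop: poll every 30 seconds and exit after the first restore.
# Usage (as root):
#   save_good_rules; touch "$STAMP"; watchdog_loop &
#   ... edit rules, running: touch "$STAMP"   every few minutes ...
#   kill %1   when the new rules are confirmed working
watchdog_loop() {
    while ! watchdog_once; do
        sleep 30
    done
}
```

Start the loop before touching any rule, and kill it only after you have confirmed from a fresh session that the new rules let you in; a watchdog that is left running will silently revert your finished work ten minutes later.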

You can set up iptables without a default DROP policy on your INPUT chain. If you create a rule and then run this command:

$ iptables -nvL

Then you see the packet counts and can check whether you have hits from your host.

Another option is to make a crontab entry that runs a script. Within that script, you can write

$ iptables -F

With this command you can flush your iptables config.
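A worked version of the counter check above, added here as an example (it is not the answerer's code): it derives your own client address from sshd's SSH_CONNECTION, builds the allow rule to insert at the top of INPUT, and reads the packet counters from `iptables -nvxL INPUT` output to confirm the rule is actually matching. The listing embedded below is constructed sample output, and the 203.0.113.7 address and port 22 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer: confirm that a rule matches
# your own traffic by reading the -nvL packet counters.

# admin_ip: client address of the current SSH session. sshd sets
# SSH_CONNECTION to "client_ip client_port server_ip server_port".
admin_ip() {
    [ -n "$SSH_CONNECTION" ] || return 1
    printf '%s\n' "${SSH_CONNECTION%% *}"
}

# allow_rule_args IP: arguments that insert an ACCEPT for IP at position 1 of
# INPUT, so nothing added later in the chain can cut the session off.
# Apply with: iptables $(allow_rule_args "$(admin_ip)")
allow_rule_args() {
    printf '%s\n' "-I INPUT 1 -s $1 -p tcp --dport 22 -j ACCEPT"
}

# rule_hits SOURCE [TARGET]: read 'iptables -nvxL INPUT' output on stdin and
# print the packet count of the first rule whose source column is SOURCE
# (and whose target is TARGET, if given). With -n -v the columns are:
# pkts bytes target prot opt in out source destination ...; -x keeps the
# counters exact instead of abbreviating them as 12K/3M.
rule_hits() {
    awk -v src="$1" -v tgt="$2" '
        $1 ~ /^[0-9]+$/ && $8 == src && (tgt == "" || $3 == tgt) { print $1; exit }
    '
}

# has_hits SOURCE: returns 0 when the rule for SOURCE has counted at least one
# packet, i.e. traffic from that address really reached the rule.
has_hits() {
    n=$(rule_hits "$1")
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Constructed sample of 'iptables -nvxL INPUT' output (not captured from a
# real host): one ACCEPT rule for the admin address that has matched 42
# packets, and a DROP rule for telnet that has matched nothing.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42       3360 ACCEPT     tcp  --  *      *       203.0.113.7          0.0.0.0/0            tcp dpt:22
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23'

# Live usage (as root, from the SSH session you want to protect):
#   iptables $(allow_rule_args "$(admin_ip)")
#   iptables -nvxL INPUT | has_hits "$(admin_ip)" && echo "allow rule is matching"
```

Keep in mind that `iptables -F` only removes rules; it does not change a chain's policy. A cron job that flushes is therefore only a safety net while the INPUT policy is ACCEPT, as the answer above sets it up. If the policy is DROP, a flush removes your allow rule and locks everyone out, so in that case the cron job should restore a saved ruleset (or reset the policy with `iptables -P INPUT ACCEPT` before flushing) instead.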