Configure iptables over SSH without getting locked out?

linux iptables

I need to provision servers via SSH, and in the process, configure iptables. More precisely, I want to run the following commands in this order:

iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 5000
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8000
iptables -A INPUT -j DROP
iptables-save

How do I accomplish that without getting locked out? Can I apply those in batch?


I would probably save the rules in a new file, i.e /etc/iptables/new.rules and use the command iptables-apply to test them:

iptables-apply -t 180 new.rules

This way, the rules will be active for 180 seconds (-t = time) but not be saved unless you confirm the connection is still working as expected. In case of no interaction after 180 seconds, the rules will be reverted back to the previous state.


I assume the reason you think you'll be locked out is that you put in the default DROP rule before configuring the ACCEPT rules.

Run the commands through a single shell command like:

bash -c 'iptables -F; iptables -P INPUT DROP; ...'

The entire string will be sent and read before being processed and then the rules will be applied. Since the commands don't require input, they'll all process, and when you're done you'll still have access.


I usually do this:

1) I backup the old iptables configuration file:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak

2) Before trying the new settings I execute this command to make sure I can connect back if something in the new settings locks me out (basically I replace the old rules after 10/15 minutes):

echo "mv /etc/sysconfig/iptables.bak /etc/sysconfig/iptables && service iptables restart" | at now + 15min

3) Now I can safely modify iptables rules. If something goes bad I can connect back in 15 minutes.


If you want to avoid the situation that you are locked out for a moment (and avoid the risk that the firewall setup fails due to errors) a technical alternative is to avoid the table flush for INPUT. Replace iptables -F or iptables -F INPUT by

iptables -I INPUT 1 -p tcp -m tcp --dport 22 -j ACCEPT
while iptables -D 2 INPUT; do
  :
done
for chain in $(iptables -L -n | awk '/^Chain/ && $2 != "INPUT" { print $2 }'); do
  iptables -F "$chain"
done

Then define the rules as usual (just -A for INPUT though, no -I INPUT 1, please) and in the end remove the connection safety rule: iptables -D INPUT 1

Related

smtpd: warning: hostname example.com does not resolve to address 203.0.113.1
SSHd not logging Failed publickey attempts
Accept email with Postfix no matter what domain
Enterprise Level Anti-virus software with these Requirements [closed]
Nginx: expires header not working
Parse/Edit Apache conf files with Ruby?
Link aggregation with DSL and Ethernet, and different ISP's?
No acl on nfs mount in linux?
Windows Server 2008 hangs up while booting
Configure postfix to DKIM-sign emails generated from the system
RRD pdp status value
Does my BIND zone really provide redundancy and load balancing?