Sometimes you need to configure iptables on a remote host.
Often the right rule set is found by trial and error, and you need insurance against cutting yourself off in the process.
Here I will describe how to configure iptables so that, if you block your own access, you get it back without a trip to the console.
The idea is this: in cron we register a job that, at a fixed interval, resets the iptables rules.
That is, suppose I came up with a chain of rules, applied it, and the connection to the remote host suddenly died. The script we put in cron beforehand will clear all the rules, and access to the remote server can be obtained again.
Important!
iptables rules take effect the moment the command runs.
For example, if you enter:
# iptables -A INPUT -p tcp --dport 22 -j DROP
then your ssh session is lost immediately (unless an earlier rule in INPUT already accepts established connections, which is exactly the kind of thing you cannot count on while experimenting).
Create a script that flushes all iptables rules and sets every policy to ACCEPT, i.e. the default-allow state the host is in before any firewall is loaded:
# vim /etc/restore_iptables.conf
#!/bin/sh
IPT="/sbin/iptables"
# remove all rules and user-defined chains from the filter table
$IPT -F
$IPT -X
# the same for the nat and mangle tables, which a plain -F does not touch
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
# allow all connections
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
You also need to make the script executable:
# chmod +x /etc/restore_iptables.conf
The same script should also run at boot, before the network interfaces come up, so the saved ruleset is in place by the time the host is reachable. In Debian it is enough to add a pre-up line (note the file name must match the script above):
# vim /etc/network/interfaces
auto lo
iface lo inet loopback
pre-up /etc/restore_iptables.conf
Now add a job to root's crontab to run our recovery script every five minutes, for example:
# crontab -e
*/5 * * * * /etc/restore_iptables.conf
Now we can test the new rules.
To do this, create a file with test rules, for example:
# vim /etc/test_iptables.conf
#!/bin/sh
IPT="/sbin/iptables"
$IPT -F
$IPT -X
# deliberate mistake: these two rules cut off ssh in both directions
$IPT -A INPUT -p tcp --dport 22 -j DROP
$IPT -A OUTPUT -p tcp --sport 22 -j DROP
Run it:
# chmod +x /etc/test_iptables.conf
# /etc/test_iptables.conf
These rules cut the ssh session off at once. But since the cron job is in place, within five minutes the restore script flushes everything and you can reconnect.
Once you are sure the rules work as intended, remove or comment out the cron entry:
# crontab -e
#*/5 * * * * /etc/restore_iptables.conf
And copy the new rule file over the backup, so the file that runs at boot now holds the real ruleset (keep a copy of the permissive version if you intend to repeat this exercise later):
# cat /etc/test_iptables.conf > /etc/restore_iptables.conf
Be careful!
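A variant of the same safety net, added here as an example and not part of the original post: instead of a cron job that flushes everything every five minutes, snapshot the live ruleset with iptables-save, arm a one-shot rollback timer, apply the new rules, and cancel the timer from a fresh ssh session once you have proven you can still get in. The paths (/sbin/iptables-save, /sbin/iptables-restore, /run/iptables-safe), the 120-second default and the function names are assumptions of this example; because it restores an iptables-save dump, the rollback covers every table and policy, not only the filter table.

```sh
#!/bin/sh
# Added example (not from the original post): apply a new iptables ruleset
# with an automatic rollback timer instead of a periodic cron job.
#
# Usage:  safe_apply.sh apply /etc/test_iptables.conf  (in the session that may die)
#         safe_apply.sh confirm                        (from a NEW ssh session that works)
# If nobody confirms within ROLLBACK_DELAY seconds, the ruleset saved before
# the change is put back with iptables-restore.
#
# The binaries, the delay and the state directory below are assumptions.
IPT_SAVE="${IPT_SAVE:-/sbin/iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-/sbin/iptables-restore}"
ROLLBACK_DELAY="${ROLLBACK_DELAY:-120}"
STATE_DIR="${STATE_DIR:-/run/iptables-safe}"

# Save the complete active ruleset (all tables, policies included) to $1.
snapshot_rules() {
    "$IPT_SAVE" > "$1"
}

# Start a watchdog that restores snapshot $1 after $2 seconds and print its PID.
# stdout/stderr of the watchdog are detached so a caller can capture the PID
# with $(...) without blocking until the timer fires.
schedule_rollback() {
    ( sleep "$2"; "$IPT_RESTORE" < "$1" ) >/dev/null 2>&1 &
    echo $!
}

# Stop the watchdog with PID $1; the new rules stay in place.
cancel_rollback() {
    kill "$1" 2>/dev/null
}

# Snapshot the current rules, arm the watchdog, then run the rules script $1.
safe_apply() {
    mkdir -p "$STATE_DIR"
    snapshot_rules "$STATE_DIR/before.rules"
    schedule_rollback "$STATE_DIR/before.rules" "$ROLLBACK_DELAY" \
        > "$STATE_DIR/watchdog.pid"
    sh "$1"
    echo "Rules applied. Open a new ssh session and run '$0 confirm'" \
         "within $ROLLBACK_DELAY seconds, or the previous rules come back."
}

# Called from the new session: the connection works, so keep the rules.
confirm_rules() {
    cancel_rollback "$(cat "$STATE_DIR/watchdog.pid")" \
        && rm -f "$STATE_DIR/watchdog.pid"
}

case "${1:-}" in
    apply)   safe_apply "$2" ;;
    confirm) confirm_rules ;;
esac
```

Run it as root with 'safe_apply.sh apply /etc/test_iptables.conf', then log in again and run 'safe_apply.sh confirm'. If the second login never happens, the watchdog restores the snapshot after ROLLBACK_DELAY seconds, so the worst case is a short outage rather than a trip to the console. The watchdog is a plain background subshell: it survives the ssh session that started it, and killing it by PID is all that "confirm" has to do.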