From: Manuel Klemenz <m.klemenz@gmx.at>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
Date: Mon, 24 Jan 2011 22:08:18 +0100 [thread overview]
Message-ID: <201101242208.24039.m.klemenz@gmx.at> (raw)
In-Reply-To: <AANLkTin98-=p88PHnB+n_+nHgBbKxC4BAwxcoQTTV6eE@mail.gmail.com>
On Monday 24 January 2011 19:59:16 Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
> > Hi,
> >
> > I have to change rather complex iptables rules on a server
> > and I do not want to lock myself out as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and it will be saved to /var/lib/iptables/rules-save
> > (some strange format starting with numbers like [536:119208])
> >
> > I prepared a script with new (modified) iptables rules,
> > which I will run in bash. But in case I screw something up,
> > how could I force netfilter to load the old saved rules
> > if I for whatever reason cannot connect to the server (ssh)?
> >
> > Or can I load the new iptables rules for a certain time, and
> > then force netfilter to load back the old rules again?
> >
> > Jarry
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark
Another option would be to set up and run a knock daemon (net-misc/knock), if
that's an option for you. You'd have the advantage of not being forced to wait
for an hour (worst case). On the other hand you must make sure that none of
the configured knocking ports are blocked in the infrastructure between you and
the server.
--
Cheers,
Manuel Klemenz
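The timed-rollback idea from Mark's reply (load the new rules, and have something restore the old ones unless you get back in) can be done without waiting for cron to come round. The script below is an added example for this thread, not Jarry's script and not part of the knock package: it dumps the live rules with iptables-save, loads the new file with iptables-restore, and starts a dead-man timer that reloads the backup after TIMEOUT seconds unless a confirmation flag has been created from a fresh ssh session. The file paths, the timeout and the two command names are assumptions that can be overridden from the environment.

```sh
#!/bin/sh
# Apply a new iptables rule set with a dead-man timer: unless the change is
# confirmed within $TIMEOUT seconds, the previously loaded rules are restored.
# Added example for this thread, not Jarry's script. Assumes iptables-save and
# iptables-restore from the iptables package; the paths below are assumptions.

BACKUP=${BACKUP:-/var/lib/iptables/rules-backup}   # where the old rules go
CONFIRM=${CONFIRM:-/run/iptables-change.confirmed} # flag file: "keep new rules"
TIMEOUT=${TIMEOUT:-180}                            # seconds before rollback
SAVE=${SAVE:-iptables-save}                        # command that dumps live rules
RESTORE=${RESTORE:-iptables-restore}               # command that loads rules from stdin

# Dump the currently loaded rules to $BACKUP.
backup_rules() {
    $SAVE > "$BACKUP"
}

# Reload $BACKUP unless the confirmation flag has been created.
rollback_unless_confirmed() {
    if [ -e "$CONFIRM" ]; then
        return 0
    fi
    $RESTORE < "$BACKUP"
}

# Load the rules in file $1 and start the rollback timer in the background.
# The timer ignores SIGHUP so a dropped ssh session does not kill it.
apply_with_rollback() {
    new=$1
    [ -r "$new" ] || { echo "cannot read $new" >&2; return 1; }
    rm -f "$CONFIRM"
    backup_rules || return 1
    ( trap '' HUP; sleep "$TIMEOUT"; rollback_unless_confirmed ) &
    TIMER_PID=$!
    $RESTORE < "$new"
}

# Run this from a fresh ssh session once you have verified the new rules work.
confirm_change() {
    : > "$CONFIRM"
}

# Command-line entry point: "apply FILE" or "confirm".
case "${1:-}" in
    apply)   apply_with_rollback "$2" ;;
    confirm) confirm_change ;;
esac
```

Usage: `sh safe-apply.sh apply /root/new-rules` from the existing session, then open a second ssh session and run `sh safe-apply.sh confirm` before the timeout expires; if the second session never gets in, the timer puts the old rules back. The new-rules file must be in iptables-save format, which is the same format `/etc/init.d/iptables save` writes: the bracketed `[536:119208]` prefixes are the packet and byte counters that iptables-save emits with `-c`, and iptables-restore accepts them. The timer runs as a background subshell of the shell that started it, so start the script from a session that survives a disconnect (screen, or `nohup`), or schedule `rollback_unless_confirmed` with at(1) instead if that is available on the box.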
Thread overview: 16+ messages
2011-01-24 18:47 [gentoo-user] modifying iptables: how can I prevent locking me out? Jarry
2011-01-24 18:59 ` Mark Knecht
2011-01-24 19:06 ` kashani
2011-01-24 19:16 ` Mark Knecht
2011-01-24 21:08 ` Manuel Klemenz [this message]
2011-01-24 21:50 ` Neil Bothwick
2011-01-24 22:14 ` Mark Knecht
2011-01-24 22:16 ` Mark Knecht
2011-01-25 10:25 ` Neil Bothwick
2011-01-25 22:57 ` Mick
2011-01-24 22:28 ` Alan McKinnon
2011-01-25 10:19 ` Neil Bothwick
2011-01-24 22:26 ` Alex Schuster
2011-01-31 21:20 ` Jarry
2011-01-24 21:40 ` J. Roeleveld
2011-01-24 22:31 ` Alan McKinnon