From: Manuel Klemenz
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
Date: Mon, 24 Jan 2011 22:08:18 +0100
Message-Id: <201101242208.24039.m.klemenz@gmx.at>
References: <4D3DC94F.4020904@gmail.com>
User-Agent: KMail/1.13.5 (Linux/2.6.37-gentoo; KDE/4.5.5; x86_64)

On Monday 24 January 2011 19:59:16 Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry wrote:
> > Hi,
> >
> > I have to change rather complex iptables rules on server
> > and I do not want to lock me out as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and it will be saved to /var/lib/iptables/rules-save
> > (some strange format starting with number like [536:119208])
> >
> > I prepared a script with new (modified) iptables-rules,
> > which I will run in bash. But in case I screw something,
> > how could I force netfilter to load old saved rules,
> > if I for whatever reason do not connect to server (ssh)?
> >
> > Or can I load new iptables-rules for certain time, and
> > then force netfilter to load back the old rules again?
> >
> > Jarry
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark

Another option would be to set up and run a knock daemon (net-misc/knock), if
that's an option for you. You'd have the advantage of not being forced to wait
for an hour (worst case). On the other hand you must make sure that none of
the configured knocking ports are blocked in the infrastructure between you and
the server.

--
Cheers,
Manuel Klemenz
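The rollback-timer idea Mark suggests, written out as a script. This is an
added example for the archive page, not code posted in the thread or shipped
by Gentoo. It assumes the new ruleset is a file in iptables-save format (the
same format as /var/lib/iptables/rules-save; the bracketed numbers Jarry sees,
e.g. [536:119208], are the per-rule packet and byte counters that
iptables-save writes when asked to include counters) and that iptables-save
and iptables-restore are on PATH. The names safe_apply, safe_confirm,
ROLLBACK_SECS and STATE_DIR are this example's own; the IPT_SAVE/IPT_RESTORE
variables exist only so the logic can be exercised with stub commands.

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread): load a new iptables
# ruleset with an automatic rollback.  If nobody runs "confirm" from a
# working ssh session within ROLLBACK_SECS, the saved rules are restored.
#
# Assumptions (not stated in the thread): rules files are in
# iptables-save format; iptables-save/iptables-restore are on PATH.
# IPT_SAVE/IPT_RESTORE/STATE_DIR are overridable only for testing with stubs.
#
# Usage:  ipt-safe.sh apply /path/to/new.rules     (on the server)
#         ipt-safe.sh confirm                      (from a NEW ssh session)

IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}
STATE_DIR=${STATE_DIR:-/run/ipt-safe}

# Snapshot the running rules, load the new ones, arm the rollback timer.
# Returns 1 (with the old rules already re-loaded) if the new set fails
# to load at all, so a syntax error never leaves the box half-configured.
safe_apply() {
    new_rules=$1
    backup="$STATE_DIR/backup.rules"
    pidfile="$STATE_DIR/timer.pid"
    mkdir -p "$STATE_DIR" || return 1
    "$IPT_SAVE" > "$backup" || return 1
    if ! "$IPT_RESTORE" < "$new_rules"; then
        "$IPT_RESTORE" < "$backup"
        return 1
    fi
    # The timer runs in its own subshell and ignores SIGHUP, so it keeps
    # running even if the ssh session that launched it is dropped by the
    # new rules, which is exactly the failure we are guarding against.
    (
        trap '' HUP
        sleep "$ROLLBACK_SECS"
        "$IPT_RESTORE" < "$backup"
        rm -f "$pidfile"
    ) &
    echo $! > "$pidfile"
}

# Cancel the pending rollback.  Returns 1 if there is nothing to cancel
# (no timer armed, or the rollback has already fired).
safe_confirm() {
    pidfile="$STATE_DIR/timer.pid"
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    rm -f "$pidfile"
    kill "$pid" 2>/dev/null
}

case "${1:-}" in
    apply)   safe_apply "$2" && echo "applied; rollback in ${ROLLBACK_SECS}s unless confirmed" ;;
    confirm) safe_confirm && echo "confirmed; rollback timer cancelled" ;;
esac
```

Run "confirm" from a fresh ssh login, not from the session that ran "apply":
a ruleset that accepts ESTABLISHED traffic but blocks new SSH connections
will keep the old session alive while locking every new one out, and only a
new connection proves the rules are usable. Two minutes is usually enough to
reconnect and look around; Mark's cron job is the same mechanism with a
longer fuse and no cancel step.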