From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
Date: Mon, 24 Jan 2011 22:40:35 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.30-gentoo-r5; KDE/4.4.5; x86_64; ; )
In-Reply-To: <4D3DC94F.4020904@gmail.com>
Message-Id: <201101242240.35818.joost@antarean.org>
List-Id: Gentoo Linux mail

On Monday 24 January 2011 19:47:43 Jarry wrote:
> Hi,
>
> I have to change rather complex iptables rules on a server
> and I do not want to lock myself out, as this server is about
> 50 miles away. So how should I do it?
>
> I can back up the old rules by running:
> /etc/init.d/iptables save
> and it will be saved to /var/lib/iptables/rules-save
> (some strange format starting with a number like [536:119208])
>
> I prepared a script with new (modified) iptables rules,
> which I will run in bash. But in case I screw something up,
> how could I force netfilter to load the old saved rules,
> if I for whatever reason cannot connect to the server (ssh)?
>
> Or can I load the new iptables rules for a certain time, and
> then force netfilter to load back the old rules again?
>
> Jarry

You could add the necessary rule(s) to ensure existing connections stay active.
That way you can enable the new rules and test by opening a new SSH connection
to the server. If that works, you're OK.
If not, you can use the existing SSH connection to go back to the old rules.

--
Joost
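The procedure Joost describes, plus the timed rollback Jarry asks about, as an added example written for this archive page (it is not Joost's script, not Jarry's, and not part of Gentoo's iptables init script). It assumes the new rules are in iptables-save format (the `[536:119208]` prefix Jarry noticed is just iptables-save's packet:byte counter for each chain and rule; iptables-restore accepts it and ignores it unless you pass -c), that iptables is 1.4.11 or newer so that `iptables -C` exists, and the file names under /var/lib, /run and /var/log are placeholders you would change to taste. `apply_new` refuses a ruleset with no ESTABLISHED accept in INPUT (that rule is what keeps the session you are typing in alive across the flush), backs up the live rules, arms a rollback timer that survives the SSH session being torn down, and then loads the new rules. You then open a fresh SSH session; if it works, run `confirm` from it to disarm the timer, and if it does not, either the timer or the old session restores the backup.

```shell
#!/bin/sh
# Added example (not from the thread): load a new iptables ruleset with a
# safety net. Assumptions: rules are in iptables-save format, iptables is
# >= 1.4.11 (for `iptables -C`), and the paths below are placeholders.
set -u

IPT=${IPT:-iptables}
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
BACKUP=${BACKUP:-/var/lib/iptables/rules-save.pre-change}
PIDFILE=${PIDFILE:-/run/iptables-rollback.pid}
ROLLBACK_LOG=${ROLLBACK_LOG:-/var/log/iptables-rollback.log}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# has_keepalive_rule FILE: true if FILE adds an INPUT rule that ACCEPTs
# ESTABLISHED traffic (conntrack match or the older state match). Without
# it the SSH session you are typing into dies the moment the rules load.
has_keepalive_rule() {
    grep -Eq -- '^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$1"
}

# keep_sessions: for hand-editing with iptables -A/-D rather than a full
# restore, put the ESTABLISHED accept at position 1 of INPUT first.
# Idempotent: -C checks whether the rule is already present.
keep_sessions() {
    "$IPT" -C INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null ||
        "$IPT" -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

save_current() { "$IPT_SAVE" > "$BACKUP"; }
rollback()     { "$IPT_RESTORE" < "$BACKUP"; }

# arm_rollback: restore the backup after ROLLBACK_SECS unless confirm runs.
# The timer ignores SIGHUP and detaches its stdio, so it keeps running when
# sshd tears the session down, which is exactly the case it exists for.
arm_rollback() {
    ( trap '' HUP; sleep "$ROLLBACK_SECS"; rollback ) >"$ROLLBACK_LOG" 2>&1 </dev/null &
    echo $! > "$PIDFILE"
}

# confirm: run from a NEW ssh session once you have proved you can get in.
confirm() {
    kill "$(cat "$PIDFILE")" && rm -f "$PIDFILE"
}

# apply_new FILE: refuse rulesets that would cut the current session, save
# the live rules, start the rollback timer, then load the new rules.
apply_new() {
    if ! has_keepalive_rule "$1"; then
        echo "refusing: $1 has no ESTABLISHED accept rule in INPUT" >&2
        return 1
    fi
    save_current
    arm_rollback
    "$IPT_RESTORE" < "$1"
}

case "${1:-}" in
    apply)    apply_new "${2:?ruleset file required}" ;;
    confirm)  confirm ;;
    rollback) rollback ;;
    '')       ;;   # sourced or run without arguments: only define functions
    *)        echo "usage: $0 apply FILE | confirm | rollback" >&2; exit 2 ;;
esac
```

Typical run: `sh safe-iptables.sh apply /root/new-rules`, then from your workstation `ssh server sh safe-iptables.sh confirm` within the two-minute window. The SIGHUP handling is the part people usually miss: a plain `sleep 120 && iptables-restore < backup &` started from a login shell is killed along with that shell when the connection drops, so the rollback never fires. Newer iptables releases ship `iptables-apply`, which automates the same apply, wait for confirmation, revert cycle.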