From: Alan McKinnon
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
Date: Tue, 25 Jan 2011 00:31:06 +0200
Message-Id: <201101250031.06990.alan.mckinnon@gmail.com>
In-Reply-To: <201101242240.35818.joost@antarean.org>
References: <4D3DC94F.4020904@gmail.com> <201101242240.35818.joost@antarean.org>

Apparently, though unproven, at 23:40 on Monday 24 January 2011, J. Roeleveld did opine thusly:

> On Monday 24 January 2011 19:47:43 Jarry wrote:
> > Hi,
> >
> > I have to change rather complex iptables rules on a server
> > and I do not want to lock myself out, as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and it will be saved to /var/lib/iptables/rules-save
> > (some strange format starting with a number like [536:119208])
> >
> > I prepared a script with new (modified) iptables rules,
> > which I will run in bash. But in case I screw something up,
> > how could I force netfilter to load the old saved rules,
> > if I for whatever reason cannot connect to the server (ssh)?
> >
> > Or can I load new iptables rules for a certain time, and
> > then force netfilter to load back the old rules again?
> >
> > Jarry
>
> You could add the necessary rule(s) to ensure existing connections stay
> active.
> That way you can enable the new rules and test by opening a new SSH
> connection to the server.
> If that works, you're ok.
> If not, you can use the existing SSH connection to go back to the old
> rules.

It's no help to the OP now, but around here we have a rule:

Remote servers without a DRAC do not get installed. Period.

--
alan dot mckinnon at gmail dot com
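An added example, not from anyone in this thread, of combining Joost's advice (a rule that keeps existing connections alive) with the timed revert Jarry asked about. It assumes the new ruleset is a file in iptables-save format, that iptables-save and iptables-restore are on PATH (IPTABLES_SAVE / IPTABLES_RESTORE can be pointed at stand-ins for a dry run), and that it runs as root.

```shell
#!/bin/sh
# Added example (not from the thread): load a new iptables ruleset on a remote
# box with an automatic timed rollback, refusing rulesets that would drop the
# SSH session used to apply them.

: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${ROLLBACK_SECONDS:=120}"   # time you have to confirm before old rules return

# Return 0 if the ruleset's INPUT chain accepts ESTABLISHED,RELATED traffic
# (the rule that keeps the current SSH connection open across the switch).
ruleset_keeps_established() {
    grep -Eq -- '^-A INPUT .*(--state|--ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$1"
}

# Save the running ruleset to a temp file and print its path.
backup_rules() {
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    "$IPTABLES_SAVE" > "$backup" || return 1
    printf '%s\n' "$backup"
}

# Load $1 (new rules), then arm a background timer that restores $2 (the
# backup) after ROLLBACK_SECONDS. Prints the timer's PID so it can be cancelled.
apply_with_rollback() {
    ruleset_keeps_established "$1" || {
        echo "refusing: $1 has no ESTABLISHED,RELATED accept rule in INPUT" >&2
        return 1
    }
    "$IPTABLES_RESTORE" < "$1" || return 1
    # stdout/stderr go to /dev/null so a caller capturing our output is not
    # held open until the timer fires
    ( sleep "$ROLLBACK_SECONDS"; "$IPTABLES_RESTORE" < "$2" ) >/dev/null 2>&1 &
    echo $!
}

# Once a *fresh* SSH session works, cancel the timer to keep the new rules.
confirm_rules() {
    kill "$1" 2>/dev/null
}

# Typical session from the existing SSH connection:
#   backup=$(backup_rules)
#   pid=$(apply_with_rollback /root/new.rules "$backup")
#   ... open a new ssh connection from another terminal ...
#   confirm_rules "$pid"     # or do nothing and the old rules come back
```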