From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1PhRlD-0001IP-6z for garchives@archives.gentoo.org; Mon, 24 Jan 2011 19:07:32 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C9049E09E9; Mon, 24 Jan 2011 19:06:04 +0000 (UTC)
Received: from www01.badapple.net (www01.badapple.net [64.79.219.163]) by pigeon.gentoo.org (Postfix) with ESMTP id A3E95E09E9 for ; Mon, 24 Jan 2011 19:06:04 +0000 (UTC)
Received: from [127.0.0.1] (173-8-169-73-SFBA.hfc.comcastbusiness.net [173.8.169.73]) (Authenticated sender: ramin@badapple.net) by www01.badapple.net (Postfix) with ESMTPSA id ECF93844E0B9 for ; Mon, 24 Jan 2011 11:06:03 -0800 (PST)
Message-ID: <4D3DCD99.1060808@badapple.net>
Date: Mon, 24 Jan 2011 11:06:01 -0800
From: kashani
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
References: <4D3DC94F.4020904@gmail.com>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt:
X-Archives-Hash: f642bc3c49c31f739d51788cc33ef92f

On 1/24/2011 10:59 AM, Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry wrote:
>> Hi,
>>
>> I have to change rather complex iptables rules on a server
>> and I do not want to lock myself out, as this server is about
>> 50 miles away. So how should I do it?
>>
>> I can back up the old rules by running:
>> /etc/init.d/iptables save
>> and it will be saved to /var/lib/iptables/rules-save
>> (some strange format starting with a number like [536:119208])
>>
>> I prepared a script with new (modified) iptables rules,
>> which I will run in bash. But in case I screw something up,
>> how could I force netfilter to load the old saved rules
>> if I, for whatever reason, do not connect to the server (ssh)?
>>
>> Or can I load the new iptables rules for a certain time, and
>> then force netfilter to load back the old rules again?
>>
>> Jarry
>>
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark
>

Yep, that's the way I do it. I'd test that the cron works correctly
beforehand. Nothing worse than locking yourself out *and* realizing
your cron has a path issue.

kashani
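The procedure the thread converges on (save the current rules, arm a timer that restores them no matter what, load the new rules, then disarm the timer once you can still log in) as an added example; this is not code from the thread or from any of the list members. It swaps Mark's cron job for a detached `nohup` timer, since that needs no crontab editing and can be cancelled with one `kill`, and it addresses kashani's "path issue" by resolving `iptables-save` and `iptables-restore` to absolute paths before anything runs unattended. The `/var/lib/iptables/rules-save` path is the one Jarry names; the pid-file path, the `apply`/`confirm` sub-commands and the default 3600-second window are assumptions made for this example. It also validates both rule files (every `*table` block must end in `COMMIT`), which the thread does not discuss.

```shell
#!/bin/sh
# Added example, not code from the thread: apply a new iptables ruleset with a
# dead-man timer that restores the saved rules unless the change is confirmed
# from a fresh SSH session.
# Assumed (constructed for this example): TIMER_PID_FILE, the 3600 s default
# window and the apply/confirm sub-commands. BACKUP is the path from the thread.

: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${BACKUP:=/var/lib/iptables/rules-save}"
: "${TIMER_PID_FILE:=/run/iptables-rollback.pid}"

# Resolve a command to an absolute path now, while PATH is still the
# interactive user's. cron and detached jobs run with a minimal PATH, which
# is the kind of "path issue" that turns a rollback into a lockout.
abs_cmd() {
    command -v "$1" 2>/dev/null
}

# Sanity-check a file in iptables-save format before trusting it as the
# rollback target: every "*table" block must be closed by a COMMIT line.
# The "[pkts:bytes]" counters Jarry mentions are optional and are ignored by
# iptables-restore unless -c is given.
rules_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Arm a detached timer that restores BACKUP after $1 seconds. nohup keeps it
# alive when the SSH session that started it is cut off, which is exactly the
# failure being guarded against. A TERM trap kills the inner sleep so that
# cancelling leaves no orphaned process. Prints the timer's PID.
schedule_rollback() {
    secs="$1"
    restore=$(abs_cmd "$IPTABLES_RESTORE") || return 1
    nohup sh -c '
        trap "kill \$t 2>/dev/null; exit 1" TERM
        sleep "$1" & t=$!
        wait $t && "$2" < "$3"
    ' rollback "$secs" "$restore" "$BACKUP" >/dev/null 2>&1 &
    echo "$!" > "$TIMER_PID_FILE"
    echo "$!"
}

# Disarm the timer once the new rules are confirmed to work. Fails if the
# timer already fired, i.e. the old rules are already back in place.
cancel_rollback() {
    pid=$(cat "$TIMER_PID_FILE" 2>/dev/null) || return 1
    rm -f "$TIMER_PID_FILE"
    kill "$pid" 2>/dev/null
}

# Whole procedure: save and validate the current rules, validate the new ones,
# arm the timer, then load the new rules. Nothing is armed if validation fails.
apply_with_rollback() {
    new_rules="$1"
    window="${2:-3600}"
    save=$(abs_cmd "$IPTABLES_SAVE") || return 1
    restore=$(abs_cmd "$IPTABLES_RESTORE") || return 1
    "$save" > "$BACKUP" || return 1
    rules_file_ok "$BACKUP" || return 1
    rules_file_ok "$new_rules" || return 1
    schedule_rollback "$window" >/dev/null || return 1
    "$restore" < "$new_rules"
}

# Usage: ./safe-iptables.sh apply /root/new-rules.v4 [seconds]
#        ./safe-iptables.sh confirm        (from a new SSH session)
case "${1:-}" in
    apply)   apply_with_rollback "$2" "${3:-3600}" ;;
    confirm) cancel_rollback ;;
esac
```

Run `apply` in one session, then open a second SSH session and run `confirm` there: if the second login fails, simply wait out the window and the old rules come back. If you prefer Mark's cron variant, the same rule applies: write the absolute path of `iptables-restore` and of the saved file into the crontab entry, because crond's PATH is not your shell's, and try the entry once with a harmless window before relying on it.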