From: Mark Knecht
To: gentoo-user@lists.gentoo.org
Date: Mon, 24 Jan 2011 11:16:07 -0800
Subject: Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
In-Reply-To: <4D3DCD99.1060808@badapple.net>
References: <4D3DC94F.4020904@gmail.com> <4D3DCD99.1060808@badapple.net>
List-Id: Gentoo Linux mail

On Mon, Jan 24, 2011 at 11:06 AM, kashani wrote:
> On 1/24/2011 10:59 AM, Mark Knecht wrote:
>>
>> On Mon, Jan 24, 2011 at 10:47 AM, Jarry wrote:
>>>
>>> Hi,
>>>
>>> I have to change rather complex iptables rules on a server
>>> and I do not want to lock myself out, as this server is about
>>> 50 miles away. So how should I do it?
>>>
>>> I can back up the old rules by running:
>>> /etc/init.d/iptables save
>>> and it will be saved to /var/lib/iptables/rules-save
>>> (some strange format starting with a number like [536:119208])
>>>
>>> I prepared a script with new (modified) iptables rules,
>>> which I will run in bash. But in case I screw something up,
>>> how could I force netfilter to load the old saved rules,
>>> if I for whatever reason do not connect to the server (ssh)?
>>>
>>> Or can I load the new iptables rules for a certain time, and
>>> then force netfilter to load back the old rules again?
>>>
>>> Jarry
>>>
>>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> - Mark
>>
>
> Yep, that's the way I do it. I'd test that the cron works correctly
> beforehand. Nothing worse than locking yourself out *and* realizing your
> cron has a path issue.
>
> kashani

Maybe first add a rule that won't lock you out. Install the new file,
make sure the rule is there, then wait an hour. Make sure the rule is
gone. Make sure the cron logs show the work was done. Go through a
couple of reboots and make sure the old rules (or new rules) come up.
Once all that works, going to the new, scary file should be less scary.

- Mark
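The procedure the thread converges on (save the old rules, install the new ones, have something put the old ones back after an hour unless you confirm, and check beforehand that the "don't lock me out" rule is actually present), as an added example. This is not code from the thread and not Gentoo's iptables init script; the paths, the variable names, the confirm-file mechanism and the `apply`/`confirm` sub-commands are assumptions made for the example. It arms the rollback with a detached subshell timer rather than a crontab entry so that it is self-contained; scheduling the same `rollback_unless_confirmed` call from cron or `at` with absolute paths works the same way.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's iptables init
# script: install a new ruleset with an automatic rollback so that a bad
# rule cannot lock you out of a remote box.
#
# Everything below is a hypothetical layout and can be overridden from
# the environment:
#   IPTABLES_SAVE, IPTABLES_RESTORE  the netfilter save/restore binaries
#   ROLLBACK_SECONDS                 how long the new rules get to prove themselves
#   CONFIRM_FILE                     touching it cancels the pending rollback
#   SSH_PORT                         the port the lock-out guard must accept
set -u

IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
ROLLBACK_SECONDS="${ROLLBACK_SECONDS:-3600}"
CONFIRM_FILE="${CONFIRM_FILE:-/run/iptables-confirmed}"
SSH_PORT="${SSH_PORT:-22}"

# Dump the running rules to $1.  The "[536:119208]" prefixes Jarry saw in
# rules-save are packet:byte counters written by iptables-save -c;
# iptables-restore accepts such lines whether or not it is given -c.
# A dump without a COMMIT line is truncated, so refuse to call it a backup.
backup_rules() {
    "$IPTABLES_SAVE" -c > "$1" || return 1
    grep -q '^COMMIT$' "$1"
}

# Mark's "first add a rule that won't lock you out", as a precondition:
# refuse any ruleset without an INPUT rule accepting tcp/$SSH_PORT.  This is
# a textual check on the iptables-save format; it proves the rule is present,
# not that it sits before a DROP.  Only a fresh ssh login proves that.
check_ruleset() {
    grep -q '^COMMIT$' "$1" || { echo "no COMMIT in $1" >&2; return 1; }
    grep -Eq "^(\[[0-9]+:[0-9]+\] )?-A INPUT .*--dport $SSH_PORT .*-j ACCEPT" "$1" ||
        { echo "no INPUT ACCEPT for tcp/$SSH_PORT in $1" >&2; return 1; }
}

# Put the backup in $1 back unless the operator confirmed in time.  The
# confirm marker is consumed, so a stale one cannot disarm a later run.
rollback_unless_confirmed() {
    if [ -e "$CONFIRM_FILE" ]; then
        rm -f "$CONFIRM_FILE"
        return 0
    fi
    "$IPTABLES_RESTORE" -c < "$1"
}

# Run this from a NEW ssh session once you know you can still get in.
confirm_rules() {
    : > "$CONFIRM_FILE"
}

# Back up, install $1, and arm the rollback timer.  The timer is a detached
# subshell that ignores SIGHUP, so it survives the ssh session dying, which
# is exactly the case it exists for.  Absolute paths throughout, so nothing
# depends on the interactive PATH (kashani's cron pitfall).
apply_with_rollback() {
    new="$1"
    backup="${2:-/var/lib/iptables/rules-save.$(date +%s)}"
    check_ruleset "$new" || return 1
    backup_rules "$backup" || return 1
    rm -f "$CONFIRM_FILE"
    "$IPTABLES_RESTORE" -c < "$new" || return 1
    ( trap '' HUP; sleep "$ROLLBACK_SECONDS"; rollback_unless_confirmed "$backup" ) \
        < /dev/null > /dev/null 2>&1 &
    echo "installed $new; old rules in $backup; rollback in ${ROLLBACK_SECONDS}s unless confirmed"
}

case "${1:-}" in
    apply)   apply_with_rollback "${2:?usage: $0 apply NEW_RULES}" ;;
    confirm) confirm_rules ;;
    "")      : ;;   # sourced, or run without arguments: just define the functions
    *)       echo "usage: $0 apply NEW_RULES | confirm" >&2; exit 2 ;;
esac
```

Usage on the remote box: `sh safe-iptables.sh apply /root/new-rules`, then open a second ssh session and run `sh safe-iptables.sh confirm` from it before the timer expires. If the new session cannot connect, the old rules come back by themselves. `check_ruleset` is deliberately a plain text match: it catches forgetting the SSH rule entirely, but a rule placed after a blanket DROP still passes it, so the new ssh session is the real test, just as Mark's "make sure the rule is there" step is.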