public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Jarry @ 2011-01-24 18:47 UTC
  To: gentoo-user

Hi,

I have to change rather complex iptables rules on a server
and I do not want to lock myself out, as this server is about
50 miles away. So how should I do it?

I can back up the old rules by running:
/etc/init.d/iptables save
and they will be saved to /var/lib/iptables/rules-save
(some strange format, starting with a number like [536:119208])

I prepared a script with the new (modified) iptables rules,
which I will run in bash. But in case I screw something up,
how could I force netfilter to load the old saved rules
if I, for whatever reason, cannot connect to the server (ssh)?

Or can I load the new iptables rules for a certain time, and
then force netfilter to load the old rules back again?

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Mark Knecht @ 2011-01-24 18:59 UTC
  To: gentoo-user

On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
> Hi,
>
> I have to change rather complex iptables rules on a server
> and I do not want to lock myself out, as this server is about
> 50 miles away. So how should I do it?
>
> I can back up the old rules by running:
> /etc/init.d/iptables save
> and they will be saved to /var/lib/iptables/rules-save
> (some strange format, starting with a number like [536:119208])
>
> I prepared a script with the new (modified) iptables rules,
> which I will run in bash. But in case I screw something up,
> how could I force netfilter to load the old saved rules
> if I, for whatever reason, cannot connect to the server (ssh)?
>
> Or can I load the new iptables rules for a certain time, and
> then force netfilter to load the old rules back again?
>
> Jarry
>

Maybe a cron job that no matter what reloads the old rules 1 hour later?

- Mark




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: kashani @ 2011-01-24 19:06 UTC
  To: gentoo-user

On 1/24/2011 10:59 AM, Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry<mr.jarry@gmail.com>  wrote:
>> Hi,
>>
>> I have to change rather complex iptables rules on a server
>> and I do not want to lock myself out, as this server is about
>> 50 miles away. So how should I do it?
>>
>> I can back up the old rules by running:
>> /etc/init.d/iptables save
>> and they will be saved to /var/lib/iptables/rules-save
>> (some strange format, starting with a number like [536:119208])
>>
>> I prepared a script with the new (modified) iptables rules,
>> which I will run in bash. But in case I screw something up,
>> how could I force netfilter to load the old saved rules
>> if I, for whatever reason, cannot connect to the server (ssh)?
>>
>> Or can I load the new iptables rules for a certain time, and
>> then force netfilter to load the old rules back again?
>>
>> Jarry
>>
>
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> - Mark
>

Yep, that's the way I do it. I'd test that the cron works correctly 
beforehand. Nothing worse than locking yourself out *and* realizing your 
cron has a path issue.

kashani




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Mark Knecht @ 2011-01-24 19:16 UTC
  To: gentoo-user

On Mon, Jan 24, 2011 at 11:06 AM, kashani <kashani-list@badapple.net> wrote:
> On 1/24/2011 10:59 AM, Mark Knecht wrote:
>>
>> On Mon, Jan 24, 2011 at 10:47 AM, Jarry<mr.jarry@gmail.com>  wrote:
>>>
>>> Hi,
>>>
>>> I have to change rather complex iptables rules on a server
>>> and I do not want to lock myself out, as this server is about
>>> 50 miles away. So how should I do it?
>>>
>>> I can back up the old rules by running:
>>> /etc/init.d/iptables save
>>> and they will be saved to /var/lib/iptables/rules-save
>>> (some strange format, starting with a number like [536:119208])
>>>
>>> I prepared a script with the new (modified) iptables rules,
>>> which I will run in bash. But in case I screw something up,
>>> how could I force netfilter to load the old saved rules
>>> if I, for whatever reason, cannot connect to the server (ssh)?
>>>
>>> Or can I load the new iptables rules for a certain time, and
>>> then force netfilter to load the old rules back again?
>>>
>>> Jarry
>>>
>>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> - Mark
>>
>
> Yep, that's the way I do it. I'd test that the cron works correctly
> beforehand. Nothing worse than locking yourself out *and* realizing your
> cron has a path issue.
>
> kashani

Maybe first add a rule that won't lock yourself out. Install the new
file, make sure the rule is there, then wait an hour. Make sure the
rule is gone. Make sure the cron logs show the work was done. Go
through a couple of reboots and make sure the old rules (or new rules)
come up.

Once all that works, going to the new, scary file should be less scary.

- Mark




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Manuel Klemenz @ 2011-01-24 21:08 UTC
  To: gentoo-user


On Monday 24 January 2011 19:59:16 Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.jarry@gmail.com> wrote:
> > Hi,
> > 
> > I have to change rather complex iptables rules on a server
> > and I do not want to lock myself out, as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and they will be saved to /var/lib/iptables/rules-save
> > (some strange format, starting with a number like [536:119208])
> >
> > I prepared a script with the new (modified) iptables rules,
> > which I will run in bash. But in case I screw something up,
> > how could I force netfilter to load the old saved rules
> > if I, for whatever reason, cannot connect to the server (ssh)?
> >
> > Or can I load the new iptables rules for a certain time, and
> > then force netfilter to load the old rules back again?
> > 
> > Jarry
> 
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
> 
> - Mark

another option would be to set up and run a knock daemon (net-misc/knock), if
that's an option for you. You'd have the advantage of not being forced to wait
for an hour (worst case). On the other hand you must make sure that none of
the configured knocking ports are blocked in the infrastructure between you and
the server.

-- 
Cheers,
Manuel Klemenz



* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: J. Roeleveld @ 2011-01-24 21:40 UTC
  To: gentoo-user

On Monday 24 January 2011 19:47:43 Jarry wrote:
> Hi,
> 
> I have to change rather complex iptables rules on a server
> and I do not want to lock myself out, as this server is about
> 50 miles away. So how should I do it?
>
> I can back up the old rules by running:
> /etc/init.d/iptables save
> and they will be saved to /var/lib/iptables/rules-save
> (some strange format, starting with a number like [536:119208])
>
> I prepared a script with the new (modified) iptables rules,
> which I will run in bash. But in case I screw something up,
> how could I force netfilter to load the old saved rules
> if I, for whatever reason, cannot connect to the server (ssh)?
>
> Or can I load the new iptables rules for a certain time, and
> then force netfilter to load the old rules back again?
> 
> Jarry

You could add the necessary rule(s) to ensure existing connections stay
active.
That way you can enable the new rules and test by opening a new SSH
connection to the server.
If that works, you're ok.
If not, you can use the existing SSH connection to go back to the old rules.

--
Joost




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Neil Bothwick @ 2011-01-24 21:50 UTC
  To: gentoo-user


On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:

> Maybe a cron job that no matter what reloads the old rules 1 hour later?

Wouldn't at make more sense? You don't want the thing to keep reloading
your old config, at will do it once, and you can remove the task from the
at queue once you successfully log back in.

echo "command to reload old rules" | at now + 1 hour


-- 
Neil Bothwick

Tact is the intelligence of the heart.



* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Mark Knecht @ 2011-01-24 22:14 UTC
  To: gentoo-user

On Mon, Jan 24, 2011 at 1:50 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>
> Wouldn't at make more sense? You don't want the thing to keep reloading
> your old config, at will do it once, and you can remove the task from the
> at queue once you successfully log back in.
>
> echo "command to reload old rules" | at now + 1 hour
>
>
> --
> Neil Bothwick

As a one-off test absolutely.

- Mark




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Mark Knecht @ 2011-01-24 22:16 UTC
  To: gentoo-user

On Mon, Jan 24, 2011 at 2:14 PM, Mark Knecht <markknecht@gmail.com> wrote:
> On Mon, Jan 24, 2011 at 1:50 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
>> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
>>
>>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> Wouldn't at make more sense? You don't want the thing to keep reloading
>> your old config, at will do it once, and you can remove the task from the
>> at queue once you successfully log back in.
>>
>> echo "command to reload old rules" | at now + 1 hour
>>
>>
>> --
>> Neil Bothwick
>
> As a one-off test absolutely.
>

Actually, upon 15 seconds of reflection, what happens if he's locked
out and there's a power failure before the at command executes? When
rebooted I think it won't be there anymore, will it?

- Mark




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Alex Schuster @ 2011-01-24 22:26 UTC
  To: gentoo-user

Neil Bothwick writes:

> On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
> 
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
> 
> Wouldn't at make more sense? You don't want the thing to keep reloading
> your old config, at will do it once, and you can remove the task from the
> at queue once you successfully log back in.
> 
> echo "command to reload old rules" | at now + 1 hour

I usually do a
	sleep 10m && restore the state
in a screen session. If things are okay and I can login, I re-attach the
screen and cancel the sleep with Ctrl-C. If I cannot login, I have to
wait 10 minutes.

	Wonko




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Alan McKinnon @ 2011-01-24 22:28 UTC
  To: gentoo-user

Apparently, though unproven, at 00:14 on Tuesday 25 January 2011, Mark Knecht 
did opine thusly:

> On Mon, Jan 24, 2011 at 1:50 PM, Neil Bothwick <neil@digimed.co.uk> wrote:
> > On Mon, 24 Jan 2011 10:59:16 -0800, Mark Knecht wrote:
> >> Maybe a cron job that no matter what reloads the old rules 1 hour later?
> > 
> > Wouldn't at make more sense? You don't want the thing to keep reloading
> > your old config, at will do it once, and you can remove the task from the
> > at queue once you successfully log back in.
> > 
> > echo "command to reload old rules" | at now + 1 hour
> > 
> > 
> > --
> > Neil Bothwick
> 
> As a one-off test absolutely.


There's no such thing as a once-off test :-)

"Oh shit, it's still not working after 19 retries, 6 hours work, and extensive 
googling" most definitely does exist.

Maybe I'm just paranoid, or maybe I just screwed up myself too many times, but
I'd feel safer with cron for this. Cancelling it when done is equally easy
whether cron or at.


-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Alan McKinnon @ 2011-01-24 22:31 UTC
  To: gentoo-user

Apparently, though unproven, at 23:40 on Monday 24 January 2011, J. Roeleveld 
did opine thusly:

> On Monday 24 January 2011 19:47:43 Jarry wrote:
> > Hi,
> > 
> > I have to change rather complex iptables rules on a server
> > and I do not want to lock myself out, as this server is about
> > 50 miles away. So how should I do it?
> >
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and they will be saved to /var/lib/iptables/rules-save
> > (some strange format, starting with a number like [536:119208])
> >
> > I prepared a script with the new (modified) iptables rules,
> > which I will run in bash. But in case I screw something up,
> > how could I force netfilter to load the old saved rules
> > if I, for whatever reason, cannot connect to the server (ssh)?
> >
> > Or can I load the new iptables rules for a certain time, and
> > then force netfilter to load the old rules back again?
> > 
> > Jarry
> 
> You could add the necessary rule(s) to ensure existing connections stay
> active.
> That way you can enable the new rules and test by opening a new SSH
> connection to the server.
> If that works, you're ok.
> If not, you can use the existing SSH connection to go back to the old
> rules.

It's no help to the OP now, but around here we have a rule:

Remote servers without a DRAC do not get installed. Period.


-- 
alan dot mckinnon at gmail dot com




* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Neil Bothwick @ 2011-01-25 10:19 UTC
  To: gentoo-user


On Tue, 25 Jan 2011 00:28:32 +0200, Alan McKinnon wrote:

> Maybe I'm just paranoid, or maybe I just screwed up myself too many
> times, but I'd feel safer with cron for this. Cancelling it when done
> is equally easy whether cron or at

But to cancel the cron job, you'd have to edit crontab, then you'd have
to remember to restore the crontab before trying another rule.

I'd use a script to
  Backup working rules
  Set up at (or cron if you prefer extra work) to restore old rules
  Load new rules

Otherwise, the one time you forget to schedule a return to the old rules
is the one time you lock yourself out.


-- 
Neil Bothwick

I have seen things you lusers would not believe.
I've seen Sun monitors on fire off the side of the multimedia lab.
I've seen NTU lights glitter in the dark near the Mail Gate.
All these things will be lost in time, like the root partition last
week. Time to die.



* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Neil Bothwick @ 2011-01-25 10:25 UTC
  To: gentoo-user


On Mon, 24 Jan 2011 14:16:15 -0800, Mark Knecht wrote:

> Actually, upon 15 seconds of reflection, what happens if he's locked
> out and there's a power failure before the at command executes? When
> rebooted I think it won't be there anymore, will it?

It will.


-- 
Neil Bothwick

DCE seeks DTE for mutual exchange of data.



* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Mick @ 2011-01-25 22:57 UTC
  To: gentoo-user


On Tuesday 25 January 2011 10:25:32 Neil Bothwick wrote:
> On Mon, 24 Jan 2011 14:16:15 -0800, Mark Knecht wrote:
> > Actually, upon 15 seconds of reflection, what happens if he's locked
> > out and there's a power failure before the at command executes? When
> > rebooted I think it won't be there anymore, will it?
> 
> It will.

As long as he hasn't first saved the rule set that locked him out ...
-- 
Regards,
Mick



* Re: [gentoo-user] modifying iptables: how can I prevent locking me out?
From: Jarry @ 2011-01-31 21:20 UTC
  To: gentoo-user

>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
> Wouldn't at make more sense?

Thanks to all who replied. So first I saved my working rules with
# /sbin/iptables-save -c > /root/ipt.bak

Then I created my command file:
# echo '#!/bin/bash' > /root/ipt-restore
# echo '/sbin/iptables-restore -c < /root/ipt.bak' >> /root/ipt-restore
# chmod 0700 /root/ipt-restore

Now I'm going to set up my restore-job:
# at -f /root/ipt-restore now + 60 min

And after that I will play a little with the iptables rules, hoping that
the at-job will save my a** if I screw something up...

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.




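Neil's three-step script (back up the working rules, schedule the restore, load the new rules) and Jarry's final commands, combined into one added example with a pre-flight check for Joost's point that the new rules must keep established connections. This is not a script from the thread; it assumes the new rules are a bash script of iptables commands passed as the first argument, the /root/ipt.bak and /root/ipt-restore paths from Jarry's post, and root privileges.

```shell
#!/bin/bash
# safe-iptables-change.sh: load a new ruleset with an automatic, one-shot rollback.
# Added example for this thread, not a script from any of the posts.
# Assumed: the new rules are a bash script of iptables commands passed as $1,
# backup/restore paths are the ones from Jarry's final post, and we run as root.
set -eu

BACKUP=${BACKUP:-/root/ipt.bak}                      # iptables-save -c output
RESTORE_SCRIPT=${RESTORE_SCRIPT:-/root/ipt-restore}
ROLLBACK_MIN=${ROLLBACK_MIN:-60}                     # minutes until the old rules return

# Pre-flight check (Joost's point): the new rules must keep established
# connections, or the ssh session you apply them from dies on the spot.
# Accepts either a script of iptables commands or an iptables-restore file.
preflight_check() {
    local rules=$1
    if ! grep -Eq -- '-A INPUT .*(--state|--ctstate) [A-Z,]*ESTABLISHED.* -j ACCEPT' "$rules"; then
        echo "preflight: $rules has no ACCEPT rule for ESTABLISHED traffic on INPUT" >&2
        return 1
    fi
    # Warn only: a DROP policy on INPUT with no port opened at all usually means
    # a lockout, but an admin may allow ssh by source address instead of port.
    if grep -Eq -- '(-P INPUT DROP|^:INPUT DROP)' "$rules" &&
       ! grep -Eq -- '-A INPUT .*--dport [0-9]+.* -j ACCEPT' "$rules"; then
        echo "preflight: warning, $rules sets INPUT policy DROP but opens no port (ssh?)" >&2
    fi
    return 0
}

# Step 1 of Neil's script: keep a copy of the working rules, counters included.
backup_rules() {
    /sbin/iptables-save -c > "$BACKUP"
}

# Step 2: schedule the restore with at. The job runs exactly once and, as Neil
# notes, is still queued after a reboot; cancel it with atrm once a fresh ssh
# login works.
schedule_rollback() {
    printf '#!/bin/bash\n/sbin/iptables-restore -c < %s\n' "$BACKUP" > "$RESTORE_SCRIPT"
    chmod 0700 "$RESTORE_SCRIPT"
    at -f "$RESTORE_SCRIPT" now + "$ROLLBACK_MIN" min
}

# Step 3: only now load the new rules, from the existing session.
apply_rules() {
    local rules=$1
    preflight_check "$rules"
    backup_rules
    schedule_rollback
    bash "$rules"
    echo "new rules loaded; test with a NEW ssh session, then atrm the job listed below:"
    atq
}

# Usage: ./safe-iptables-change.sh /root/new-rules.sh
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

Mick's caveat still applies: the rollback only helps if the backup is never overwritten with the ruleset that locked you out.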