LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 03-04-2007, 06:46 AM   #1
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Rep: Reputation: 15
iptables test mode


is there a way to start iptables in test mode so it stops after 5 min or so ?
 
Old 03-04-2007, 10:40 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Not that I'm aware of. You could easily write a shell script to do that though. Simply have it start iptables then sleep 5 min and then flush the rules.
 
Old 03-04-2007, 11:00 AM   #3
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Original Poster
Rep: Reputation: 15
I use a crontab but I thought there would be other way. did you mean perl script or bash script?
 
Old 03-04-2007, 11:06 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You could write it in whatever scripting language you like (I'd probably use bash). Cron would work as well but it would be a little less flexible.
 
Old 03-04-2007, 12:01 PM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
[ I am assuming the following scenario -- you have ssh access to a box that you admin, and you want to change firewall rules. You don't want to accidentally filter yourself out. Been there. ]

Along the same lines of the previous recommendation on handling this, here are two more:
  • You can make the very first rule in your INPUT chain to allow access to port 22 from your source IP. That way, even as you append (and possibly break) later rules in the chain, your first rule should still always allow you access.
  • While making any changes, you can first back up your current firewall script file to iptables-rules.orig. Next make your changes to the iptables-rules script. Then, before running your updated iptables-rules script, submit an at job that will run in 10 minutes. That at job will simply run the iptables-rules.orig script. If you really bork things good, the at job will save you. If your updated rules are ok, then just cancel the at job.

Hope those ideas are helpful. (To give credit, they're not my own ideas; they are both based on firewall management strategies I read in "Mastering FreeBSD and OpenBSD Security", by Yanek Korff, Paco Hope, Bruce Potter. No, I don't work for O'Reilly.)
 
Old 03-05-2007, 03:39 AM   #6
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Original Poster
Rep: Reputation: 15
yes anomie, these are simple but very helpful ideas too..thank you
can you give me a sample of the command which sets the at job?
 
Old 03-05-2007, 08:47 AM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
Example:
Code:
[hector@troy ~]$ date
Mon Mar  5 08:45:35 CST 2007
[hector@troy ~]$ at -f iptables-rules.orig 09:45
job 2 at 2007-03-05 09:45
You can use the atrm command to remove it from the queue if you need to (and the atq command to identify the job number if needed).

See the manpages for at(1) for more info.

Note that you'll be running your at job as root, since it will need to be able to flush and set iptables rules. Make sure you test this process out before beginning your real firewall modifications.
 
Old 03-06-2007, 01:57 AM   #8
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Original Poster
Rep: Reputation: 15
can I stop the iptables service completely instead
 
Old 03-06-2007, 10:42 AM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
You mean in your at job? Sure - that might be an ok solution too.

Just remember that your services may be vulnerable for the brief period of time the iptables rules are shut off / flushed.

Also, if you have a DROP policy for your chains, make sure that stopping the iptables services temporarily changes the policy/ies to ACCEPT. (Otherwise everything will be locked out.)
 
Old 03-07-2007, 12:05 AM   #10
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Original Poster
Rep: Reputation: 15
I edit iptables manually so service doesn't flush the rules, will the command be like
at -f service iptables stop 09:45
 
Old 03-07-2007, 09:11 AM   #11
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, FreeBSD
Posts: 3,925
Blog Entries: 5

Rep: Reputation: Disabled
Check the manpages for at(1). The -f option is when you're providing a command file (as opposed to telling it to read from stdin).

In your case I would use:
Code:
# echo '/etc/init.d/iptables stop' | at 09:45
or create a command file doing the same thing.

Again, make sure this is doing what you would expect before you start changing firewall rules. (Test your "bailout" job in advance.)
 
Old 03-07-2007, 11:54 PM   #12
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Original Poster
Rep: Reputation: 15
that did it! Thanks again
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
how to change test sizze or character size in run level 3 in text mode? betrussell23 Linux - Newbie 1 10-13-2006 04:23 AM
Is there any way to run rescue mode in test mode. kadhiravan.r Linux - General 2 07-13-2006 08:11 AM
Iptables in promiscuous mode Barzan Linux - Networking 3 10-23-2005 07:24 AM
IPTables in Stealth mode bentman78 Linux - Networking 1 04-06-2004 03:43 PM
Fedora Core Test 2; iptables; recent module; missing libipt_recent.so GMcFall Red Hat 3 10-20-2003 03:59 PM


All times are GMT -5. The time now is 01:34 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration