Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Not that I'm aware of. You could easily write a shell script to do that though. Simply have it start iptables then sleep 5 min and then flush the rules.
[ I am assuming the following scenario -- you have ssh access to a box that you admin, and you want to change firewall rules. You don't want to accidentally filter yourself out. Been there. ]
Along the same lines of the previous recommendation on handling this, here are two more:
You can make the very first rule in your INPUT chain to allow access to port 22 from your source IP. That way, even as you append (and possibly break) later rules in the chain, your first rule should still always allow you access.
While making any changes, you can first back up your current firewall script file to iptables-rules.orig. Next make your changes to the iptables-rules script. Then, before running your updated iptables-rules script, submit an at job that will run in 10 minutes. That at job will simply run the iptables-rules.orig script. If you really bork things good, the at job will save you. If your updated rules are ok, then just cancel the at job.
Hope those ideas are helpful. (To give credit, they're not my own ideas; they are both based on firewall management strategies I read in "Mastering FreeBSD and OpenBSD Security", by Yanek Korff, Paco Hope, Bruce Potter. No, I don't work for O'Reilly.)
[hector@troy ~]$ date
Mon Mar 5 08:45:35 CST 2007
[hector@troy ~]$ at -f iptables-rules.orig 09:45
job 2 at 2007-03-05 09:45
You can use the atrm command to remove it from the queue if you need to (and the atq command to identify the job number if needed).
See the manpages for at(1) for more info.
Note that you'll be running your at job as root, since it will need to be able to flush and set iptables rules. Make sure you test this process out before beginning your real firewall modifications.
You mean in your at job? Sure - that might be an ok solution too.
Just remember that your services may be vulnerable for the brief period of time the iptables rules are shut off / flushed.
Also, if you have a DROP policy for your chains, make sure that stopping the iptables services temporarily changes the policy/ies to ACCEPT. (Otherwise everything will be locked out.)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.