iptables test mode

walidaly · 03-04-2007, 06:46 AM

is there a way to start iptables in test mode so it stops after 5 min or so ?

Capt_Caveman · 03-04-2007, 10:40 AM

Not that I'm aware of. You could easily write a shell script to do that though. Simply have it start iptables then sleep 5 min and then flush the rules.

walidaly · 03-04-2007, 11:00 AM

I use a crontab but I thought there would be other way. did you mean perl script or bash script?

Capt_Caveman · 03-04-2007, 11:06 AM

You could write it in whatever scripting language you like (I'd probably use bash). Cron would work as well but it would be a little less flexible.

anomie · 03-04-2007, 12:01 PM

[ I am assuming the following scenario -- you have ssh access to a box that you admin, and you want to change firewall rules. You don't want to accidentally filter yourself out. Been there. ]

Along the same lines of the previous recommendation on handling this, here are two more:

You can make the very first rule in your INPUT chain to allow access to port 22 from your source IP. That way, even as you append (and possibly break) later rules in the chain, your first rule should still always allow you access.
While making any changes, you can first back up your current firewall script file to iptables-rules.orig. Next make your changes to the iptables-rules script. Then, before running your updated iptables-rules script, submit an at job that will run in 10 minutes. That at job will simply run the iptables-rules.orig script. If you really bork things good, the at job will save you. If your updated rules are ok, then just cancel the at job.

Hope those ideas are helpful. (To give credit, they're not my own ideas; they are both based on firewall management strategies I read in "Mastering FreeBSD and OpenBSD Security", by Yanek Korff, Paco Hope, Bruce Potter. No, I don't work for O'Reilly.)

walidaly · 03-05-2007, 03:39 AM

yes anomie, these are simple but very helpful ideas too..thank you
can you give me a sample of the command which sets the at job?

anomie · 03-05-2007, 08:47 AM

Example:

Code:

[hector@troy ~]$ date
Mon Mar  5 08:45:35 CST 2007
[hector@troy ~]$ at -f iptables-rules.orig 09:45
job 2 at 2007-03-05 09:45

You can use the atrm command to remove it from the queue if you need to (and the atq command to identify the job number if needed).

See the manpages for at(1) for more info.

Note that you'll be running your at job as root, since it will need to be able to flush and set iptables rules. Make sure you test this process out before beginning your real firewall modifications.

walidaly · 03-06-2007, 01:57 AM

can I stop the iptables service completely instead

anomie · 03-06-2007, 10:42 AM

You mean in your at job? Sure - that might be an ok solution too.

Just remember that your services may be vulnerable for the brief period of time the iptables rules are shut off / flushed.

Also, if you have a DROP policy for your chains, make sure that stopping the iptables services temporarily changes the policy/ies to ACCEPT. (Otherwise everything will be locked out.)

walidaly · 03-07-2007, 12:05 AM

I edit iptables manually so service doesn't flush the rules, will the command be like
at -f service iptables stop 09:45

anomie · 03-07-2007, 09:11 AM

Check the manpages for at(1). The -f option is when you're providing a command file (as opposed to telling it to read from stdin).

In your case I would use:

Code:

# echo '/etc/init.d/iptables stop' | at 09:45

or create a command file doing the same thing.

Again, make sure this is doing what you would expect before you start changing firewall rules. (Test your "bailout" job in advance.)

walidaly · 03-07-2007, 11:54 PM

that did it! Thanks again