Re: safety net when working on a dedicated server



On Thursday 22. June 2006 20:51, fabrulous@xxxxxxxx spake to
comp.os.linux.misc:

> Hi Nephros,
>
> nephros wrote:
> ...
> > How about the combination of the two approaches? Just flush the relevant
> > chain.
> >
> > Set up a user-named chain and let all incoming packets first jump to
> > this. Your cron job could then use something like
> > iptables -F mychain
> > iptables -X mychain
> > iptables -N mychain
> > iptables -A mychain -p tcp --dport 22 -s ${STATIC_IP} -j ACCEPT
> > iptables -A mychain -j RETURN
> > to recreate the rule every hour.
>
> As you told, this is still rather fragile... So I had another idea: create
> a script that does just one thing, execute the following line:
> iptables -I INPUT -p tcp --dport 22 -s $STATIC_IP -j ACCEPT
> if and only if this is not already the first rule that iptables sees.
> ^^^^^^^^^^^^
>
> what do you think about it? (it's not that much better than what
> you're proposing, but it's "simpler" from iptables's point of view: only a
> single rule that gets inserted as the very first INPUT rule or not,

Yes it's basically the same approach, only difference I see really is that
your way puts more complexity in the scripting side (you will have to list,
grep/awk ... the iptables state), mine uses a slightly more complex
iptables setup but requires almost no scripting.

> I don't think it's such a crazy idea or such a bad practice :-/

No but I think it fixes an issue that Should Never Arise (TM) when the
firewall "master" script is constructed carefully. Like, for example,
putting that ssh accept line directly below the one where you flush the old
and set default policies for the INPUT table.

Do all the fancy firewalling stuff after that area of the script (probably
in separate sh files sourced from the master) and never change the master
without thorough review.

Should be pretty hard to lock yourself out then.

> will try it anyway (I'm not that much of a Un*x scripting guru though).

Good luck, and I'm sure scripting guruness isn't required for this ;)

nephros

--
"I do not think the way you think I think."
-- Kai, last of the Brunnen G
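The "insert it only if it is not already the first INPUT rule" check that fabrulous describes above, written out as an added example; this is not code from the thread. It takes the rule list from `iptables -S INPUT` (one rule per line, in chain order, after the `-P` policy line) and only calls `iptables -I` when the accept rule is missing from the top. The decision logic is separated from the iptables calls so it can be exercised on constructed listings without root; `STATIC_IP` is the thread's own placeholder, `203.0.113.10` is a made-up address, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): hourly "safety net" cron job body that
# keeps the SSH accept rule for our own address as the FIRST rule of INPUT.

STATIC_IP="${STATIC_IP:-203.0.113.10}"   # constructed placeholder address

# first_rule LISTING: print the first real rule of the listing, skipping the
# "-P INPUT <policy>" line that iptables -S prints before any -A lines.
first_rule() {
    printf '%s\n' "$1" | grep -e '^-A INPUT ' | head -n 1
}

# ssh_rule_is_first LISTING: succeed (0) when the first INPUT rule is the
# accept rule for tcp/22 from $STATIC_IP. iptables -S prints the source as
# "-s A.B.C.D/32" and expands "-p tcp --dport 22" to "-p tcp -m tcp --dport 22",
# so match on the tokens rather than on the exact line.
ssh_rule_is_first() {
    rule=$(first_rule "$1")
    case "$rule" in
        *"-s ${STATIC_IP}/32 "*"-p tcp "*"--dport 22 "*"-j ACCEPT"*) return 0 ;;
        *"-s ${STATIC_IP} "*"-p tcp "*"--dport 22 "*"-j ACCEPT"*)    return 0 ;;
    esac
    return 1
}

# ensure_ssh_rule: the thread's one-line action, performed only when needed.
ensure_ssh_rule() {
    listing=$(iptables -S INPUT)
    if ssh_rule_is_first "$listing"; then
        return 0                       # already first: touch nothing
    fi
    iptables -I INPUT -p tcp --dport 22 -s "$STATIC_IP" -j ACCEPT
}

# Constructed sample listings (what iptables -S INPUT might print):
SAMPLE_OK='-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

SAMPLE_BURIED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT'

SAMPLE_EMPTY='-P INPUT ACCEPT'

# Only touch the live firewall when explicitly asked (e.g. from cron with
# APPLY_SSH_RULE=1), so the file can be sourced and tested safely.
if [ "${APPLY_SSH_RULE:-0}" = "1" ]; then
    ensure_ssh_rule
fi
```

Because `iptables -I INPUT` always inserts at position 1, a rule that has been pushed down by a later `-I` gets a fresh copy on top rather than being moved; the stale copy lower in the chain is harmless for the lockout problem but will accumulate if the master script never flushes, which is one more reason to prefer nephros's advice of putting the accept line right after the flush in the master script.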