Re: safety net when working on a dedicated server

On Thursday 22. June 2006 07:17, Keith Keller spake thusly to comp.os.linux.misc,

> On 2006-06-22, fabrulous@xxxxxxxx <fabrulous@xxxxxxxx> wrote:
> > I was thinking of an automated task executing the following
> > line automatically on the dedicated server every hour or so :
> >
> > iptables -I INPUT -p tcp --dport 22 -s STATIC_IP -j ACCEPT
> >
> > so even if I mess things up badly, after maximum one hour I know
> > that this line will be executed and that I'll be able to connect
> > to the dedicated server once again (problem is every hour a
> > new iptables rule gets added... which will add up after years of
> > uptime ;)
>
> It seems better to me simply to re-run a script which resets your
> firewall rules to a known good state. Something which flushes all
> rules before implementing the rules you want would work okay, and
> would avoid the problem of adding a rule every hour. Of course,
> you need to know that the script (and any changes you make) really
> don't prevent you from getting in. :)

How about the combination of the two approaches? Just flush the relevant
chain.

Set up a user-named chain and let all incoming packets first jump to this.
Your cron job could then use something like

    iptables -N mychain 2>/dev/null   # create the chain once; harmless if it already exists
    iptables -F mychain               # empty only our chain, INPUT (and its jump to us) stays intact
    iptables -A mychain -p tcp --dport 22 -s ${STATIC_IP} -j ACCEPT
    iptables -A mychain -j RETURN

to recreate the rule every hour. (Note: "-X mychain" would fail as long as INPUT still
references the chain, which is why the chain is only flushed, not deleted and recreated.)

Of course, this is still rather fragile and the other suggestions in this
thread (serial or net console etc., also TESTING!) sound much better
suited.

Cheers,
nephros
--
"I do not think the way you think I think."
-- Kai, last of the Brunnen G
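One way to make the hourly job idempotent, as an added example that is not part of the original post: the chain is created and hooked into INPUT only once, then only its contents are flushed and rebuilt, so the rule count never grows and the chain is never deleted while INPUT references it. The chain name "safetynet", the admin address 192.0.2.10 (a TEST-NET placeholder) and the DRY_RUN switch are my assumptions; `iptables -C` needs an iptables newer than the 2006 thread.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent cron safety net
# for SSH lockout. Hypothetical names: chain "safetynet", admin host
# STATIC_IP (192.0.2.10 is a constructed TEST-NET placeholder).
set -u
CHAIN="${CHAIN:-safetynet}"
STATIC_IP="${STATIC_IP:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the iptables commands instead of running them

# run: execute one iptables command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# chain_exists: true if the user chain is already defined (always "no" in dry-run).
chain_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    iptables -n -L "$CHAIN" >/dev/null 2>&1
}

# jump_present: true if INPUT already jumps to the chain (always "no" in dry-run).
jump_present() {
    [ "$DRY_RUN" = 1 ] && return 1
    iptables -C INPUT -j "$CHAIN" 2>/dev/null
}

safety_net() {
    # 1. Create the chain once; never -X it while INPUT references it.
    chain_exists || run -N "$CHAIN"
    # 2. Make sure INPUT sends every packet through the chain first (position 1).
    jump_present || run -I INPUT 1 -j "$CHAIN"
    # 3. Flush only our chain, then re-add the rescue rule; it always holds 2 rules.
    run -F "$CHAIN"
    run -A "$CHAIN" -p tcp --dport 22 -s "$STATIC_IP" -j ACCEPT
    run -A "$CHAIN" -j RETURN
}

# "run" applies the rules (as root); "dry-run" only shows what would be done.
case "${1:-}" in
    run) safety_net ;;
    dry-run) DRY_RUN=1; safety_net ;;
esac
```

From cron: `0 * * * * /usr/local/sbin/safetynet.sh run`; check the output first with `sh safetynet.sh dry-run`.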