Discussion in the Linux Networking forum (Linux Forums category): iptables -f locks me out
Hey,

Is there any way around this? It never used to happen with ipchains... Whenever I run iptables -F, when I stop my shorewall script (or if there is an error in the config file and it stops itself), it completely locks me out of remote access and I have to call up my admin and have him drive 15 miles to the site and reboot the machine.

It's really annoying.

Eric
On Sat, 18 Oct 2003 15:10:21 -0400, Eric Gibson <aithien@bellsouth.net> wrote:

> Is there any way around this? It never used to happen with ipchains... Whenever I run iptables -F, when I stop my shorewall script (or if there is an error in the config file and it stops itself), it completely locks me out of remote access and I have to call up my admin and have him drive 15 miles to the site and reboot the machine.

You pay an admin to reboot the machine? I thought the object was to avoid needing to reboot. The admin is the one that should be playing with the firewall anyway.

Well, I don't know firewalls that well, but at a guess, default rules deny outside requests, so when you flush you aren't allowed in. Either remove the rules manually and leave the ones you need, or write a script (to be run with nohup) that flushes the rules and adds the ones required for you to connect (remember it needs to be on your server). I don't know if you can modify the default rules to include what you need to connect. You could probably change the default to accept all connections, but then you'd need to completely rewrite your rules, probably not recommended. Or you could simply reboot the machine to flush the rules (yes, it's lame, but it would work).

Michael C.
--
mcsuper5@usol.com
http://mcsuper5.freeshell.org/
Registered Linux User #303915 http://counter.li.org/
Eric Gibson's <Gcgkb.7670$ft2.5352@bignews3.bellsouth.net> on Saturday 18 October 2003 12:10 pm in %group contained all or some of:

> Hey,
>
> Is there any way around this? It never used to happen with ipchains... Whenever I run iptables -F, when I stop my shorewall script (or if there is an error in the config file and it stops itself), it completely locks me out of remote access and I have to call up my admin and have him drive 15 miles to the site and reboot the machine.
>
> It's really annoying.
>
> Eric

If you were really altering the iptables rules, rebooting still would not allow you access, because the firewall would come back up in the reconfigured state.

I had not heard the word "shorewall" before. A quick Google and scan of the FAQ, and this is what I found. Without reading it further I can only guess that you might investigate the /etc/shorewall/routestopped properties.

From the shorewall FAQ (http://www.shorewall.net/FAQ.htm#faq7):

7. When I stop Shorewall using 'shorewall stop', I can't connect to anything. Why doesn't that command work?

The 'stop' command is intended to place your firewall into a safe state whereby only those hosts listed in /etc/shorewall/routestopped are activated. If you want to totally open up your firewall, you must use the 'shorewall clear' command.
> Is there any way around this? It never used to happen with ipchains... Whenever I run iptables -F, when I stop my shorewall script (or if there is an error in the config file and it stops itself), it completely locks me out of remote access and I have to call up my admin and have him drive 15 miles to the site and reboot the machine.

For remote servers I look after, the solution I've used is a cron script that will re-enable a "known good" firewall after an interval. So if I log in remotely and screw up the firewall, everything is reset after a period. When I'm satisfied with the new changes, I update the master script and the changes become the new known good default.

--
Jem Berkes
http://www.sysdesign.ca/
You can use some of the real good scripts here:
http://www.linuxguruz.com/iptables/

Raqueeb Hassan
Bunia, DRC
On Sat, 18 Oct 2003 15:10:21 -0400, "Eric Gibson" <aithien@bellsouth.net> wrote:

> Is there any way around this? It never used to happen with ipchains... Whenever I run iptables -F, when I stop my shorewall script (or if there is an error in the config file and it stops itself), it completely locks me out of remote access and I have to call up my admin and have him drive 15 miles to the site and reboot the machine.

Quick guess off the top of my head: you've got your default policy on the INPUT and/or OUTPUT chain set to 'DROP'. You have then defined rules to allow only certain input, perhaps only on certain ports. Don't worry, this is a good thing! However, as soon as you do an 'iptables -F', you flush all of your rules and everything goes back to your default policy, i.e. to drop all packets coming in and/or out.

The solution would be to change your default policy BEFORE you flush your tables, i.e.:

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F

The suggestion that another poster made to add a cron script to automatically reset your scripts to a known-good state is a very good idea as well.
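An added example, not code from any poster in this thread, that puts the two fixes above together: set the built-in chain policies to ACCEPT before flushing, and arm a timed revert to a known-good snapshot (the cron idea from Jem's post, done with a background timer). It assumes a POSIX sh running as root with iptables, iptables-save and iptables-restore on the PATH; the IPT, IPT_SAVE and IPT_RESTORE variables, the snapshot path and the new-rules script path are all placeholders of this example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# Assumptions: runs as root with iptables, iptables-save and iptables-restore
# on the PATH. IPT, IPT_SAVE and IPT_RESTORE can be overridden (e.g. IPT=echo)
# for a dry run that only prints the commands; SNAPSHOT is a placeholder path.
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
SNAPSHOT="${SNAPSHOT:-/tmp/fw-known-good.rules}"

# Flush without locking yourself out: set the built-in chains of the filter
# table to ACCEPT *before* -F, so what remains after the flush is a
# permissive policy instead of DROP. -X removes the (now empty) user chains
# that Shorewall created; nat and mangle are flushed too so nothing is left
# behind that still redirects or marks traffic.
safe_flush() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -P "$chain" ACCEPT || return 1
    done
    "$IPT" -F && "$IPT" -X && "$IPT" -t nat -F && "$IPT" -t mangle -F
}

# Dead-man's switch: snapshot the current (known-good) ruleset, then start a
# background timer that restores it after $1 seconds unless cancelled.
# Prints the timer's PID on stdout so the caller can cancel it.
arm_revert() {
    secs="$1"
    "$IPT_SAVE" > "$SNAPSHOT" || return 1
    ( sleep "$secs" && "$IPT_RESTORE" < "$SNAPSHOT" ) >/dev/null 2>&1 &
    echo $!
}

# Cancel the timer once you have confirmed a fresh login still works.
disarm_revert() {
    kill "$1"
}

# Typical session: arm a 5-minute revert, flush safely, load the new rules
# (placeholder script path), open a second ssh session to prove access still
# works, then disarm. If you get locked out instead, the timer restores the
# snapshot and you are back in after 5 minutes without anyone driving out.
# timer=$(arm_revert 300) && safe_flush && sh /path/to/new-rules.sh
# ... test from another terminal ...
# disarm_revert "$timer"
```

The confirm-or-revert idea is the same one the iptables-apply script shipped with iptables implements for a rules file.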