How To Reset Linux Firewall Automatically While Testing Configuration With Remote Server Over SSH Session

by on July 6, 2008 · 9 comments· LAST UPDATED April 11, 2014

in , ,

I'd like to tell my Linux iptables firewall to flush out the current configuration every 5 minutes. This will help when I'm testing a new rules and configuration options. Some time I find myself locked out of my own remote server. How do I reset Linux firewall automatically without issuing hard reboot?

Tutorial details
DifficultyAdvanced (rss)
Root privilegesYes
RequirementsNone
Estimated completion time5m
You can easily flush out current configuration using iptables command and shell script combo. There is no built in option for this kind of settings. So you need to write a small shell script and call it from crontab file.

Create a firewall reset shell script

Create a /root/reset.fw script:

#!/bin/bash
# reset.fw - Reset firewall
# set x to 0 - No reset
# set x to 1 - Reset firewall
# ---------------------------------------------------------------------------------------------------------------
# Added support for IPV6 Firewall
# ---------------------------------------------------------------------------------------------------------------
# Written by Vivek Gite <vivek@nixcraft.com>
# ---------------------------------------------------------------------------------------------------------------
# You can copy / paste / redistribute this script under GPL version 2.0 or above
# =============================================================
x=1
 
# set to true if it is CentOS / RHEL / Fedora box
RHEL=false
 
### no need to edit below  ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
 
if [ "$x" == "1" ];
then
	if [ "$RHEL" == "true" ];
	then
	      # reset firewall using redhat script
		/etc/init.d/iptables stop
		/etc/init.d/ip6tables stop
	else
		# for all other Linux distro use following rules to reset firewall
		### reset ipv4 iptales ###
		$IPT -F
		$IPT -X
		$IPT -Z
		for table in $(</proc/net/ip_tables_names)
		do
			$IPT -t $table -F
			$IPT -t $table -X
			$IPT -t $table -Z
		done
		$IPT -P INPUT ACCEPT
		$IPT -P OUTPUT ACCEPT
		$IPT -P FORWARD ACCEPT
		### reset ipv6 iptales ###
		$IPT6 -F
		$IPT6 -X
		$IPT6 -Z
		for table in $(</proc/net/ip6_tables_names)
		do
			$IPT6 -t $table -F
			$IPT6 -t $table -X
			$IPT6 -t $table -Z
		done
		$IPT6 -P INPUT ACCEPT
		$IPT6 -P OUTPUT ACCEPT
		$IPT6 -P FORWARD ACCEPT
	fi
else
        :
fi

Set permissions:
# chmod +x /root/reset.fw
Create cronjon to reset current configuration every 5 minutes, enter
# crontab -e
OR
# vi /etc/crontab
Append following settings:
*/5 * * * * root /root/reset.fw >/dev/null 2>&1
Please remember to set x to 0 once a working configuration has been created for your Linux system.

Dealing with command line rules

Run command over screen based session:
Your-iptable-rule-here && sleep 120 && /root/reset.fw
You can load the firewall rule and sleep or 120 seconds then disable/reset firewall using /root/reset.fw script.

See also
TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 9 comments… read them below or add one }

1 Kevin Green July 6, 2008 at 12:49 pm

nice script, but you forgot the raw table
also, i think it would be a good idea to reset the counters and delete any existing empty chains
so

iptables -F
iptables -X
iptables -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z

cheers

Reply

2 kuda April 17, 2009 at 9:25 am

….
### no need to edit below ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables

if [ $x = 1 ];
then
…..

otherwise bash will complain – unexpected character ….

have a nice day!

Reply

3 name October 31, 2009 at 1:43 pm

That’s what iptables-apply is for.

Reply

4 Eric January 19, 2010 at 4:57 am

I would just use the “save” command to make a copy of the iptable script. Then “restore” it via a cron command to the original script. This way you don’t create an undefended system when you restore.

Reply

5 Mihai RATZ April 20, 2010 at 12:46 pm

Alternative to cron is port knocking.

Reply

6 PeGa! May 17, 2010 at 5:18 pm

My approach to this kind of situations (after having been through a few ones) is to add a –failsafe parameter to my firewall scripts, which would run the (new) effective firewall rules with a ‘sleep 20′ after applying this new rules thus after 20 seconds, if I didn’t break the countdown, the new firewall rules are wiped out.

Reply

7 parbat June 8, 2010 at 4:24 am

wow great.. script..

thanks..

Reply

8 Dan Gauthier September 25, 2011 at 6:13 pm

Instead of messing with cron, there is an EASY way to rerun recurring events — “watch”.

watch is intended for things like ‘watch ls -l’, but it also works great for things like:

‘watch -n 30 killall -USR1 dd’
or
‘watch -n300 /etc/rc.d/rc.firewall.orig’ :)

Reply

9 Dan Gauthier September 25, 2011 at 6:17 pm

Additional: If you’re worried about knocking off your watch window, try SCREEN.

It avoids all those nasty: ‘>/dev/null 2>&1 </dev/null &' stuff and gives you multiple screens at the same time that can't be knocked off. There's a simple reconnect command: 'screen -r'.

Reply

Leave a Comment

Tagged as: , , , , , , ,

Previous Faq:

Next Faq: