Q. I'd like to tell my Linux iptables firewall to flush out the current configuration every 5 minutes. This will help when I'm testing a new rules and configuration options. Some time I find myself locked out of my own remote server. How do I reset Linux firewall automatically without issuing hard reboot?
A. You can easily flush out current configuration using iptables command and shell script combo. There is no built in option for this kind of settings. So you need to write a small shell script and call it from crontab file.
Create a firewall reset shell script
Create a /root/reset.fw script:
#!/bin/bash # reset.fw - Reset firewall # set x to 0 - No reset # set x to 1 - Reset firewall # --------------------------------------------------------------------------------------------------------------- # Added support for IPV6 Firewall # --------------------------------------------------------------------------------------------------------------- # Written by Vivek Gite <vivek@nixcraft.com> # --------------------------------------------------------------------------------------------------------------- # You can copy / paste / redistribute this script under GPL version 2.0 or above # ============================================================= x=1 # set to true if it is CentOS / RHEL / Fedora box RHEL=false ### no need to edit below ### IPT=/sbin/iptables IPT6=/sbin/ip6tables if [ "$x" == "1" ]; then if [ "$RHEL" == "true" ]; then # reset firewall using redhat script /etc/init.d/iptables stop /etc/init.d/ip6tables stop else # for all other Linux distro use following rules to reset firewall ### reset ipv4 iptales ### $IPT -F $IPT -X $IPT -Z for table in $(</proc/net/ip_tables_names) do $IPT -t $table -F $IPT -t $table -X $IPT -t $table -Z done $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT $IPT -P FORWARD ACCEPT ### reset ipv6 iptales ### $IPT6 -F $IPT6 -X $IPT6 -Z for table in $(</proc/net/ip6_tables_names) do $IPT6 -t $table -F $IPT6 -t $table -X $IPT6 -t $table -Z done $IPT6 -P INPUT ACCEPT $IPT6 -P OUTPUT ACCEPT $IPT6 -P FORWARD ACCEPT fi else : fi
Set permissions:
# chmod +x /root/reset.fw
Create cronjon to reset current configuration every 5 minutes, enter
# crontab -e
OR
# vi /etc/crontab
Append following settings:
*/5 * * * * root /root/reset.fw >/dev/null 2>&1
Please remember to set x to 0 once a working configuration has been created for your Linux system.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- My 10 UNIX Command Line Mistakes
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
- Email FAQ to a friend
- Download PDF version
- Printable version
- Comment RSS feed
- Last Updated: 01/6/09
{ 4 comments… read them below or add one }
nice script, but you forgot the raw table
also, i think it would be a good idea to reset the counters and delete any existing empty chains
so
iptables -F
iptables -X
iptables -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z
cheers
….
### no need to edit below ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
if [ $x = 1 ];
then
…..
otherwise bash will complain – unexpected character ….
have a nice day!
That’s what iptables-apply is for.
I would just use the “save” command to make a copy of the iptable script. Then “restore” it via a cron command to the original script. This way you don’t create an undefended system when you restore.