How To Reset Linux Firewall Automatically While Testing Configuration With Remote Server Over SSH Session


I would like to tell my Linux iptables firewall to flush out the current configuration every 5 minutes. This will help when I'm testing new rules and configuration options. Sometimes I find myself locked out of my own remote server. How do I reset the Linux firewall automatically without issuing a hard reboot?

You can easily flush out the current configuration using an iptables command and shell script combo. There is no built-in option for this kind of setting, so you need to write a small shell script and call it from the crontab file.

Create a firewall reset shell script

Create a /root/reset.fw script:

#!/bin/bash
# reset.fw - Reset firewall
# set x to 0 - No reset
# set x to 1 - Reset firewall
# ---------------------------------------------------------------------------
# Added support for IPv6 firewall
# ---------------------------------------------------------------------------
# Written by Vivek Gite <vivek@nixcraft.com>
# ---------------------------------------------------------------------------
# You can copy / paste / redistribute this script under GPL version 2.0 or above
# =============================================================
x=1

# set to true if it is a CentOS / RHEL / Fedora box
RHEL=false

# set to true if it is CentOS / RHEL v7.x or above
RHEL7=false

### no need to edit below ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables

if [ "$x" = "1" ];
then
	if [ "$RHEL" = "true" ];
	then
		# reset firewall using the Red Hat service scripts
		if [ "$RHEL7" = "true" ];
		then
			systemctl stop iptables
			systemctl stop ip6tables
		else  ## old RHEL <= v6.x ##
			/etc/init.d/iptables stop
			/etc/init.d/ip6tables stop
		fi
	else
		# for all other Linux distros use the following rules to reset the firewall
		### reset ipv4 iptables: flush rules, delete user chains, zero counters ###
		$IPT -F
		$IPT -X
		$IPT -Z
		# repeat for every loaded table (nat, mangle, raw, ...)
		for table in $(</proc/net/ip_tables_names)
		do
			$IPT -t $table -F
			$IPT -t $table -X
			$IPT -t $table -Z
		done
		### default policies back to ACCEPT ###
		$IPT -P INPUT ACCEPT
		$IPT -P OUTPUT ACCEPT
		$IPT -P FORWARD ACCEPT
		### reset ipv6 ip6tables the same way ###
		$IPT6 -F
		$IPT6 -X
		$IPT6 -Z
		for table in $(</proc/net/ip6_tables_names)
		do
			$IPT6 -t $table -F
			$IPT6 -t $table -X
			$IPT6 -t $table -Z
		done
		$IPT6 -P INPUT ACCEPT
		$IPT6 -P OUTPUT ACCEPT
		$IPT6 -P FORWARD ACCEPT
	fi
else
	:   # x is 0: do nothing
fi

Set permissions:
# chmod +x /root/reset.fw
Create a cron job to reset the current configuration every 5 minutes. Either edit root's own crontab:
# crontab -e
and append (a per-user crontab has no user field):
*/5 * * * * /root/reset.fw >/dev/null 2>&1
OR edit the system crontab, whose format includes a user field:
# vi /etc/crontab
and append:
*/5 * * * * root /root/reset.fw >/dev/null 2>&1
Please remember to set x to 0 once a working configuration has been created for your Linux system; otherwise cron will keep wiping the rules you want to keep.

Dealing with command line rules

Run the command in a screen-based session:
Your-iptable-rule-here && sleep 120 && /root/reset.fw
This loads the firewall rule, sleeps for 120 seconds, and then disables/resets the firewall using the /root/reset.fw script. While it sleeps, check from a second session that you can still reach the server.

A note about security

Also, rather than leaving your server wide open after a reset, it might be better to have it restore a known-good version of the tables, or one locked down to nothing but SSH:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

For example, one can update the above script as follows:

...
	else
		# for all other Linux distros use the following rules to reset the firewall
		### reset ipv4 iptables ###
		$IPT -F
		$IPT -X
		$IPT -Z
		for table in $(</proc/net/ip_tables_names)
		do
			$IPT -t $table -F
			$IPT -t $table -X
			$IPT -t $table -Z
		done
		$IPT -P INPUT ACCEPT
		$IPT -P OUTPUT ACCEPT
		$IPT -P FORWARD ACCEPT
		## Uncomment to drop everything and allow only SSH over IPv4 ##
		#$IPT -P INPUT DROP
		#$IPT -P OUTPUT DROP
		#$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
		#$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
		### reset ipv6 ip6tables ###
		$IPT6 -F
		$IPT6 -X
		$IPT6 -Z
		for table in $(</proc/net/ip6_tables_names)
		do
			$IPT6 -t $table -F
			$IPT6 -t $table -X
			$IPT6 -t $table -Z
		done
		$IPT6 -P INPUT ACCEPT
		$IPT6 -P OUTPUT ACCEPT
		$IPT6 -P FORWARD ACCEPT
	fi
...
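A failsafe wrapper in the spirit of the "rule && sleep 120 && /root/reset.fw" one-liner above and of the note about restoring a known-good ruleset: it saves the live rules with iptables-save, applies the candidate with iptables-restore, and puts the saved rules back unless the operator confirms within the deadline. This is example code added to this article, not part of the original post; the fwtry_* helper names, the confirm-file path, the return codes and the IPT_SAVE/IPT_RESTORE overrides are this example's own assumptions.

```shell
#!/bin/sh
# fwtry.sh - apply a candidate iptables ruleset and roll it back automatically
# unless the operator confirms, from a second session, that access still works.
# Added example for this article (not part of the original post); the fwtry_*
# names, the confirm-file mechanism and the return codes are this example's own.
# Usage (as root):  sh fwtry.sh /root/new-rules.v4 60
# Confirm within the deadline from another SSH session:  touch /run/fwtry.confirm

IPT_SAVE="${IPT_SAVE:-iptables-save}"          # overridable so the logic can be
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"  # exercised without touching netfilter
CONFIRM_FILE="${CONFIRM_FILE:-/run/fwtry.confirm}"

# Poll up to $1 seconds for the confirm file. 0 = confirmed, 1 = deadline passed.
fwtry_wait_confirm() {
	deadline=$(( $(date +%s) + $1 ))
	while [ "$(date +%s)" -lt "$deadline" ]; do
		if [ -e "$CONFIRM_FILE" ]; then
			rm -f "$CONFIRM_FILE"
			return 0
		fi
		sleep 1
	done
	return 1
}

# Apply ruleset file $1 with a $2-second deadline.
# Returns 0 if kept, 1 if rolled back, 2 if the live rules could not be saved or applied.
fwtry_apply() {
	new="$1"; timeout="${2:-60}"
	backup=$(mktemp) || return 2
	rm -f "$CONFIRM_FILE"                        # a stale confirmation must not count
	"$IPT_SAVE" > "$backup" || { rm -f "$backup"; return 2; }
	# Restore the saved rules even if the session drops (HUP) or the script is interrupted.
	trap '"$IPT_RESTORE" < "$backup"; rm -f "$backup"; exit 1' INT TERM HUP
	if ! "$IPT_RESTORE" < "$new"; then
		"$IPT_RESTORE" < "$backup"; trap - INT TERM HUP; rm -f "$backup"
		return 2
	fi
	if fwtry_wait_confirm "$timeout"; then
		trap - INT TERM HUP; rm -f "$backup"         # confirmed: keep the new rules
		return 0
	fi
	"$IPT_RESTORE" < "$backup"                       # no confirmation: known-good rules back
	trap - INT TERM HUP; rm -f "$backup"
	return 1
}

if [ $# -ge 1 ]; then
	fwtry_apply "$1" "${2:-60}"
fi
```

Confirm by touching the confirm file from a new SSH session opened after the candidate was applied; a fresh connection succeeding is the evidence that the new rules still admit you, whereas an already-established session would survive a bad rule.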

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

Comments

  1. Nice script, but you forgot the raw table.
    Also, I think it would be a good idea to reset the counters and delete any existing empty chains,
    so:

    iptables -F
    iptables -X
    iptables -Z
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -Z
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    iptables -t raw -F
    iptables -t raw -X
    iptables -t raw -Z

    cheers

  2. ….
    ### no need to edit below ###
    IPT=/sbin/iptables
    IPT6=/sbin/ip6tables

    if [ $x = 1 ];
    then
    …..

    otherwise bash will complain – unexpected character ….

    have a nice day!

  3. I would just use the “save” command to make a copy of the iptable script. Then “restore” it via a cron command to the original script. This way you don’t create an undefended system when you restore.

  4. My approach to this kind of situation (after having been through a few) is to add a --failsafe parameter to my firewall scripts, which would run the (new) effective firewall rules with a 'sleep 20' after applying these new rules; thus after 20 seconds, if I didn't break the countdown, the new firewall rules are wiped out.

  5. Instead of messing with cron, there is an EASY way to rerun recurring events — “watch”.

    watch is intended for things like ‘watch ls -l’, but it also works great for things like:

    ‘watch -n 30 killall -USR1 dd’
    or
    ‘watch -n300 /etc/rc.d/rc.firewall.orig’ :)

  6. Additional: If you’re worried about knocking off your watch window, try SCREEN.

    It avoids all those nasty '>/dev/null 2>&1 </dev/null &' stuff and gives you multiple screens at the same time that can't be knocked off. There's a simple reconnect command: 'screen -r'.

  7. I had another attempt a long time ago, using bash trap and a sleep. The script took a backup of the currently running config, then did an iptables-restore on the new config. If I then didn't hit CTRL-C within 1 minute, it would reload the backup iptables rules and my connection would be restored.
