[donotprint][/donotprint]You can easily flush out current configuration using iptables command and shell script combo. There is no built in option for this kind of settings. So you need to write a small shell script and call it from crontab file.
Create a firewall reset shell script
Create a /root/reset.fw script:
#!/bin/bash # reset.fw - Reset firewall # set x to 0 - No reset # set x to 1 - Reset firewall # --------------------------------------------------------------------------------------------------------------- # Added support for IPV6 Firewall # --------------------------------------------------------------------------------------------------------------- # Written by Vivek Gite <vivek@nixcraft.com> # --------------------------------------------------------------------------------------------------------------- # You can copy / paste / redistribute this script under GPL version 2.0 or above # ============================================================= x=1 # set to true if it is CentOS / RHEL / Fedora box RHEL=false # set true if it is CentOS/RHEL v7.x or above RHEL7=false ### no need to edit below ### IPT=/sbin/iptables IPT6=/sbin/ip6tables if [ "$x" == "1" ]; then if [ "$RHEL" == "true" ]; then # reset firewall using redhat script if [ "$RHEL7" == "true" ]; then systemctl stop iptables systemctl stop ip6tables else ## old rhel <= v6.x ## /etc/init.d/iptables stop /etc/init.d/ip6tables stop fi else # for all other Linux distro use following rules to reset firewall ### reset ipv4 iptales ### $IPT -F $IPT -X $IPT -Z for table in $(</proc/net/ip_tables_names) do $IPT -t $table -F $IPT -t $table -X $IPT -t $table -Z done $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT $IPT -P FORWARD ACCEPT ### reset ipv6 iptales ### $IPT6 -F $IPT6 -X $IPT6 -Z for table in $(</proc/net/ip6_tables_names) do $IPT6 -t $table -F $IPT6 -t $table -X $IPT6 -t $table -Z done $IPT6 -P INPUT ACCEPT $IPT6 -P OUTPUT ACCEPT $IPT6 -P FORWARD ACCEPT fi else : fi |
Set permissions:
# chmod +x /root/reset.fw
Create cronjon to reset current configuration every 5 minutes, enter
# crontab -e
OR
# vi /etc/crontab
Append following settings:
*/5 * * * * root /root/reset.fw >/dev/null 2>&1
Please remember to set x to 0 once a working configuration has been created for your Linux system.
Dealing with command line rules
Run command over screen based session:
Your-iptable-rule-here && sleep 120 && /root/reset.fw
You can load the firewall rule and sleep for 120 seconds then disable/reset firewall using /root/reset.fw script.
A note about security
Also, rather than leaving your server vulnerable, it might be good to have it restore a known good version of the tables, or one locked down to nothing but ssh:
iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT |
For example one can update above script as follows:
... else # for all other Linux distro use following rules to reset firewall ### reset ipv4 iptales ### $IPT -F $IPT -X $IPT -Z for table in $(</proc/net/ip_tables_names) do $IPT -t $table -F $IPT -t $table -X $IPT -t $table -Z done $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT $IPT -P FORWARD ACCEPT #Uncommet to drop everything but only allow ssh over ipv4 ## #$IPT -P INPUT DROP #$IPT -P OUTPUT DROP #$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT #$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT ### reset ipv6 iptales ### $IPT6 -F $IPT6 -X $IPT6 -Z for table in $(</proc/net/ip6_tables_names) do $IPT6 -t $table -F $IPT6 -t $table -X $IPT6 -t $table -Z done $IPT6 -P INPUT ACCEPT $IPT6 -P OUTPUT ACCEPT $IPT6 -P FORWARD ACCEPT fi ... |
See also
- Reset PF Firewall Automatically While Testing Configuration With Remote Server Over SSH Session
- Man pages – iptables-restore(8)
10 comment
nice script, but you forgot the raw table
also, i think it would be a good idea to reset the counters and delete any existing empty chains
so
iptables -F
iptables -X
iptables -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t raw -F
iptables -t raw -X
iptables -t raw -Z
cheers
….
### no need to edit below ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables
if [ $x = 1 ];
then
…..
otherwise bash will complain – unexpected character ….
have a nice day!
That’s what iptables-apply is for.
I would just use the “save” command to make a copy of the iptable script. Then “restore” it via a cron command to the original script. This way you don’t create an undefended system when you restore.
Alternative to cron is port knocking.
My approach to this kind of situations (after having been through a few ones) is to add a –failsafe parameter to my firewall scripts, which would run the (new) effective firewall rules with a ‘sleep 20’ after applying this new rules thus after 20 seconds, if I didn’t break the countdown, the new firewall rules are wiped out.
wow great.. script..
thanks..
Instead of messing with cron, there is an EASY way to rerun recurring events — “watch”.
watch is intended for things like ‘watch ls -l’, but it also works great for things like:
‘watch -n 30 killall -USR1 dd’
or
‘watch -n300 /etc/rc.d/rc.firewall.orig’ :)
Additional: If you’re worried about knocking off your watch window, try SCREEN.
It avoids all those nasty: ‘>/dev/null 2>&1 </dev/null &' stuff and gives you multiple screens at the same time that can't be knocked off. There's a simple reconnect command: 'screen -r'.
I had another attempt a long time ago, using bash trap and a sleep. The script took a backup of the currently running config, did a iptables-restore on the new config. If I then didn’t hit CTRL-C within 1 minute, it would reload the backup iptables rules and my connection would be restored.