January 6, 2014

Precaution When Working With Remote Firewall (iptables)

Configuring a remote machine's firewall can be hazardous: one wrong rule and you have locked yourself out of the box. So here is one way of making it a little safer.

First, back up the current firewall rules.

$ iptables-save > /tmp/iptables.bak

Second, create a script with all your firewall rules, which should be well tested. Below is an example of a stateful firewall.

#!/bin/bash

# Delete all existing rules
iptables -F

# Accept all incoming traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Accept all already established/ongoing conversations
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept PING
iptables -A INPUT -p icmp -j ACCEPT

# Accept SSH on port 22, but only from the LAN (192.168.122.0/24)
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.122.0/24 -j ACCEPT

# Reject all other incoming traffic
iptables -A INPUT -j REJECT

# And the same thing goes for FORWARD
iptables -A FORWARD -j REJECT

# Make changes permanent (RHEL/CentOS-style init script)
service iptables save

Now, with the help of the at command (a one-shot relative of cron), we can schedule a restoration of the original firewall settings in, for example, 20 minutes, or however long you think it will take to test and verify your new firewall configuration.

# at now + 20 min
at> iptables-restore /tmp/iptables.bak
at> <EOT>
job 4 at 2014-01-06 01:27

You exit the at prompt with Ctrl+D. Now you can list your at jobs with:

# at -l
4 2014-01-06 01:27 a root

And if your firewall configuration checks out, you can delete the at job with:

# atrm 4

And if it doesn't, you just have to wait 20 minutes before the old configuration is restored.
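The whole procedure above, wrapped into one script as an added example (not from the post): it backs up the running rules, queues the restore through at, applies your rule script, and only removes the at job and persists the rules once you confirm you still have access. The overridable command variables, the confirmation prompt and the script name are my assumptions; it also assumes your rule script leaves out the `service iptables save` step, which the wrapper runs after confirmation.

```shell
#!/bin/bash
# safe-apply.sh (added example, not from the post): apply a new iptables rule
# script with an automatic rollback queued through at, as the post describes.
# Usage: safe-apply.sh /path/to/firewall.sh [minutes]   (default: 20)
# Assumes the rule script does NOT itself run "service iptables save"; the rules
# are persisted only after you confirm access still works. External commands are
# overridable variables so the logic can be tested without root (my assumption).
set -eu

: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"
: "${AT:=at}"
: "${ATRM:=atrm}"
: "${PERSIST:=service iptables save}"
: "${BACKUP:=/tmp/iptables.bak}"

backup_rules() {
    # Save the running ruleset; an empty backup means there is nothing to roll back to.
    "$IPTABLES_SAVE" > "$BACKUP" && [ -s "$BACKUP" ]
}

schedule_restore() {
    # Queue "iptables-restore <backup>" in $1 minutes and print the at job number.
    # at reports "job N at <date>" on stderr, so merge it into the pipe and pull out N.
    printf '%s %s\n' "$IPTABLES_RESTORE" "$BACKUP" \
        | "$AT" now + "$1" min 2>&1 \
        | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

main() {
    [ $# -ge 1 ] || { echo "usage: $0 /path/to/firewall.sh [minutes]" >&2; exit 1; }
    rules=$1; minutes=${2:-20}
    backup_rules || { echo "backup failed, not touching the firewall" >&2; exit 1; }
    job=$(schedule_restore "$minutes")
    [ -n "$job" ] || { echo "could not queue the rollback, aborting" >&2; exit 1; }
    echo "rollback queued as at job $job, fires in $minutes min"
    bash "$rules"   # apply the new rules (the post's script, minus the save step)
    # Check from a SECOND session that you can still log in, then answer here.
    printf 'New rules are live. Keep them? [yes/NO] '
    read -r answer
    if [ "$answer" = yes ]; then
        "$ATRM" "$job"
        $PERSIST        # unquoted on purpose: "service iptables save" is three words
        echo "kept; rollback job $job removed and rules persisted"
    else
        echo "leaving rollback job $job in place; old rules return in $minutes min"
    fi
}
case "$0" in */safe-apply.sh|safe-apply.sh) main "$@" ;; esac
```

Because iptables-restore only restores the running ruleset, persisting after confirmation keeps the saved configuration from reloading untested rules on the next boot.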
