Configuring a remote machine's firewall can be hazardous: one wrong rule and you have locked yourself out of the box. Here is one way of making it a little safer.
First, back up the current firewall rules (as root). Note that /tmp is cleared at boot on many systems, so pick another directory if there is any chance of a reboot before you are done:
# iptables-save > /tmp/iptables.bak
Next, create a script with all your firewall rules, which should be well tested. Below is an example of a stateful firewall that only accepts new SSH connections from the LAN.
#!/bin/bash
# Flush all rules in the filter table and delete any user-defined chains,
# so the result does not depend on what was loaded before
iptables -F
iptables -X
# Accept all incoming traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to already established/related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept ICMP (ping, and the error messages that path MTU discovery relies on)
iptables -A INPUT -p icmp -j ACCEPT
# Accept new SSH connections on port 22, but only from the LAN (192.168.122.0/24)
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.122.0/24 -j ACCEPT
# Reject all other incoming traffic
iptables -A INPUT -j REJECT
# And the same for forwarded traffic
iptables -A FORWARD -j REJECT
# Making the rules permanent (service iptables save on RHEL/CentOS) is
# deliberately left out: if these rules lock you out and the scheduled
# rollback restores the old ones, a saved copy would bring the bad rules
# back at the next reboot. Save by hand only after you have verified them.
Now, with the help of at (a cron-like command for one-off jobs), schedule a restoration of the original firewall settings in, for example, 20 minutes, or however long you think it will take to test and verify the new configuration. Queue the rollback before you run the new rules script, so that it is already ticking if the script locks you out. The job runs as root under /bin/sh, so atd must be running:
# at now + 20 min
at> iptables-restore /tmp/iptables.bak
at> <EOT>
job 4 at 2014-01-06 01:27
Exit the at prompt with Ctrl+D. You can list the pending at jobs with:
# at -l
4 2014-01-06 01:27 a root
Now run the rules script. If the new firewall configuration checks out (you can still open a fresh SSH session from the LAN, and connections from elsewhere are rejected), delete the at job, and only then make the rules permanent (on RHEL/CentOS: service iptables save):
# atrm 4
If it does not, you just have to wait the 20 minutes before the old configuration is restored. Keep in mind that the rollback only reloads the running rule set; it does not touch anything already written to the saved configuration.
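The whole procedure, as an added example that is not part of the original post, wrapped in a few shell functions: back up the running rules, queue the rollback with at before the new rules are applied, and persist them only after the rollback job has been cancelled. It assumes root, a running atd, the RHEL/CentOS "service iptables save" persistence command (overridable through FW_PERSIST), and a backup directory under /root rather than /tmp; the tool names are variables so the functions can be pointed at wrappers.

```bash
#!/bin/bash
# Added example, not part of the original post: the manual procedure
# (back up, schedule rollback with at, apply, then commit) as reusable
# shell functions. Assumptions: run as root, atd is running, and the
# rules script is the one from the post. Tool names are variables so
# they can be pointed at wrappers.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
AT="${AT:-at}"
ATRM="${ATRM:-atrm}"
ATQ="${ATQ:-atq}"
# How the distribution persists the running rule set across reboots;
# "service iptables save" is the RHEL/CentOS command used in the post.
FW_PERSIST="${FW_PERSIST:-service iptables save}"
# /tmp may be wiped at boot; keep the backup under /root (assumption).
FW_BACKUP_DIR="${FW_BACKUP_DIR:-/root}"

# fw_apply RULES_SCRIPT [MINUTES]
# Saves the running rules, schedules their restoration in MINUTES
# (default 20) and only then runs RULES_SCRIPT. Prints the at job number.
fw_apply() {
    rules_script="$1"
    minutes="${2:-20}"
    backup="$FW_BACKUP_DIR/iptables.$(date +%Y%m%d%H%M%S).bak"

    [ -r "$rules_script" ] || { echo "fw_apply: cannot read $rules_script" >&2; return 1; }
    case "$minutes" in
        ''|*[!0-9]*) echo "fw_apply: MINUTES must be a positive integer" >&2; return 1 ;;
    esac

    "$IPTABLES_SAVE" > "$backup" || return 1
    # An empty dump would "restore" nothing: check the filter table is there.
    grep -q '^\*filter' "$backup" || { echo "fw_apply: $backup has no filter table" >&2; return 1; }

    # Schedule the rollback BEFORE touching the rules, so a script that
    # kills the session still gets undone. at reports "job N at ..." on
    # stderr, hence the 2>&1 before extracting the job number.
    job=$(printf '%s < %s\n' "$IPTABLES_RESTORE" "$backup" \
          | "$AT" now + "$minutes" minutes 2>&1 \
          | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p')
    [ -n "$job" ] || { echo "fw_apply: could not schedule rollback" >&2; return 1; }

    sh "$rules_script" || echo "fw_apply: rules script failed; rollback job $job is still pending" >&2
    echo "$job"
}

# fw_rollback_pending JOB: succeeds only if the at job is still queued.
fw_rollback_pending() {
    "$ATQ" | awk -v j="$1" '$1 == j { found = 1 } END { exit !found }'
}

# fw_commit JOB: you could still log in, so cancel the rollback and only
# now persist the new rules. Refuses if the job has already fired.
fw_commit() {
    fw_rollback_pending "$1" || { echo "fw_commit: job $1 is not queued; rules may already be rolled back" >&2; return 1; }
    "$ATRM" "$1" || return 1
    $FW_PERSIST
}

# Usage (as root):
#   job=$(fw_apply /root/firewall.sh 20)   # apply; rollback is queued
#   ... test SSH from the LAN and from outside ...
#   fw_commit "$job"                       # keep and persist the rules
```

Two details worth noting: the job number is captured from at's own "job N at ..." message rather than read back from atq, so the rollback cannot be confused with another pending job, and the rules script is run only after the rollback is queued, so the window in which a bad rule set has no safety net is zero.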