Implementing a firewall after-the-fact

Jonathan Crowe jcrowe at sagesys.net
Thu Dec 2 19:50:29 UTC 2004


Here is what I do when I have to change iptable rules on a remote 
server.  We are running RedHat.

If there is a local user that I can talk through logging in to the console:

1)  ssh into the machine.
2)  create an /etc/sysconfig/iptables that is completely open, nothing
    blocked at all.
3)  create a copy called /etc/sysconfig/iptables.emergency.restore
4)  create a bash script and sudo user that can copy
    iptables.emergency.restore back over iptables.  (script should also
    restart iptables)
5)  test to make sure that that user can in fact run the script and it
    does overwrite iptables and restart the daemon.
6)  make changes to /etc/sysconfig/iptables as required to tighten
    things up.  (don't forget to allow ssh from your ip!!!)
7)  test to make sure you are not locked out and that the users can
    still get everything they need.
8)  tweak as needed.
9)  copy /etc/sysconfig/iptables to /etc/sysconfig/iptables.last.working
10) create a script and sudo user that can copy iptables.last.working
    over top of iptables.
11) every time you tweak the iptables rules, test for a day then copy
    iptables to iptables.last.working

You now have 3 choices when you lock yourself out.
1)  Talk a local user through logging onto the console and restoring to
    iptables.emergency.restore
2)  Talk a local user through logging onto the console and restoring to
    iptables.last.working
3)  Talk a local user through logging onto the console and shutting
    iptables off manually.


If there is no local user that I can talk through logging into the
console I do the above except that I put the iptables.last.working
script onto the end of /etc/rc.local.

This way a reboot gets me back to a known good state.  If you are
really stuck you can at least have someone kick the cord out for you.

-- 
Jonathan Crowe
System Administrator
for Sage Systems, Inc.
425-451-2484  x 3025
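As an added example, not the original poster's script and not anything from the list archive, here is a shell helper that implements the scheme described above: an open ruleset for iptables.emergency.restore, a restore command for either saved file, a last-known-good snapshot, and a command dispatch that a restricted sudo user can be allowed to run. It goes one step beyond the post with a timed automatic rollback, so that a ruleset that locks you out restores itself from iptables.last.working without a reboot or a local user. The script name, the command words, the pending marker file and the reload command (the RedHat init script via service) are assumptions; the post only names the three file locations.

```shell
#!/bin/bash
# Added example, not the original poster's script: a helper implementing the
# backup / emergency-restore / last-known-good scheme from the post above.
# Paths default to the RedHat layout the post uses; override the variables to
# rehearse in a scratch directory as an unprivileged user (RESTART_CMD=true).
set -u

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
EMERGENCY_FILE="${EMERGENCY_FILE:-/etc/sysconfig/iptables.emergency.restore}"
LAST_WORKING_FILE="${LAST_WORKING_FILE:-/etc/sysconfig/iptables.last.working}"
# How the saved file is reloaded into the kernel (RedHat init script, assumed).
RESTART_CMD="${RESTART_CMD:-/sbin/service iptables restart}"
# Marker meaning "an unconfirmed ruleset is live" (assumed name, see apply).
PENDING_MARK="${PENDING_MARK:-$RULES_FILE.pending}"

# Steps 2/3: a completely open ruleset in iptables-save format, nothing blocked.
write_open_ruleset() {
  cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Steps 4 and 10: copy a saved ruleset over the live file and reload it.
restore_from() {
  src="$1"
  [ -r "$src" ] || { echo "restore: cannot read $src" >&2; return 1; }
  cp -p "$src" "$RULES_FILE" && $RESTART_CMD
}

# Steps 9 and 11: snapshot the current rules as last-known-good.
save_last_working() {
  cp -p "$RULES_FILE" "$LAST_WORKING_FILE"
}

# Beyond the post: apply a new ruleset with an automatic rollback. A background
# watchdog restores last-known-good after $timeout seconds unless confirm_rules
# is run first (proving you can still get in). No reboot, no local user needed.
apply_with_rollback() {
  new_rules="$1"
  timeout="${2:-120}"
  save_last_working || return 1
  cp -p "$new_rules" "$RULES_FILE" || return 1
  : > "$PENDING_MARK"
  if ! $RESTART_CMD; then
    # Reload failed outright: roll back immediately instead of waiting.
    rm -f "$PENDING_MARK"
    restore_from "$LAST_WORKING_FILE"
    return 1
  fi
  (
    sleep "$timeout"
    if [ -e "$PENDING_MARK" ]; then
      rm -f "$PENDING_MARK"
      restore_from "$LAST_WORKING_FILE"
    fi
  ) &
  echo "$!"   # watchdog pid, for the operator's information
}

# Run from a NEW ssh session once the rules are verified: cancels the
# rollback and promotes the live rules to last-known-good.
confirm_rules() {
  [ -e "$PENDING_MARK" ] || { echo "confirm: nothing pending" >&2; return 1; }
  rm -f "$PENDING_MARK" && save_last_working
}

# Command dispatch; the restricted sudo user is allowed exactly these words.
case "${1:-}" in
  init)         write_open_ruleset "$EMERGENCY_FILE" ;;
  emergency)    restore_from "$EMERGENCY_FILE" ;;
  last-working) restore_from "$LAST_WORKING_FILE" ;;
  save)         save_last_working ;;
  apply)        apply_with_rollback "${2:?usage: apply FILE [SECONDS]}" "${3:-120}" ;;
  confirm)      confirm_rules ;;
  "")           ;;   # no argument: define functions only (sourced or tested)
  *) echo "usage: $0 {init|emergency|last-working|save|apply FILE [SECONDS]|confirm}" >&2
     exit 2 ;;
esac
```

Installed as, say, /usr/local/sbin/iptables-helper (an assumed path), the poster's steps 4 and 10 become a sudoers entry of the form "helper ALL=(root) NOPASSWD: /usr/local/sbin/iptables-helper emergency, /usr/local/sbin/iptables-helper last-working", so the local user can only restore, never edit. The no-local-user variant from the post is the line "/usr/local/sbin/iptables-helper last-working" at the end of /etc/rc.local. The step-7 lockout test becomes "iptables-helper apply /root/iptables.new 120", then a fresh ssh login and "iptables-helper confirm" within two minutes; if the login fails, the watchdog puts the old rules back by itself.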