Implementing a firewall after-the-fact
Jonathan Crowe
jcrowe at sagesys.net
Thu Dec 2 19:50:29 UTC 2004
Here is what I do when I have to change iptable rules on a remote
server. We are running RedHat.
If there is a local user that I can talk through logging in to the console:
1) ssh into the machine.
2) create an /etc/sysconfig/iptables that is completely open, nothing
blocked at all.
3) create a copy called /etc/sysconfig/iptables.emergency.restore
4) create a bash script and a sudo user that can copy
iptables.emergency.restore back over iptables. (script should also
restart iptables)
5) test to make sure that that user can in fact run the script and it
does overwrite iptables and restart the daemon.
6) make changes to /etc/sysconfig/iptables as required to tighten
things up. (don't forget to allow ssh from your ip!!!)
7) test to make sure you are not locked out and that the users can
still get everything they need.
8) tweak as needed.
9) copy /etc/sysconfig/iptables to /etc/sysconfig/iptables.last.working
10) create a script and sudo user that can copy iptables.last.working
over top of iptables.
11) every time you tweak the iptable rules, test for a day then copy
iptables to iptables.last.working
You now have 3 choices when you lock yourself out.
1) Talk a local user through logging onto the console and restoring to
iptables.emergency.restore
2) Talk a local user through logging onto the console and restoring to
iptables.last.working
3) Talk a local user through logging onto the console and shutting
iptables off manually.
If there is no local user that I can talk through logging into the
console, I do the above except that I put the iptables.last.working
script onto the end of /etc/rc.local.
This way a reboot gets me back to a known good state. If you are
really stuck you can at least have someone kick the cord out for you.
--
Jonathan Crowe
System Administrator
for Sage Systems, Inc.
425-451-2484 x 3025
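The fallback scripts from steps 4 and 10 above, written out as one added example; this is not the poster's own script. It assumes the RedHat layout named in the post (/etc/sysconfig/iptables and the two saved copies), that the script is installed as /usr/local/sbin/iptables-fallback (an assumed path), and that "service iptables restart" is how the ruleset is reloaded. The open ruleset it writes is constructed here in iptables-save format.

```shell
#!/bin/sh
# Added example, not the original poster's scripts: one fallback script that
# covers the emergency-restore and "last working" steps described above.
# Assumptions (none are from the post): it is installed as
# /usr/local/sbin/iptables-fallback, the rules live in the RedHat-style
# /etc/sysconfig/iptables files named in the post, and
# "service iptables restart" is how the ruleset is reloaded.

RULES=/etc/sysconfig/iptables
EMERGENCY=/etc/sysconfig/iptables.emergency.restore
LAST_WORKING=/etc/sysconfig/iptables.last.working
RESTART_CMD="${RESTART_CMD:-service iptables restart}"   # overridable for testing

# Write a completely open ruleset in iptables-save format (constructed here):
# every chain of the filter table defaults to ACCEPT, nothing is blocked.
write_open_ruleset() {
    mkdir -p "$(dirname "$1")" || return 1
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Number of chains whose default policy is ACCEPT; 3 means the filter table
# is fully open. Used to sanity-check a saved ruleset before trusting it.
count_accept_policies() {
    grep -c '^:[A-Z]* ACCEPT' "$1"
}

# Copy a saved ruleset (arg 1) over the live file (arg 2) and reload iptables.
# Refuses, leaving the live file untouched, if the saved copy is missing or
# is not an iptables-save filter table at all.
restore_rules() {
    src="$1"; dst="$2"
    if [ ! -f "$src" ] || ! grep -q '^\*filter' "$src"; then
        echo "refusing to restore: $src missing or not an iptables-save file" >&2
        return 1
    fi
    cp -p "$src" "$dst" && $RESTART_CMD
}

# Promote the live rules (arg 1) to the "last working" copy (arg 2) once they
# have run for a day without locking anyone out.
bless_current_rules() {
    [ -f "$1" ] || return 1
    cp -p "$1" "$2"
}

case "${1:-}" in
    init)      write_open_ruleset "$EMERGENCY" ;;
    emergency) restore_rules "$EMERGENCY" "$RULES" ;;
    last)      restore_rules "$LAST_WORKING" "$RULES" ;;
    bless)     bless_current_rules "$RULES" "$LAST_WORKING" ;;
    "")        ;;   # no action given: only define the functions (e.g. when sourced)
    *)         echo "usage: $0 init|emergency|last|bless" >&2; exit 2 ;;
esac
```

To give the local user only the restore actions (step 4), an assumed sudoers entry for an assumed account "helper" would be: helper ALL=(root) NOPASSWD: /usr/local/sbin/iptables-fallback emergency, /usr/local/sbin/iptables-fallback last. Step 5 is then simply logging in as that user and running "sudo /usr/local/sbin/iptables-fallback emergency", then checking that /etc/sysconfig/iptables is the open ruleset. For the no-local-user case, the line appended to /etc/rc.local is "/usr/local/sbin/iptables-fallback last", and "iptables-fallback bless" is what you run after the day of testing in step 11.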