As I'm learning about iptables I've made a couple of mistakes and locked myself out.
What method(s) do you use to test rules without locking yourself out?
I'm using Ubuntu Server 12.04 LTS.
All the answers below were helpful. In the end I used a combination of options. It also helps to have IPMI access to your remote server just in case! But ideally test the rules locally on a replicated environment and test that first. Vagrant helps in this regard to get test setups working quickly.
iptables-apply is specifically designed for this. It applies your rules, and then prompts you to affirm. If you don't affirm, it rolls them back out. So if you brick the system or lock yourself out with apply, it rolls back.
Think about the effect of what you're typing before you type it.
Before you start changing things remotely that might lock you out, insert an accept rule matching your connection at the start of the list. Back that up with a watchdog script that will reset all the rules to what was working when you started if you don't reset the timer. You can do that with a file monitoring loop and running the touch command to reset the timestamp while you're working on things. Just remember to turn it off when you finalize the rules. The very simple format of that is:
You can set up iptables without a default DROP rule on your input-chain. If you create a rule and then put in this command:
Then you see packet counts and see if you have hits from your host.
Also, another option is to make a crontab that runs a script. Within that script, you can write
With this command you can flush your IPTABLES-config.
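A concrete form of the watchdog idea from the earlier answer (and of the cron-driven reset in the last one), as an added example that is not code from any of the posters: it snapshots the ruleset that is known to work, then restores it if a sentinel file has not been touched within a timeout. The file paths, the timeout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: an iptables "dead man's switch". Run it in the background
# before editing rules, keep running `touch $SENTINEL` while you work, and
# kill the loop once the new rules are final. Paths/timeout are assumptions.
set -u

SENTINEL="${SENTINEL:-/run/iptables-watchdog.alive}"
SNAPSHOT="${SNAPSHOT:-/run/iptables-watchdog.rules}"
TIMEOUT="${TIMEOUT:-120}"   # seconds without a touch before rolling back

# Seconds since a file was last modified (GNU stat, with a BSD fallback).
# Fails (non-zero) when the file does not exist.
file_age_seconds() {
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null) || return 1
    echo $(( $(date +%s) - mtime ))
}

# True (exit 0) when the sentinel is missing or older than the timeout,
# i.e. the admin stopped confirming and the saved rules should come back.
should_rollback() {
    age=$(file_age_seconds "$1") || return 0
    [ "$age" -gt "$2" ]
}

# Save the ruleset that is working right now and start the timer.
snapshot_rules() {
    iptables-save > "$SNAPSHOT" && touch "$SENTINEL"
}

# Put the saved ruleset back; the remote session that worked before survives.
rollback_rules() {
    iptables-restore < "$SNAPSHOT"
}

# Poll the sentinel; restore the snapshot once it goes stale, then exit.
watchdog() {
    snapshot_rules || exit 1
    while :; do
        sleep 10
        if should_rollback "$SENTINEL" "$TIMEOUT"; then
            rollback_rules
            logger -t iptables-watchdog "sentinel stale, saved ruleset restored"
            break
        fi
    done
}

if [ "${1:-}" = "run" ]; then
    watchdog
fi
```

Start it with `sh watchdog.sh run &` from the working session; the same `should_rollback` check could equally be called from a one-minute cron job instead of the sleep loop.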