[CentOS-docs] Re: IPTables HowTo (Comment)
ned at unixmail.co.uk
Mon Aug 25 12:44:46 UTC 2008
Manuel Wolfshant wrote:
> Ned Slider wrote:
>> I guess the best solution would be to develop and test your script
>> locally before uploading and deploying on a remote server.
>> Alternatively, if you must test remotely, setting up a cronjob to
>> deactivate the firewall after 5 mins is a popular approach to prevent
>> locking yourself out of your machine (if anyone on the list has any
>> thoughts about this, it would be appreciated??)
> Oh, yes, please add a note about "at now + 5 minutes pretty please
> disable firewall". It's simple, effective, useful. Safety nets are needed.
Something like this maybe:
echo 'service iptables stop' | at now + 5 minutes
One issue with this approach is that the at package isn't always
installed by default, so it may not be present on all systems.
> Ned: I suggest to insert a line after the "-P DROP" to warn people that
> this command will cut access from remote sites unless a previous ACCEPT
> rule already exists. So either upload and test a full script, or work
> locally.... or take care :)
I'm tempted to just suggest adding an explicit rule at the beginning to
allow ssh access. Something like this:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
should be foolproof for most situations.
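Putting the two suggestions together, here is an added example wrapper (not code from the original thread): it refuses a firewall script that sets "-P INPUT DROP" before an ACCEPT for the ssh port, and arms the five-minute safety net before running the script, falling back to a detached sleep when the at package is missing. SSH_PORT, DELAY_MIN and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: apply a firewall script only after
# checking it accepts ssh before "-P INPUT DROP" and arming a timed safety net.
# SSH_PORT, DELAY_MIN and the function names are assumptions of this example.
SSH_PORT="${SSH_PORT:-22}"
DELAY_MIN="${DELAY_MIN:-5}"

# Read a firewall script on stdin; succeed unless "-P INPUT DROP" appears before
# a rule that ACCEPTs tcp/$SSH_PORT on INPUT. Comment lines are ignored.
ssh_rule_precedes_drop() {
    awk -v port="$SSH_PORT" '
        /^[ \t]*#/ { next }
        /-P[ \t]+INPUT[ \t]+DROP/ && !seen_ssh { bad = 1; exit }
        /-A[ \t]+INPUT/ && /-p[ \t]+tcp/ && /-j[ \t]+ACCEPT/ && $0 ~ ("--dport[ \t]+" port "([ \t]|$)") { seen_ssh = 1 }
        END { exit bad }'
}

# Arm the safety net from the thread: stop the firewall in DELAY_MIN minutes.
# Uses at(1) when installed; otherwise falls back to a detached sleep, since the
# at package is not always present. Prints a handle for cancel_safety_net.
schedule_safety_net() {
    if command -v at >/dev/null 2>&1; then
        # at reports "job N at <date>" on stderr; keep only the job number
        echo 'service iptables stop' | at now + "$DELAY_MIN" minutes 2>&1 \
            | sed -n 's/^job \([0-9][0-9]*\) .*/at:\1/p'
    else
        nohup sh -c "sleep $((DELAY_MIN * 60)) && service iptables stop" >/dev/null 2>&1 &
        echo "pid:$!"
    fi
}

# Disarm the safety net once the new rules are confirmed to work.
cancel_safety_net() {
    case "$1" in
        at:*)  atrm "${1#at:}" ;;
        pid:*) kill "${1#pid:}" ;;
    esac
}

# Refuse a script that would lock out ssh, then arm the net and run it.
apply_firewall_script() {
    if ! ssh_rule_precedes_drop < "$1"; then
        echo "refusing $1: -P INPUT DROP precedes an ACCEPT for tcp/$SSH_PORT" >&2
        return 1
    fi
    job=$(schedule_safety_net)
    sh "$1" && echo "applied; safety net $job fires in $DELAY_MIN min, cancel with: cancel_safety_net $job"
}

if [ $# -gt 0 ]; then apply_firewall_script "$1"; fi
```

Run it as `sh safe-apply.sh /path/to/firewall-script.sh`; once ssh still works, disarm with `cancel_safety_net` and the printed handle.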