[CentOS-docs] Re: IPTables HowTo (Comment)

Mon Aug 25 12:44:46 UTC 2008
Ned Slider <ned at unixmail.co.uk>

Manuel Wolfshant wrote:
> Ned Slider wrote:
>> I guess the best solution would be to develop and test your script 
>> locally before uploading and deploying on a remote server. 
>> Alternatively, if you must test remotely, setting up a cronjob to 
>> deactivate the firewall after 5 mins is a popular approach to prevent 
>> locking yourself out of your machine (if anyone on the list has any 
>> thoughts about this, it would be appreciated??)
> Oh, yes, please add a note about "at now + 5 minutes pretty please 
> disable firewall". It's simple, effective, useful. Safety nets are needed.

Something like this maybe:

echo 'service iptables stop' | at now + 5 minutes

One issue with this approach is that the at package isn't always 
installed by default, so it may not be present on all systems.

> Ned: I suggest to insert a line after the "-P DROP" to warn people that 
> this command will cut access from remote sites unless a previous ACCEPT 
> rule already exists. So either upload and test a full script, or work 
> locally.... or take care :)

I'm tempted to just suggest adding an explicit rule at the beginning to 
allow ssh access. Something like this:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

should be foolproof for most situations.
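The two suggestions in this thread (an explicit SSH ACCEPT rule placed before the DROP policy, and an "at now + 5 minutes" safety net) combined into one script, as an added example that is not part of the list posting. It assumes sshd listens on TCP/22, that "service iptables stop" flushes the firewall as the CentOS 5 init script does, and that the at package may be missing, in which case it falls back to a backgrounded sleep. The script name safe-iptables.sh and the DRY_RUN, SSH_PORT and GRACE_MIN variables are this example's own inventions.

```shell
#!/bin/sh
# Added example, not taken from the thread: load a default-DROP INPUT policy
# on a remote CentOS box without cutting off the SSH session you work from.
# Assumptions: sshd listens on TCP/22, "service iptables stop" flushes the
# rules (CentOS 5 init script), and "at" may or may not be installed.
# With DRY_RUN=1 the commands are printed instead of applied.

SSH_PORT="${SSH_PORT:-22}"
GRACE_MIN="${GRACE_MIN:-5}"
DRY_RUN="${DRY_RUN:-0}"

# Run, or in dry-run mode print, one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule set, in an order that keeps the remote session alive: explicit
# SSH ACCEPT first, then established traffic, and only then the DROP policy.
firewall_rules() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -P INPUT DROP
}

# Check, on the printed rules, that the SSH ACCEPT really precedes the DROP
# policy. Returns 0 when the order is safe.
ssh_rule_precedes_drop() {
    rules=$( DRY_RUN=1; firewall_rules )
    ssh_line=$(printf '%s\n' "$rules" | grep -n -- "--dport $SSH_PORT -j ACCEPT" | head -n1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-P INPUT DROP" | head -n1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$drop_line" ] && [ "$ssh_line" -lt "$drop_line" ]
}

# The safety net from the thread: stop the firewall after GRACE_MIN minutes
# unless cancelled. Uses "at" when present, otherwise a backgrounded sleep,
# because the at package is not installed by default everywhere.
rollback_command() {
    if command -v at >/dev/null 2>&1; then
        echo "echo 'service iptables stop' | at now + $GRACE_MIN minutes"
    else
        echo "nohup sh -c 'sleep $((GRACE_MIN * 60)) && service iptables stop' >/dev/null 2>&1 &"
    fi
}

schedule_rollback() {
    cmd=$(rollback_command)
    if [ "$DRY_RUN" = "1" ]; then
        echo "$cmd"
    else
        eval "$cmd"
        echo "Rollback scheduled in $GRACE_MIN minutes: $cmd"
        echo "Once a fresh SSH login works, cancel it (atrm, or kill the sleep) and run: service iptables save"
    fi
}

main() {
    ssh_rule_precedes_drop || { echo "refusing to apply: SSH rule would come after DROP" >&2; exit 1; }
    schedule_rollback
    firewall_rules
}

# Only apply when invoked as: sh safe-iptables.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Preview with `DRY_RUN=1 sh safe-iptables.sh apply`, then run it for real and open a second SSH session while the first one stays connected; only when that new login succeeds cancel the pending rollback and save the rules, otherwise the at job (or the sleep) restores access within the grace period.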