I have a remote system that I SSH. Since I am planning to make this system more publicly accessible, I want to improve my iptables rules over the current policy of accepting anything.
I have added a "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" rule, however I don't really want to change the default rule in a manner that I may lock myself out of the system (and one which would cost me a day and a train fare to resolve right now).
Is there some way I can make changes to iptables (like changing the default rule to DROP) with say a 5 minute timeout, so if I do get a change wrong and lock everyone out, I can just wait a while and try again?
34 Answers
Most linux distributions come with the iptables-apply script either already installed or available through the package manager. It will allow you to apply a new set of iptables rules, and rollback automatically if you do not confirm that they work within a certain time.
1You should have, among other iptables rules, one that states:
sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHEDIf you don't, you can set it up as follows:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPTor, if this does not work,
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPTThis way, the session from which you are modifying the iptables will certainly not be affected.
Now you can start modifying iptables as you like and, when you wish to try a new rule, just start from your client pc a distinct ssh session. The ESTABLISHED,RELATED rule does not apply to this new session, so you can see live whether your new sets of rules has cut you off, without any risk.
1If you use ipset it can all be automated
ipset create test hash:ip timeout 300 iptables -A INPUT -p tcp -m tcp -m multiport -m state --state NEW -j SET --add-set test src ! --dports 25,80,993,5900 iptables -A input_ext -m set -j DROP --match-set test srcChange the ports option to whatever you want.
Need to save the list between reboots?
ipset save >backup.txtNeed tor restore?
ipset restore <backup.txtDo you want packet bytes counters?
add the keyword counters to the end of the ipset create statement.
Just instal fail2ban and enable ssh and ssd-dos . You can set banned time easily. The other way, install other remote access e.g. Webmin, and run it on non standard port.
add these lines into filter sshd.conf and add these lines at the end of failregex section
vi /etc/fail2ban/filter.d/sshd.conf
.... ^%(__prefix_line)sConnection closed by [preauth]$ ^%(__prefix_line)sReceived disconnect from : 11: (Bye Bye)? [preauth]$ ^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$ ^%(__prefix_line)s(?:error: )?Received disconnect from : 3: .*: Auth fail(?: [preauth])?$