Temporary iptables changes

I have a remote system that I SSH. Since I am planning to make this system more publicly accessible, I want to improve my iptables rules over the current policy of accepting anything.

I have added a "iptables -A INPUT -p tcp --dport 22 -j ACCEPT" rule, however I don't really want to change the default rule in a manner that I may lock myself out of the system (and one which would cost me a day and a train fare to resolve right now).

Is there some way I can make changes to iptables (like changing the default rule to DROP) with say a 5 minute timeout, so if I do get a change wrong and lock everyone out, I can just wait a while and try again?

3

4 Answers

Most linux distributions come with the iptables-apply script either already installed or available through the package manager. It will allow you to apply a new set of iptables rules, and rollback automatically if you do not confirm that they work within a certain time.

1

You should have, among other iptables rules, one that states:

 sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

If you don't, you can set it up as follows:

 sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

or, if this does not work,

 sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This way, the session from which you are modifying the iptables will certainly not be affected.

Now you can start modifying iptables as you like and, when you wish to try a new rule, just start from your client pc a distinct ssh session. The ESTABLISHED,RELATED rule does not apply to this new session, so you can see live whether your new sets of rules has cut you off, without any risk.

1

If you use ipset it can all be automated

 ipset create test hash:ip timeout 300 iptables -A INPUT -p tcp -m tcp -m multiport -m state --state NEW -j SET --add-set test src ! --dports 25,80,993,5900 iptables -A input_ext -m set -j DROP --match-set test src

Change the ports option to whatever you want.

Need to save the list between reboots?

 ipset save >backup.txt

Need tor restore?

 ipset restore <backup.txt

Do you want packet bytes counters?

add the keyword counters to the end of the ipset create statement.

Just instal fail2ban and enable ssh and ssd-dos . You can set banned time easily. The other way, install other remote access e.g. Webmin, and run it on non standard port.

add these lines into filter sshd.conf and add these lines at the end of failregex section

vi /etc/fail2ban/filter.d/sshd.conf

.... ^%(__prefix_line)sConnection closed by [preauth]$ ^%(__prefix_line)sReceived disconnect from : 11: (Bye Bye)? [preauth]$ ^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$ ^%(__prefix_line)s(?:error: )?Received disconnect from : 3: .*: Auth fail(?: [preauth])?$

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like