iptables -f locks me out

 
 
Eric Gibson
      10-18-2003, 07:10 PM
Hey,

Is there any way around this? It never used to happen with ipchains... Whenever I
run iptables -F, when I stop my shorewall script (or if there is an error in the
config file and it stops itself), it completely locks me out of remote access and I
have to call up my admin and have him drive 15 miles to the site and reboot the
machine.

It's really annoying.

Eric


Michael C.
      10-18-2003, 10:15 PM
On Sat, 18 Oct 2003 15:10:21 -0400,
Eric Gibson <(E-Mail Removed)> wrote:
>
> Is there anyway around this? It never used to happen with
> ipchains... Whenever I run iptables -F, when I stop my shorewall
> script (or if there is an error in the config file, and it stops
> itself.) it completely locks me out of remote access and I have
> to call up my admin and have him drive 15 miles to the site and
> reboot the machine.


You pay an admin to reboot the machine? I thought the object was to
avoid needing to reboot. The admin is the one who should be playing
with the firewall anyway.

Well, I don't know firewalls that well, but at a guess, default rules
deny outside requests, so when you flush you aren't allowed in.

Either remove the rules manually and leave the ones you need, or write
a script (to be run with nohup) that flushes the rules and adds the ones
required for you to connect (remember it needs to be on your server).

I don't know if you can modify the default rules to include what you
need to connect. You could probably change the default to accept all
connections, but then you'd need to completely rewrite your rules,
probably not recommended.

Or you could simply reboot the machine to flush the rules (yes, it's
lame, but it would work).

Michael C.
--
(E-Mail Removed) http://mcsuper5.freeshell.org/
Registered Linux User #303915 http://counter.li.org/


Lynn
      10-18-2003, 10:35 PM
Eric Gibson's <Gcgkb.7670$(E-Mail Removed)> on Saturday 18
October 2003 12:10 pm in %group contained all or some of:

> Hey,
>
> Is there anyway around this? It never used to happen with ipchains...
> Whenever I
> run iptables -F, when I stop my shorewall script (or if there is an error
> in the config file, and it stops itself.) it completely locks me out of
> remote access and I have to call up my admin and have him drive 15 miles
> to the site and reboot the machine.
>
> It's really annoying.
>
> Eric


If you were really altering the iptables rules, rebooting still would not
allow you access because the firewall would come back up in the
reconfigured state.

I had not heard the word "shorewall" before. A quick Google and scan of the
FAQ and this is what I found. Without reading it further I can only guess
that you might investigate the /etc/shorewall/routestopped properties.

From the Shorewall FAQ ( http://www.shorewall.net/FAQ.htm#faq7 ):
7. When I stop Shorewall using 'shorewall stop', I can't connect to
anything. Why doesn't that command work?

The 'stop' command is intended to place your firewall into a safe state
whereby only those hosts listed in '/etc/shorewall/routestopped' are
activated. If you want to totally open up your firewall, you must use the
'shorewall clear' command.

Jem Berkes
      10-18-2003, 11:04 PM
> Is there anyway around this? It never used to happen with
> ipchains... Whenever I
> run iptables -F, when I stop my shorewall script (or if there is an
> error in the config file, and it stops itself.) it completely locks me
> out of remote access and I have to call up my admin and have him drive
> 15 miles to the site and reboot the machine.


For remote servers I look after, the solution I've used is a cron script
that will re-enable a "known good" firewall after an interval.

So if I log in remotely and screw up the firewall, everything is reset
after a period. When I'm satisfied with the new changes, I update the
master script and the changes become the new known good default.

--
Jem Berkes
http://www.sysdesign.ca/
Raqueeb Hassan
      10-19-2003, 07:45 PM
You can use some of the really good scripts here:
http://www.linuxguruz.com/iptables/

Raqueeb Hassan
Bunia, DRC
Some Hoser
      10-21-2003, 07:30 AM
On Sat, 18 Oct 2003 15:10:21 -0400, "Eric Gibson"
<(E-Mail Removed)> wrote:
> Is there anyway around this? It never used to happen with ipchains... Whenever I
> run iptables -F, when I stop my shorewall script (or if there is an error in the
> config file, and it stops itself.) it completely locks me out of remote access and I
> have to call up my admin and have him drive 15 miles to the site and reboot the
> machine.


Quick guess off the top of my head: you've got your default policy on
the INPUT and/or OUTPUT chain set to 'DROP'. You have then defined rules
to allow only certain input, perhaps only on certain ports. Don't
worry, this is a good thing! However, as soon as you do an 'iptables
-F', you flush all of your rules and everything goes back to your
default policy, i.e. to drop all packets coming in and/or out.

The solution would be to change your default policy BEFORE you flush
your tables, i.e.:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

The suggestion that another poster made to add a cron script to
automatically reset your scripts to a known-good state is a very good
idea as well.

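As an added example (not code from anyone in this thread), a POSIX shell script that combines the two suggestions above: it opens the default policies before flushing, and it keeps a known-good rule set that a cron entry reloads on a schedule. The script name firewall-safe.sh, the rule file path, and the IPTABLES/IPTABLES_SAVE/IPTABLES_RESTORE variables are assumptions made for this example.

```shell
#!/bin/sh
# Safe-reset helper for a remotely administered iptables host (assumed
# script name: firewall-safe.sh). Command names and the rule file path are
# variables so a dry run can point them at stubs.
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
KNOWN_GOOD="${KNOWN_GOOD:-/etc/iptables/known-good.rules}"   # assumed path

# Open the default policies BEFORE flushing: with a DROP policy and no
# rules left, the remote SSH session dies the moment -F runs.
safe_flush() {
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
    "$IPTABLES" -F && "$IPTABLES" -X
}

# Snapshot the currently loaded rules (policies included) as the new
# known-good set, written atomically so a half-written file is never used.
commit_known_good() {
    "$IPTABLES_SAVE" > "$KNOWN_GOOD.tmp" && mv "$KNOWN_GOOD.tmp" "$KNOWN_GOOD"
}

# Reload the known-good set; iptables-restore replaces the whole table in
# one step, so the default policies come back with it. Refuses to run on
# a missing or empty file rather than flushing into a DROP policy.
restore_known_good() {
    if [ ! -s "$KNOWN_GOOD" ]; then
        echo "no known-good rule set at $KNOWN_GOOD" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" < "$KNOWN_GOOD"
}

# Safety net: a cron entry such as the (assumed) line below reloads the
# known-good set every ten minutes, so a bad edit undoes itself; once a
# change is tested, run "firewall-safe.sh commit" to make it the default.
#   */10 * * * * root /usr/local/sbin/firewall-safe.sh restore
case "${1:-}" in
    flush)   safe_flush ;;
    commit)  commit_known_good ;;
    restore) restore_known_good ;;
esac
```

Run "firewall-safe.sh flush" in place of a bare iptables -F, and "firewall-safe.sh commit" once a new rule set has proven itself from a second session.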