On Monday 24 January 2011 19:59:16 Mark Knecht wrote:
> On Mon, Jan 24, 2011 at 10:47 AM, Jarry <mr.ja...@gmail.com> wrote:
> > Hi,
> > 
> > I have to change rather complex iptables rules on server
> > and I do not want to lock me out as this server is about
> > 50 miles away. So how should I do it?
> > 
> > I can back up the old rules by running:
> > /etc/init.d/iptables save
> > and it will be saved to /var/lib/iptables/rules-save
> > (some strange format starting with number like [536:119208])
> > 
> > I prepared a script with new (modified) iptables-rules,
> > which I will run in bash. But in case I screw something,
> > how could I force netfilter to load old saved rules,
> > if I for whatever reason do not connect to server (ssh)?
> > 
> > Or can I load new iptables-rules for certain time, and
> > then force netfilter to load back the old rules again?
> > 
> > Jarry
> 
> Maybe a cron job that no matter what reloads the old rules 1 hour later?
> 
> - Mark

Another option would be to set up and run a knock daemon (net-misc/knock), if 
that's an option for you. You'd have the advantage of not being forced to wait 
for an hour (worst case). On the other hand you must make sure that none of 
the configured knocking ports are blocked in the infrastructure between you and 
the server. 

-- 
Cheers,
Manuel Klemenz

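The timed-rollback idea from the thread, as an added example that is not part of any message above: dump the live rules, start a watchdog that restores that dump after a timer, load the new ruleset, and cancel the watchdog only after a fresh SSH login proves the new rules work. It calls iptables-save and iptables-restore directly (the same pair the Gentoo init script is assumed to wrap); the function names, the variables IPT_SAVE, IPT_RESTORE, ROLLBACK_SECS and STATE_DIR, and the state file names are this example's own, not anything from net-misc/iptables or knock.

```shell
#!/bin/sh
# Added example (not from the thread): apply a new iptables ruleset with a
# timed rollback to the previous one, so a mistake that cuts off SSH undoes
# itself.  Assumes iptables-save/iptables-restore are on PATH; the command
# names, timer and state directory are variables (hypothetical names chosen
# here) so the logic can be exercised without root.
: "${IPT_SAVE:=iptables-save}"
: "${IPT_RESTORE:=iptables-restore}"
: "${ROLLBACK_SECS:=300}"
: "${STATE_DIR:=/var/lib/iptables}"

# ipt_apply_with_rollback NEWRULES
#   1. dump the live rules to $STATE_DIR/rules.before-change
#   2. start a watchdog that restores that dump after $ROLLBACK_SECS unless
#      ipt_confirm has been run; it ignores SIGHUP so that losing the SSH
#      session that started it does not kill it
#   3. load NEWRULES (iptables-restore format, i.e. iptables-save output)
ipt_apply_with_rollback() {
    newrules=$1
    backup="$STATE_DIR/rules.before-change"
    confirm="$STATE_DIR/rules.confirmed"
    rm -f "$confirm"
    "$IPT_SAVE" > "$backup" || return 1
    (
        trap '' HUP
        sleep "$ROLLBACK_SECS"
        [ -e "$confirm" ] || "$IPT_RESTORE" < "$backup"
    ) > /dev/null 2>&1 &
    echo $! > "$STATE_DIR/rollback.pid"
    "$IPT_RESTORE" < "$newrules"
}

# ipt_confirm: run from a NEW ssh session once the new rules are known to
# work; marks the change as accepted and stops the watchdog.
ipt_confirm() {
    touch "$STATE_DIR/rules.confirmed"
    pid=$(cat "$STATE_DIR/rollback.pid" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null
    rm -f "$STATE_DIR/rollback.pid"
}

# ipt_live_matches FILE: exit 0 if the live ruleset equals FILE, ignoring the
# "# Generated by ..." / "# Completed on ..." comment lines iptables-save adds.
ipt_live_matches() {
    tmp="$STATE_DIR/.live.$$"
    "$IPT_SAVE" | grep -v '^#' > "$tmp"
    if grep -v '^#' "$1" | cmp -s - "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}
```

Usage on the real box: `. ./ipt-rollback.sh; ipt_apply_with_rollback /root/new-rules`, then open a second SSH session and run `ipt_confirm`; if the second login never succeeds, the watchdog restores the old rules after ROLLBACK_SECS. Two caveats a practitioner would check first: the new ruleset must itself contain the rule that admits your own SSH connection (a rollback timer does not fix a ruleset that is wrong every time), and `at` or cron, as Mark suggested, is the safer scheduler if the host might reboot before the timer fires, since a background shell process does not survive a reboot.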