Using at to safely try out iptables configuration changes
Making changes to iptables rules can be dangerous. If you make a mistake you could lock yourself out of your machine. A nice safety valve can be to use the at command-line tool to save your hide in the event of a mistake.
The basic idea is to do the following:
- Use at to schedule a reboot for a few minutes into the future
- Manipulate the firewall
- If everything works, cancel the reboot; otherwise, wait for the reboot to take place and reset the firewall to its former state
For this to work you need to make sure your firewall rules don’t get automatically saved to disk on shutdown; in other words, your /etc/sysconfig/iptables-config should include something like:
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
Demo
Here’s a demo of the concepts introduced above. Instead of rebooting we’re just going to schedule ls to run.
Find out what the local time on the server is:
# date
Tue Apr 28 14:08:58 EDT 2009
Check what’s in the at queue:
# atq
Nothing was in the queue, so schedule a job:
# at 14:10
at> ls
at> <EOT>
job 47 at 2009-04-28 14:10
To escape the at "shell" use Control-D.
Now check the queue again; the job should be there:
# atq
47 2009-04-28 14:10 a root
Do something else (like configuring your firewall) and cancel the job:
# atrm 47
Confirm that the queue is empty:
# atq
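Putting the steps together in a script is mostly a matter of capturing the job number that at prints (the "job 47 at ..." line from the demo) so it can be handed to atrm later. The following wrapper is an added example, not part of the original page: it saves the current rules with iptables-save, queues a fallback job that restores that backup and reboots (restoring before the reboot is an extra belt-and-braces step beyond the page's own procedure), then cancels the job once you confirm you are still connected. The script name safe-iptables.sh, the DELAY_MIN and BACKUP variables, and the assumption that at reports the queued job on stderr as "job N at <date>" are all this example's own.

```shell
#!/bin/sh
# safe-iptables.sh (added example, not from the original page).
# Schedule a fallback reboot with at, change the firewall, and cancel the
# reboot only after connectivity has been confirmed.
# Assumptions: iptables-save/iptables-restore and at/atrm are installed, and
# at prints "job N at <date>" (on stderr) when a job is queued.

DELAY_MIN="${DELAY_MIN:-5}"                 # minutes until the fallback fires
BACKUP="${BACKUP:-/root/iptables.before}"   # where the pre-change rules go

# Pull the numeric job id out of at's "job 47 at 2009-04-28 14:10" message.
# Prints nothing if the text does not contain such a line.
at_job_id() {
    printf '%s\n' "$1" | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# The command the fallback job runs if it is never cancelled: put the saved
# rules back, then reboot so the box comes up with its old firewall.
fallback_command() {
    printf 'iptables-restore < %s; /sbin/shutdown -r now\n' "$1"
}

# Queue the fallback and print its job id so the caller can atrm it later.
schedule_fallback() {
    out=$(fallback_command "$BACKUP" | at "now + $DELAY_MIN minutes" 2>&1) || return 1
    job=$(at_job_id "$out")
    [ -n "$job" ] || return 1
    printf '%s\n' "$job"
}

main() {
    iptables-save > "$BACKUP" || { echo "could not save current rules" >&2; exit 1; }
    job=$(schedule_fallback) || { echo "could not queue fallback job" >&2; exit 1; }
    echo "fallback job $job queued: reboot in $DELAY_MIN minutes unless cancelled"

    # Apply your firewall changes here, e.g.:
    #   iptables-restore < /root/iptables.new

    printf 'Still connected? Press Enter within %s minutes to keep the new rules: ' "$DELAY_MIN"
    if read -r _; then
        atrm "$job" && echo "fallback job $job cancelled; new rules kept"
    fi
}

# Run the interactive flow only when executed under the script's own name,
# so the functions can also be sourced or tested without side effects.
case "${0##*/}" in
    safe-iptables.sh) main "$@" ;;
esac
```

If the session drops before Enter is pressed, nothing cancels the job, so the saved rules are restored and the machine reboots on its own; after it comes back you can check atq to confirm the queue is empty before trying again.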