bash
gremlintv2, 2018-10-09 16:39:59

What should be done when a mistake is made in iptables?

Everyone sooner or later runs into the human factor (in other words, "when the hands grow from the wrong place").
If a mistake is made in a config, it can easily be fixed by correcting the config again. But in the case of iptables it is not so simple, because when applying the config you can easily lose access (an elementary mistake in the interface name or the server IP, etc., etc.), and the connection with the server is lost. The logic is this: a bash script with iptables rules is launched;
1) immediately after startup the previous config is backed up:
iptables-save > iptables-rules-old
2) the new chain of rules is applied and a trigger is run;
3) the trigger is checked.
So far I see the following trigger options:

a)
create a file and,
if it is not deleted within 1 minute:
iptables-restore < iptables-rules-old
if it is deleted:
iptables-save > iptables-rules-old
b)
check whether there is a connection to the server on the SSH port (but this is not reliable)
c)
leave your favorite loophole on the SSH port through an additional script and delete it after 5 minutes.
What other options are there?

1 answer(s)
Karpion, 2018-10-15
@gremlintv2

Let's say we have a known-good working_config and an experimental_config of uncertain workability. Then we do something like this:
( sleep 5m ; iptables-restore < working_config ) &   # in asynchronous mode (via the ampersand) start a resident program (a shell fork) that sleeps for 5 minutes and then applies the working config
iptables-restore < experimental_config
You have five minutes to test.
But you need to make sure that when the terminal drops, the resident process does not die from SIGHUP. So you would need to use the nohup program.
Read the docs on ipfw; this topic is covered there. Actually, I built my answer on what I remembered from there.
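A script in the spirit of this answer's fork-and-sleep approach, combined with the confirm-file trigger from option a) in the question (an added example, not code from either poster; IPT_SAVE/IPT_RESTORE, WORK_DIR, TIMEOUT_SEC and the flag-file names are assumptions):

```bash
#!/usr/bin/env bash
# Dead-man timer for an iptables rollout: snapshot the live rules, arm a detached
# rollback timer, load the new rules, and keep them only if the operator confirms.
# Added example; WORK_DIR, TIMEOUT_SEC and the flag-file names are assumptions.
# IPT_SAVE / IPT_RESTORE can be pointed at wrappers for a dry run without root.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
WORK_DIR="${WORK_DIR:-/var/tmp/ipt-safe}"
TIMEOUT_SEC="${TIMEOUT_SEC:-300}"

# Step 1: snapshot the rules that are loaded right now (the known-good state).
backup_rules() {
    mkdir -p "$WORK_DIR" && "$IPT_SAVE" > "$WORK_DIR/rules.old"
}

# Timer body: sleep, then either promote the new rules or roll back.
watchdog() {
    sleep "$TIMEOUT_SEC"
    if [ -e "$WORK_DIR/confirmed" ]; then
        "$IPT_SAVE" > "$WORK_DIR/rules.old"      # new rules become the baseline
    else
        "$IPT_RESTORE" < "$WORK_DIR/rules.old"   # nobody confirmed: assume lockout
        touch "$WORK_DIR/rolled_back"
    fi
}

# Step 2: arm the timer *before* loading the experimental rules.
# 'trap "" HUP' makes the background subshell (and the sleep it spawns) ignore
# SIGHUP, which is what nohup does, so the timer survives the SSH session dying.
apply_with_rollback() {
    local new_rules="$1"
    backup_rules || return 1
    rm -f "$WORK_DIR/confirmed" "$WORK_DIR/rolled_back"
    ( trap '' HUP; watchdog ) </dev/null >/dev/null 2>&1 &
    "$IPT_RESTORE" < "$new_rules"
}

# Step 3: run this from a *fresh* SSH session to prove you can still log in.
confirm_rules() { touch "$WORK_DIR/confirmed"; }

# Report what happened: pending until the timer fires, then confirmed/rolled_back.
rollout_status() {
    if [ -e "$WORK_DIR/rolled_back" ]; then echo rolled_back
    elif [ -e "$WORK_DIR/confirmed" ]; then echo confirmed
    else echo pending; fi
}
```

If you run it on a real host, call `apply_with_rollback new.rules` from one session and `confirm_rules` from a second one; the timer takes the same action whether or not the first session is still alive.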
