iptablesrocks.org - an iptables guide & tutorial
The iptablesrocks.org iptables firewall setup guide

Deploying a Safety Net:

This next step is of critical importance. Whenever you start toying around with the firewall settings of any server, you will want to deploy a means for you to regain access to the server should you accidentally lock yourself out. This may sound silly at first, but it can be very easy to lock yourself out of your server when making firewall adjustments, no matter how skilled you are. It only takes a tiny syntax error or a missed flag somewhere in the firewall script to lock your server down to a point where you cannot access it. While locking yourself out of a server that you have physical access to is not that big of a deal, it can be a nightmare if you lock yourself out of a server that you don't have physical access to. This is certainly the case if your server is being hosted somewhere. If you don't believe me, try skipping this step and you may end up learning your lesson the hard way.

Fortunately, safeguarding against an accidental server lock down is not difficult. The procedure only takes a couple of minutes and can be a lifesaver. So here's how you do it:

Our safety net is simply going to be a firewall reset script that runs from our server's crontab. We will set the script to run at regular intervals. In this way, should you lock yourself out of your server, all you'll have to do is sit back and wait for the script to execute and for the firewall to reset.

So let's create the reset script...

vi /root/firewall_reset

# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

Save and exit the file. The numbers in brackets after each chain policy are packet and byte counters as printed by iptables-save; iptables-restore ignores them unless it is run with --counters, so [0:0] would work just as well. Since root's cron will feed this file straight into iptables-restore, make sure it is owned by root and not writable by anyone else.

Now let's test the reset script. The following command uses the "iptables-restore" tool, which reads a ruleset in iptables-save format and loads it directly into the kernel. Each table named in the file (filter, mangle and nat above) is flushed and replaced with what the file contains, so importing the above configuration will completely reset your firewall and put your server in a totally "open" state where all packets are allowed to freely move in and out of your server. If you've locked yourself out of your server, this will drop any mistakes and let you back in.

iptables-restore < /root/firewall_reset

If you don't get an error, the script worked. The last thing you will want to do is to actually look at the iptables status just to make sure that your server is completely open as it should be. The following command will display your current iptables status (note that it shows only the filter table; pass -t nat or -t mangle to inspect the others, and add -n if you want to skip the reverse DNS lookups that can make the listing slow):

iptables -L

An open firewall should look similar to this:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


As you can see, the INPUT, OUTPUT and FORWARD chains of your firewall are now set to a default "ACCEPT" state. This means that your server will accept any packets, be they OUTBOUND, INBOUND or FORWARDED. In other words, you have no firewall at this point. So now that we know the script works, let's put it into root's crontab. We'll create a crontab entry that resets the firewall every 15 minutes.

crontab -e

0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

Now save and exit out of the crontab editor.

That's it. Until the crontab is disabled, your server's iptables ruleset will reset every 15 minutes. This means that if you lock yourself out later on in this setup guide, you'll only have to wait a maximum of 15 minutes before the firewall resets and the erroneous rules are dropped.

Note: Obviously, once you finally get your firewall safely configured you will want to disable this crontab entry. ;) Keep in mind that until you do, the entry also wipes any rules you have loaded correctly and leaves the server unfiltered every 15 minutes, so do the configuration work in one sitting, test each change before the next reset fires, and remove the entry as soon as the ruleset is verified.
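The check above (iptables -L) only covers the filter table, while the reset file touches filter, mangle and nat. The following script is an added example written for this page, not code from iptablesrocks.org: reset_ruleset prints the same "open everything" ruleset as the guide's /root/firewall_reset (with zeroed counters), and firewall_is_open takes a complete iptables-save dump and confirms that every built-in chain policy is ACCEPT and no rule is left in any table. The two sample dumps embedded in it are constructed for the demonstration; on a real host you would run it as root with --live to check the actual ruleset.

```shell
#!/bin/sh
# Added example for the iptablesrocks.org safety-net step (not the site's own code).
#   reset_ruleset     prints the open-everything ruleset in iptables-save format
#   firewall_is_open  checks an iptables-save dump of ALL tables for the open state
# The OPEN_DUMP / LOCKED_DUMP samples below are constructed, not real captures.

reset_ruleset() {
    cat <<'EOF'
# Iptables firewall reset script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# firewall_is_open DUMP
# Returns 0 when DUMP describes a fully open firewall, 1 otherwise; the
# offending lines (non-ACCEPT policies, leftover rules) are printed to stderr.
firewall_is_open() {
    _bad=$(printf '%s\n' "$1" | awk '
        # ":CHAIN POLICY [pkts:bytes]"; user-defined chains carry "-" as policy
        /^:/ && $2 != "ACCEPT" && $2 != "-" { print "policy not ACCEPT: " $0 }
        # any -A line means the table was not flushed
        /^-A / { print "leftover rule: " $0 }
    ')
    if [ -n "$_bad" ]; then
        printf '%s\n' "$_bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample 1: what iptables-save prints right after the reset file is restored.
OPEN_DUMP='*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:720]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample 2: a classic lock-out, DROP policy with ssh allowed on the
# wrong port, plus a stale nat rule that "iptables -L" alone would never show.
LOCKED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT'

if firewall_is_open "$OPEN_DUMP" 2>/dev/null; then echo "sample 1: open"; else echo "sample 1: NOT open"; fi
if firewall_is_open "$LOCKED_DUMP"; then echo "sample 2: open"; else echo "sample 2: NOT open"; fi

# Live check on a real host (needs root): sh check_open.sh --live
if [ "${1:-}" = "--live" ] && command -v iptables-save >/dev/null 2>&1; then
    if firewall_is_open "$(iptables-save)"; then echo "live: open"; else echo "live: NOT open"; fi
fi
```

reset_ruleset > /root/firewall_reset writes the same file the guide has you type by hand; running the script with --live after iptables-restore gives a yes/no answer across all tables instead of eyeballing iptables -L. Sample 2 is the case to remember: the filter table shows an ssh rule, but the real reason the box is unreachable is the nat redirect, which only a full dump reveals.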

So now let's get down to business and deploy the firewall script!

Proceed to the next step

Site last modified: October 25, 2005 09:20:01
The Rocks Project