iptables pre-configuration safety precautions
Making changes to your server's firewall/routing configuration can be very tricky. One simple mistake can result in your being completely locked out of your server. If the server you are working on is remotely hosted, this can cause prolonged downtime and a tech support nightmare. In short, it can be a major pain in the ass. For this reason, any time you are making changes to your server's firewall or routing config via iptables, you should first take a few minutes to implement some "disaster recovery" measures that can be triggered automatically should you accidentally lock yourself out of your server.

Whenever I'm making any major changes to my firewall, I like to implement a "disaster recovery" measure by means of a crontab entry. I do this by creating a simple crontab entry that runs every 15 minutes or so. This crontab entry runs a command which simply resets my server's iptables configuration to a completely open setting. That is, it sets my iptables configuration so that the server will accept all incoming, outgoing and forward requests. In this way, should I screw up at some point and lock myself out of my server, I will only need to wait a maximum of 10 minutes before the bad firewall rules will be dropped and I'll be able to shell into my server again.

If you are a newbie at iptables, or even a seasoned pro, this little safety measure can be a lifesaver. Everyone makes mistakes every now and then, and this measure will ensure that a mistake made in your firewall configuration doesn't turn into a nightmare! So here's how you do it....

Log into your server as the root user. First, create an iptables-restore file that, when loaded, will reset the iptables configuration to a default "accept all" state. Open it with vi:

    vi /root/iptables.open

and give it the following contents (a filter table whose three built-in chains all default to ACCEPT and which carries no rules, so loading it flushes whatever rules were in place):

    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

Now save and exit. Next, set up a crontab entry that will load the reset configuration every 15 minutes:

    crontab -e

Add this line:

    */15 * * * * /sbin/iptables-restore < /root/iptables.open

Save and exit from the crontab editor. Ok.
All done. Now let's review what this is going to do to your server... Once you enable the crontab, your server is going to reset its iptables configuration every 15 minutes. This means that every 15 minutes you will lose any previous settings and your server will be in an "accept all" state where it accepts any incoming, outgoing and forward packet requests. You certainly do not want to leave this crontab running if you are not actively working on your iptables configuration. The sole purpose of this crontab is to provide a safety net should you accidentally screw up and lock yourself out of your server while you are implementing or testing new iptables configurations. With this crontab running, should you lock yourself out you will only have to wait a maximum of 15 minutes before the iptables configuration resets and you are able to log into your server again. You should always disable this crontab entry once you are finished modifying your iptables configuration.
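The whole procedure above, wrapped into a small set of shell functions so that the safety net can be installed before a firewall session and removed afterwards without hand-editing the crontab. This is an added example, not part of the original page: the OPEN_RULES and INTERVAL variables, the "# iptables-safety-net" marker appended to the cron line (the shell that cron spawns treats it as a comment, and grep uses it to find and remove the line again) and the optional iptables-restore --test dry run are all assumptions of this example.

```shell
#!/bin/sh
# Added example: install/remove an iptables "accept all" safety-net cron entry.
# Assumed configuration knobs (not from the original page):
OPEN_RULES="${OPEN_RULES:-/root/iptables.open}"   # restore file written below
INTERVAL="${INTERVAL:-15}"                         # minutes between resets
MARKER="# iptables-safety-net"                     # tag used to find our line

# Write an iptables-restore file that flushes all filter rules and sets the
# three built-in chains to ACCEPT when loaded.
write_open_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Print the crontab line that reloads the open rule set every N minutes.
# $1 = path of the restore file, $2 = interval in minutes.
safety_net_line() {
    printf '*/%s * * * * /sbin/iptables-restore < %s %s\n' "$2" "$1" "$MARKER"
}

# Parse-only check of the restore file (assumes iptables-restore supports
# --test, which does not touch the running ruleset). Needs iptables installed.
check_open_rules() {
    iptables-restore --test < "$1"
}

# Add the safety-net line to the invoking user's crontab. Any earlier copy is
# dropped first, so running this twice leaves exactly one entry.
install_safety_net() {
    {
        crontab -l 2>/dev/null | grep -v "$MARKER" || true
        safety_net_line "$OPEN_RULES" "$INTERVAL"
    } | crontab -
}

# Remove the line again as soon as the firewall work is finished, so the
# server is not left periodically dropping to "accept all".
remove_safety_net() {
    crontab -l 2>/dev/null | grep -v "$MARKER" | crontab -
}

# Typical session as root:
#   write_open_rules "$OPEN_RULES" && check_open_rules "$OPEN_RULES"
#   install_safety_net      # before editing firewall rules
#   ... edit and test iptables rules ...
#   remove_safety_net       # once the new rules are confirmed working
```

Because cron runs the restore with the invoking user's crontab, install_safety_net must be run as root for iptables-restore to succeed; the marker makes remove_safety_net safe to run even if the crontab contains other entries.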
Site last modified: October 25, 2005 09:20:01