On Mon, Jan 24, 2011 at 11:06 AM, kashani <kashani-l...@badapple.net> wrote:
> On 1/24/2011 10:59 AM, Mark Knecht wrote:
>>
>> On Mon, Jan 24, 2011 at 10:47 AM, Jarry<mr.ja...@gmail.com>  wrote:
>>>
>>> Hi,
>>>
>>> I have to change rather complex iptables rules on server
>>> and I do not want to lock me out as this server is about
>>> 50 miles away. So how should I do it?
>>>
>>> I can back up the old rules by running:
>>> /etc/init.d/iptables save
>>> and it will be saved to /var/lib/iptables/rules-save
>>> (some strange format starting with number like [536:119208])
>>>
>>> I prepared a script with new (modified) iptables-rules,
>>> which I will run in bash. But in case I screw something,
>>> how could I force netfilter to load old saved rules,
>>> if I for whatever reason do not connect to server (ssh)?
>>>
>>> Or can I load new iptables-rules for certain time, and
>>> then force netfilter to load back the old rules again?
>>>
>>> Jarry
>>>
>>
>> Maybe a cron job that no matter what reloads the old rules 1 hour later?
>>
>> - Mark
>>
>
> Yep, that's the way I do it. I'd test that the cron works correctly
> beforehand. Nothing worse than locking yourself out *and* realizing your
> cron has a path issue.
>
> kashani

Maybe first add a rule that won't lock yourself out. Install the new
file, make sure the rule is there, then wait an hour. Make sure the
rule is gone. Make sure the cron logs show the work was done. Go
through a couple of reboots and make sure the old rules (or new rules)
come up.

Once all that works going to the new, scary file should be less scary.

- Mark
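Putting the thread's advice together as a script (an added example, not code from anyone in this thread and not Gentoo's /etc/init.d/iptables): it refuses a rules file that lacks the SSH ACCEPT rule Mark mentions, saves the running rules with iptables-save -c, writes a one-shot /etc/cron.d entry using absolute paths that reverts to them after an hour, and only then runs iptables-restore. The file names, the cron.d location, port 22 and the 60-minute window are my assumptions; the iptables calls need root and "date -d" is GNU date.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script and not Gentoo's
# /etc/init.d/iptables: load a new rule set with a cron-driven rollback to the
# previous rules.  Every path and the 60-minute window below are assumptions;
# adjust them.  The iptables calls need root, and "date -d" is GNU date.

BACKUP=${BACKUP:-/var/lib/iptables/rules-save.pre-change}   # assumed path
NEWRULES=${NEWRULES:-/root/new-rules.v4}                    # assumed path
CRONFILE=${CRONFILE:-/etc/cron.d/iptables-rollback}         # assumed (Vixie/cronie)
ROLLBACK_MIN=${ROLLBACK_MIN:-60}
SSH_PORT=${SSH_PORT:-22}

# iptables-save -c puts counters in front of each rule, e.g.
# "[536:119208] -A INPUT ..." (packets:bytes).  iptables-restore accepts that
# form as is; strip it when you want to diff two saves without the noise.
strip_counters() {
    sed 's/^\[[0-9]*:[0-9]*\] //' "$1"
}

# Cheap structural check before handing a file to iptables-restore: it must
# open at least one table ("*filter" etc.) and every table must end in COMMIT.
rules_file_is_valid() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# The rule that keeps you in: an ACCEPT for tcp/$2 on INPUT must be present in
# the new file in iptables-save form (-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT).
has_ssh_accept_rule() {
    grep -Eq -- "-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT" "$1"
}

apply_with_rollback() {
    rules_file_is_valid "$NEWRULES" || {
        echo "refusing: $NEWRULES is not a complete iptables-save file" >&2; return 1; }
    has_ssh_accept_rule "$NEWRULES" "$SSH_PORT" || {
        echo "refusing: $NEWRULES has no INPUT ACCEPT for tcp/$SSH_PORT" >&2; return 1; }

    /sbin/iptables-save -c > "$BACKUP" || return 1

    # Schedule the rollback BEFORE touching the live rules.  Absolute paths
    # only: cron's PATH is not your shell's PATH (the "path issue" above).
    when=$(date -d "+$ROLLBACK_MIN minutes" '+%M %H %d %m')
    printf '%s * root /sbin/iptables-restore -c < %s && rm -f %s\n' \
        "$when" "$BACKUP" "$CRONFILE" > "$CRONFILE" || return 1

    # iptables-restore is all-or-nothing per table, so a failed load leaves the
    # old rules in place; reload the backup anyway, drop the cron job and stop.
    if ! /sbin/iptables-restore -c < "$NEWRULES"; then
        echo "restore failed, reloading $BACKUP" >&2
        /sbin/iptables-restore -c < "$BACKUP"
        rm -f "$CRONFILE"
        return 1
    fi
    echo "new rules live; cron reverts to $BACKUP at '$when' unless you run: $0 commit"
}

# Once you have logged back in over the new rules: cancel the rollback and make
# the new set the one /etc/init.d/iptables loads at boot (rules-save).
commit_rules() {
    rm -f "$CRONFILE"
    /etc/init.d/iptables save
}

case "${1:-}" in
    apply)  apply_with_rollback ;;
    commit) commit_rules ;;
    "")     ;;                       # no argument: only define the functions
    *)      echo "usage: $0 apply|commit" >&2; exit 2 ;;
esac
```

Usage: run it with "apply", open a fresh ssh session to confirm you still get in, then run it with "commit". Until commit, /var/lib/iptables/rules-save is untouched, so a reboot inside the window also brings the old rules back, which covers Mark's reboot check. Test the cron half first with a harmless rules file, as kashani says, and check the cron log for the restore line before trusting it with the real change.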
