
How To Reset Linux Firewall Automatically While Testing Configuration With Remote Server Over SSH Session

September 8, 2019

I would like to tell my Linux iptables firewall to flush out the current configuration every 5 minutes. This will help when I'm testing new rules and configuration options. Sometimes I find myself locked out of my own remote server. How do I reset the Linux firewall automatically without issuing a hard reboot?

You can easily flush out the current configuration using the iptables command and a small shell script. There is no built-in option for this kind of setting, so you need to write the script yourself and call it from a crontab file.

Create a firewall reset shell script

Create a /root/reset.fw script:

#!/bin/bash
# reset.fw - Reset firewall
# set x to 0 - No reset
# set x to 1 - Reset firewall
# ---------------------------------------------------------------------------
# Added support for IPV6 Firewall
# ---------------------------------------------------------------------------
# Written by SXI ADMIN <[email protected]>
# ---------------------------------------------------------------------------
# You can copy / paste / redistribute this script under GPL version 2.0 or above
# ===========================================================================
x=1

# set to true if it is CentOS / RHEL / Fedora box
RHEL=false

# set true if it is CentOS/RHEL v7.x or above
RHEL7=false

### no need to edit below ###
IPT=/sbin/iptables
IPT6=/sbin/ip6tables

if [ "$x" = "1" ]; then
    if [ "$RHEL" = "true" ]; then
        # reset firewall using the Red Hat service scripts
        if [ "$RHEL7" = "true" ]; then
            systemctl stop iptables
            systemctl stop ip6tables
        else  ## old rhel <= v6.x ##
            /etc/init.d/iptables stop
            /etc/init.d/ip6tables stop
        fi
    else
        # for all other Linux distros use the following rules to reset the firewall
        ### reset ipv4 iptables: flush rules, delete user chains, zero counters ###
        $IPT -F
        $IPT -X
        $IPT -Z
        for table in $(</proc/net/ip_tables_names)
        do
            $IPT -t "$table" -F
            $IPT -t "$table" -X
            $IPT -t "$table" -Z
        done
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        $IPT -P FORWARD ACCEPT
        ### reset ipv6 iptables ###
        $IPT6 -F
        $IPT6 -X
        $IPT6 -Z
        for table in $(</proc/net/ip6_tables_names)
        do
            $IPT6 -t "$table" -F
            $IPT6 -t "$table" -X
            $IPT6 -t "$table" -Z
        done
        $IPT6 -P INPUT ACCEPT
        $IPT6 -P OUTPUT ACCEPT
        $IPT6 -P FORWARD ACCEPT
    fi
else
    :   # x=0: nothing to do
fi


Set permissions:
# chmod +x /root/reset.fw
Create a cron job to reset the current configuration every 5 minutes. Edit root's crontab:
# crontab -e
Append the following line (a user crontab has no user field):
*/5 * * * * /root/reset.fw >/dev/null 2>&1
OR edit the system crontab, whose entries carry an extra user field:
# vi /etc/crontab
Append the following line:
*/5 * * * * root /root/reset.fw >/dev/null 2>&1
Please remember to set x to 0 once a working configuration has been created for your Linux system; until then the cron job keeps wiping whatever rules you load.

Dealing with command line rules

Run the command inside a screen-based session:
Your-iptable-rule-here && sleep 120 && /root/reset.fw
This loads the firewall rule, sleeps for 120 seconds, and then disables/resets the firewall using the /root/reset.fw script. If the rule locks you out, the reset still runs after two minutes and you can log back in.
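A safer version of that one-liner, added here as an example and not part of the original article: it snapshots the working rules with iptables-save, loads a candidate ruleset with iptables-restore, and puts the snapshot back unless you type yes within the timeout, so a bad rule is undone without dropping to ACCEPT-all. The script name fw-try.sh, the /root/iptables.rollback path and the 120-second default are assumptions.

```shell
#!/bin/bash
# fw-try.sh: load a candidate ruleset, then roll back to the previous one unless
# the admin confirms from a still-working SSH session within $TIMEOUT seconds.
# Added example (not the article's reset.fw); same idea as the "rule && sleep 120
# && /root/reset.fw" one-liner, but restores the snapshot with iptables-restore
# instead of flushing to ACCEPT-all. Assumes iptables-save/iptables-restore.
set -u
IPT_SAVE="${IPT_SAVE:-/sbin/iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-/sbin/iptables-restore}"
TIMEOUT="${TIMEOUT:-120}"
BACKUP="${BACKUP:-/root/iptables.rollback}"

# Snapshot the rules that are known to work before touching anything.
snapshot_rules() { "$IPT_SAVE" > "$BACKUP"; }

# Load a candidate ruleset (iptables-save format) in one commit.
apply_rules() { "$IPT_RESTORE" < "$1"; }

# Put the snapshot back; used on timeout, on error and when the session dies.
rollback_rules() { "$IPT_RESTORE" < "$BACKUP"; }

# Wait up to $TIMEOUT seconds for the word "yes" on stdin; 1 on timeout or EOF.
wait_for_confirmation() {
    local answer=""
    read -r -t "$TIMEOUT" -p "Still connected? Type yes to keep the rules: " answer || return 1
    [ "$answer" = "yes" ]
}

# Returns 0 when the candidate was kept, 1 when it was rolled back.
try_rules() {
    snapshot_rules || return 1
    # A lost SSH session sends SIGHUP; roll back instead of leaving test rules live.
    trap 'rollback_rules; exit 1' HUP INT TERM
    if apply_rules "$1" && wait_for_confirmation; then
        trap - HUP INT TERM
        echo "candidate rules kept"
        return 0
    fi
    trap - HUP INT TERM
    rollback_rules
    echo "no confirmation: previous rules restored"
    return 1
}

case "${1:-}" in
    apply) try_rules "${2:-}" ;;
    *) echo "usage: $0 apply /path/to/candidate.rules" ;;
esac
```

Run it as root with `./fw-try.sh apply new.rules`; with the timeout left at 120 seconds you get the same two-minute window as the one-liner, but the rollback target is the last known-good ruleset rather than an open firewall.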

A note about security

Also, rather than leaving your server wide open after every reset, it is better to have the script restore a known good version of the tables, or one locked down to nothing but ssh:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT


For example, one can update the above script as follows (the commented lines lock IPv4 down to ssh only; IPv6 is still reset to ACCEPT):

...
    else
        # for all other Linux distros use the following rules to reset the firewall
        ### reset ipv4 iptables ###
        $IPT -F
        $IPT -X
        $IPT -Z
        for table in $(</proc/net/ip_tables_names)
        do
            $IPT -t "$table" -F
            $IPT -t "$table" -X
            $IPT -t "$table" -Z
        done
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        $IPT -P FORWARD ACCEPT
        ## Uncomment to drop everything but only allow ssh over ipv4 ##
        #$IPT -P INPUT DROP
        #$IPT -P OUTPUT DROP
        #$IPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
        #$IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
        ### reset ipv6 iptables ###
        $IPT6 -F
        $IPT6 -X
        $IPT6 -Z
        for table in $(</proc/net/ip6_tables_names)
        do
            $IPT6 -t "$table" -F
            $IPT6 -t "$table" -X
            $IPT6 -t "$table" -Z
        done
        $IPT6 -P INPUT ACCEPT
        $IPT6 -P OUTPUT ACCEPT
        $IPT6 -P FORWARD ACCEPT
    fi
...


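Before a cron job or a test session loads an "ssh only" ruleset, a check like the following, added here as an example that is not part of the article, refuses any iptables-save file whose INPUT or OUTPUT policy is DROP without the matching ACCEPT rules shown above. The script name, helper names and the built-in sample ruleset are constructed for the example; feed it `iptables-save` output or a candidate rules file.

```shell
#!/bin/bash
# check-ssh-reachable.sh: refuse to load a ruleset (iptables-save format) that
# would cut the SSH session the "nothing but ssh" lockdown is meant to keep.
# Added example, not part of the article; the rules it recognises are the
# ones shown above (-P INPUT/OUTPUT DROP plus ACCEPT for tcp port 22).

# Keep only the *filter table of a ruleset read on stdin (nat/mangle also have INPUT).
filter_table() {
    awk '/^\*/ { in_filter = ($1 == "*filter"); next } in_filter'
}
# Print the default policy (ACCEPT/DROP) of a filter chain, e.g. INPUT.
chain_policy() {  # $1 = chain name, stdin = ruleset
    filter_table | awk -v c=":$1" '$1 == c { print $2; exit }'
}
# Return 0 if the ruleset in file $1 still admits SSH, 1 if it would lock you out:
#  - INPUT may be DROP only with an explicit ACCEPT for tcp --dport 22
#  - OUTPUT may be DROP only with an ESTABLISHED (or --sport 22) ACCEPT
# Presence is checked, not order: an earlier "-j DROP" line would still win.
ruleset_keeps_ssh() {
    local in_pol out_pol
    in_pol=$(chain_policy INPUT < "$1")
    out_pol=$(chain_policy OUTPUT < "$1")
    if [ "$in_pol" = "DROP" ]; then
        filter_table < "$1" | grep -Eq -- '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' || return 1
    fi
    if [ "$out_pol" = "DROP" ]; then
        filter_table < "$1" | grep -Eq -- '^-A OUTPUT .*(--sport 22|ESTABLISHED).*-j ACCEPT' || return 1
    fi
    return 0
}
# Constructed sample: the article's ssh-only rules as iptables-save prints them.
sample_ssh_only_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# usage: check-ssh-reachable.sh [ruleset-file]; without a file the built-in sample is checked
f="${1:-}"; [ -n "$f" ] || { f=$(mktemp); sample_ssh_only_ruleset > "$f"; }
if ruleset_keeps_ssh "$f"; then echo "ok: $f keeps ssh reachable"; else echo "refusing: $f would lock ssh out" >&2; fi
```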


Posted by: SXI ADMIN
