I am working on an experiment. When I (client) ssh into a gateway and run sudo iptables --policy INPUT DROPthen the gateway doesn't accept any communucation (or input) from my client.
By running sudo iptables --policy INPUT ACCEPT on the gateway, then the client is able to write again.
My question is: How can I restore the situation from the client?
3 Answers
There are two things you should do to keep that system accessible before changing netfilter-rules:
- create an exception in the firewall rules for
sshfrom your machine - create a safeguard
create an exception
create an appropriate rule with iptables
sudo iptables -A INPUT -p tcp --dport ssh --source-address yourextIPadd -j ACCEPT(where yourextIPadd is the IP address of your machine at home, seen from the outside)
or utilizing ufw
If you have ufw installed already you can tell ufw to create an exception
sudo ufw allow from yourextIPadd to any port 22create a safeguard
Before issuing the command to alter the default-policy for netfilter to DROP you can tell the system to revert that command after (say) 5 minutes with the handy command at
sudo at -vM now +5 minutesnow you are in something like an editor, where you can type commands to be executed later, you close/end that by typing CTRLD.
Type
/sbin/iptables --policy INPUT ACCEPTCTRLD
You will see something like
sudo at -vM now +1 minute
Fri Aug 29 17:46:00 2014
warning: commands will be executed using /bin/sh
at> /sbin/iptables iptables --policy INPUT ACCEPT
at> <EOT>
job 5 at Fri Aug 29 17:46:00 2014Remarks
- you need to call
atwithsudo(it must beroot'sat table) - therefore no need for
sudowithin -vtellsatto show the intended execution time when you are finished-Mtellsatto send no e-mail regarding success/failure- for in-depth help with
iptableshave a look at the IPTables Howto
You can't... at least using an IP based connection protocol. Because your rule drops all incoming IP traffic coming to the gateway.
BTW, all protocols I know like ssh, vnc, rdp and so on, use IP.
i stumbled upon this question while i was researching other sorts of rules for iptables. and i thought i would throw in my own suggestion.
for the sake of example the following is a means for ensuring you dont lock YOURSELF out of your localhost. edit your IPs to suite your network topology. I dont know what others use for their IP range. my Suggestion or advice from a security standpoint when setting up your local network (home, but also business etc) dont use the 192.168.0.1 and instead use 10.0.0.0 ... Why? simple. Anything that isnt the DEFAULT imediately increases your security, even if by a tiny bit. Once an attacker gets in, they are pretty much in. and its only a matter of time before they figure out your network schema.
Hope this helps.
this setup also persist after rebooting your machine. so long as you ensure to execute netfilter-persistent save.
# Set default policies for all three default chains $ sudo iptables -P INPUT DROP $ sudo iptables -P FORWARD DROP $ sudo iptables-P OUTPUT ACCEPT # Enable free use of loopback interfaces $ sudo iptables -A INPUT -i lo -j ACCEPT $ sudo iptables -A OUTPUT -o lo -j ACCEPT #Dont lock yourself out $ sudo iptables -I INPUT 1 -i eth0 -p tcp --syn -m state --state NEW -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT $ sudo iptables -I OUTPUT 1 -o eth0 -p tcp --syn -m state --state NEW -s 192.168.0.1 -d 192.168.0.2 -j ACCEPT # Allow your local subnet $ sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -s 192.168.0.1/24 -j DROP # Accept inbound TCP packets $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 192.168.0.1/24 -j ACCEPT # Accept inbound ICMP messages $ sudo iptables -A INPUT -p ICMP --icmp-type 8 -s 192.168.0.1/24 -j ACCEPT $ sudo iptables -A INPUT -p ICMP --icmp-type 11 -s 192.168.0.1/24 -j ACCEPT # Accept outbound packets $ sudo iptables -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT $ sudo iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPTnext before you do anything else. you should execute
$ sudo iptables-save >> iptables-rules-ipv4.sh $ sudo netfilter-persistent save