Re: IPCHains (Locked myself out) OOops... Way around it?

From: Brian Reichle (q1021606@mail.connect.usq.edu.ANTISPAM.au)
Date: 05/05/02


From: Brian Reichle <q1021606@mail.connect.usq.edu.ANTISPAM.au>
Date: Sun, 05 May 2002 17:47:38 +1000

Vladimir wrote:

> "Question all the way at the end:"
>
> I wrote an IP down from *.tw for hammering a "test" server I have.
>
> I wrote it under another IP I had. The IP I had was the actual box... (LMAO)
>
> I added.
>
> /sbin/ipchains -A input -j DENY -p all -l -s 65.170.xx.xxx/0 -d 0.0.0.0/0
>
> I accidentally noticed later that the actual IP is / was "one of few" that I
> had of the box. I know it's stupid, I laughed a little and then called
> myself stupid for not recalling the IP#s.
>

I have locked myself out from time to time as well (mostly due to
typos in the script), but in my case all I had to do was attach a
keyboard + monitor to the box and fix the problem.

> I was too lazy to create a "cron" job script where, when I reboot the box, it
> would flush the rules and then do a manual ipchains.rules recover command.
>
> I can't access the box from outside and I am 1/2 way around the States to go
> and check it out.
>
> Q.
> Does ipchains flush out of memory once rebooted? I can have someone from the
> colocation data center reboot the PC for me.

Yes, but if the rule is in one of the startup scripts then you might
need them to remove the rule manually.

I don't know about other distros, but by default Red Hat sets the
3-finger-salute to safely reboot the computer (as long as it is done
from the console and not X).

>
> One other thing I don't understand: IP x.x.x.20 might be blocked, but why
> isn't IP x.x.x.21 working?
> I tried logging in via the 2nd IP I have on the box to get access, but no can
> do. Nothing is working.
>

Your rule will deny all packets (any source, any destination). '-s
65.170.xx.xxx/0' should probably be something along the lines of '-s
65.170.xx.xxx/16'.

A hint for future reference: have a rule like

/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 22 -l -j ACCEPT

as your very first rule; this way you can always get in with ssh.

Another idea that I use, if the box only has a few IPs each with its
own rule set: make a user-defined chain for each IP and have the
main input chain send incoming packets to the appropriate chain.

/sbin/ipchains -N eth0_in
/sbin/ipchains -A eth0_in ......
...
...

/sbin/ipchains -N eth1_in
/sbin/ipchains -A eth1_in ......
...
...

/sbin/ipchains -A input -p tcp -d 0.0.0.0/0 22 -j ACCEPT
/sbin/ipchains -A input -d 123.45.67.80 -j eth0_in
/sbin/ipchains -A input -d 123.45.67.81 -j eth1_in
/sbin/ipchains -A input -l -j DENY
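An added example, not from this thread: a small POSIX shell lint for the two points above, that a DENY with a /0 mask matches every address no matter what address precedes the slash, and that such a rule is only safe once an ACCEPT for the admin port sits above it in the input chain. The function names and the sample rules are constructed for this example.

```shell
#!/bin/sh
# rule_denies_everything RULE
# Succeeds when RULE is an ipchains DENY/REJECT that matches every packet:
# any protocol, any source, any destination, no port. Only -j, -p, -s, -d
# and the optional port after an address are inspected (-i, -y are ignored).
rule_denies_everything() {
    target=""; proto="all"; narrowed=0
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -j) target=$2; shift ;;
            -p) proto=$2; shift ;;
            -s|-d)
                # A /0 mask keeps no address bits, so 65.170.xx.xxx/0 is
                # the same as 0.0.0.0/0; any other mask narrows the rule.
                case "$2" in */0) ;; *) narrowed=1 ;; esac
                shift
                # ipchains puts the port after the address: "-d 0.0.0.0/0 22"
                case "$2" in [0-9]*) narrowed=1; shift ;; esac ;;
        esac
        shift
    done
    case "$target" in DENY|REJECT) ;; *) return 1 ;; esac
    [ "$proto" = all ] && [ "$narrowed" = 0 ]
}

# lint_ipchains_rules < FILE
# Reads one ipchains command per line and warns about each deny-everything
# rule appended to the input chain before any ACCEPT rule: with nothing
# accepted above it, the admin's own ssh session is dropped as well.
# Returns 1 if such a rule was found, 0 otherwise.
lint_ipchains_rules() {
    found=0; accepted=0
    while IFS= read -r line; do
        case "$line" in *ipchains*" -A input "*) ;; *) continue ;; esac
        case "$line" in *"-j ACCEPT"*) accepted=1; continue ;; esac
        if [ "$accepted" = 0 ] && rule_denies_everything "$line"; then
            echo "WARNING: drops all traffic before any ACCEPT: $line"
            found=1
        fi
    done
    return $found
}

# Constructed sample: the quoted rule, then the same rule with a /16 mask.
lint_ipchains_rules <<'EOF' || echo "lockout risk found (see warning above)"
/sbin/ipchains -A input -j DENY -p all -l -s 65.170.xx.xxx/0 -d 0.0.0.0/0
/sbin/ipchains -A input -j DENY -p all -l -s 65.170.0.0/16 -d 0.0.0.0/0
EOF
```

Run it against a rules file with `lint_ipchains_rules < ipchains.rules` before applying the file on a remote box; only the first line of the constructed sample is reported.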
