Re: IPCHains (Locked myself out) OOops... Way around it?

From: Brian Reichle <>
Date: Sun, 05 May 2002 17:47:38 +1000

Vladimir wrote:

> "Question all the way at the end:"
> I wrote an IP down from *.tw for hammering a "test" server I have.
> I wrote it under another IP I had. The IP I had was the actual box... (LMAO)
> I added.
> /sbin/ipchains -A input -j DENY -p all -l -s -d
> I accidentally noticed later that the actual IP is / was "one of few" that I
> had of the box. I know it's stupid, I laughed a little and then called
> myself stupid for not recalling the ip#s.

I have locked myself out from time to time as well (mostly due to
typos in the script), but in my case all I had to do was attach a
keyboard + monitor to the box and fix the problem.

> I was too lazy to create a "cron" job script where, when I reboot the box, it
> would flush the rules and then do a manual ipchains.rules recover command.
> I can't access the box from outside and I am 1/2 way around the States to go
> and check it out.
> Q.
> Does ipchains flush out of memory once rebooted? I can have someone from the
> colocation data center reboot the pc for me.

Yes, but if the rule is in one of the startup scripts then you might
need them to remove the rule manually.

I don't know about other distros, but by default Red Hat sets the
three-finger salute to safely reboot the computer (as long as it is done
from the console and not X).

> One other thing I don't understand is IP x.x.x.20 might be blocked, but why
> isn't IP x.x.x.21 working?
> I tried logging in via the 2nd IP I have on the box to get access, but no can
> do. Nothing is working.

Your rule will deny all packets (any source, any destination). '-s' should probably be something along the lines of '-s'.

A hint for future reference: have a rule like

/sbin/ipchains -A input -p tcp --dport 21 -l -j ACCEPT

as your very first rule; this way you can always get in with ssh.

Another idea that I use, if the box only has a few IPs each with its
own rule set, is to make a user-defined chain for each IP and have the
main input chain send incoming packets to the appropriate chain.

/sbin/ipchains -N eth0_in
/sbin/ipchains -A eth0_in ......

/sbin/ipchains -N eth1_in
/sbin/ipchains -A eth1_in ......

/sbin/ipchains -A input -p tcp --dport 21 -j ACCEPT
/sbin/ipchains -A input -d -j eth0_in
/sbin/ipchains -A input -d -j eth1_in
/sbin/ipchains -A input -l -j DENY
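The two points made in this reply, that a DENY with no source or destination matches every packet (which is why the second address on the box stopped answering too), and that an ACCEPT for the management port placed first plus one user-defined chain per address keeps the admin reachable, can be checked before a ruleset is ever loaded. The following is an added example and not code from the original post or from ipchains itself: a small first-match model of ipchains chain traversal, written in Python, that walks the quoted locked-out ruleset, the intended one, and the per-IP layout from the reply. All addresses, the interface names eth0_in/eth1_in as chain names, and the choice of SSH on TCP 22 are constructed for the illustration; the box's real addresses are not on the page.

```python
"""Toy first-match model of ipchains chain traversal (added example, not
part of the original post). Addresses, ports and chain contents below are
constructed for illustration only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    target: str                       # ACCEPT, DENY, or a user-defined chain name
    proto: str = "all"
    src: ipaddress.IPv4Network = ANY  # an omitted -s means "any source"
    dst: ipaddress.IPv4Network = ANY  # an omitted -d means "any destination"
    dport: Optional[int] = None       # an omitted port means "any port"

    def matches(self, pkt):
        return ((self.proto == "all" or self.proto == pkt["proto"])
                and pkt["src"] in self.src
                and pkt["dst"] in self.dst
                and (self.dport is None or self.dport == pkt["dport"]))


def walk(chains, chain, pkt, depth=0):
    """First matching rule wins. A jump into a user chain that reaches its
    end without a verdict returns to the next rule of the caller."""
    if depth > 8:
        raise RuntimeError("chain loop")
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DENY", "REJECT"):
            return rule.target
        result = walk(chains, rule.target, pkt, depth + 1)
        if result is not None:
            return result
    return None


def verdict(chains, pkt, policy="ACCEPT"):
    """Verdict for a packet entering the input chain; the default policy
    applies when nothing in the chain terminates the packet."""
    result = walk(chains, "input", pkt)
    return result if result is not None else policy


def net(s):
    return ipaddress.ip_network(s)


def host(s):
    return ipaddress.ip_address(s)


# Constructed sample addresses (documentation ranges, not the poster's box).
ADMIN = host("192.0.2.10")
BOX_A, BOX_B = host("198.51.100.20"), host("198.51.100.21")
ABUSER = host("203.0.113.77")


def pkt(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def locked_out_chains():
    # The rule as quoted, with -s and -d left empty: both default to any,
    # so it denies every packet to every address on the box.
    return {"input": [Rule("DENY")]}


def intended_chains():
    # What was meant: management port accepted first, then the abuser denied.
    return {"input": [
        Rule("ACCEPT", proto="tcp", dport=22),
        Rule("DENY", src=net("203.0.113.77/32")),
    ]}


def per_ip_chains():
    # The reply's layout: one user chain per address, dispatched from input,
    # with a catch-all DENY as the last rule of input.
    return {
        "input": [
            Rule("ACCEPT", proto="tcp", dport=22),
            Rule("eth0_in", dst=net("198.51.100.20/32")),
            Rule("eth1_in", dst=net("198.51.100.21/32")),
            Rule("DENY"),
        ],
        "eth0_in": [Rule("DENY", src=net("203.0.113.0/24"))],
        "eth1_in": [Rule("ACCEPT", proto="tcp", dport=80)],
    }


def preflight(chains, admin=ADMIN, boxes=(BOX_A, BOX_B), port=22):
    """True when the admin can still reach the management port on every
    address: the check to run before loading rules on a remote box."""
    return all(verdict(chains, pkt(admin, b, port)) == "ACCEPT" for b in boxes)


if __name__ == "__main__":
    for name, chains in (("locked out", locked_out_chains()),
                         ("intended", intended_chains()),
                         ("per-IP", per_ip_chains())):
        print(f"{name:10s} admin reachable: {preflight(chains)}")
```

Note that the first ACCEPT rule, exactly as the reply writes it, admits anyone to the management port, not only the admin; if the admin's source network is known, scoping that rule with -s is the tighter choice. The eth1_in chain also shows the fall-through behaviour: a packet to the second address on a port its chain does not mention returns to input and hits the final DENY.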