Linux – apply back firewall after iptables flush

centosfirewalllinux

yesterday i got my self locked from my own server. and than i try to flush iptables from another server to get it unlocked as this question response 3 times fail then lock

After that, i cannot login to the server. i ask support from the customer service and finally i can login as before.

he (customer service) reboot the server and execute iptables -A INPUT -p tcp –dport 22 -j ACCEPT and shutdown the firewall.

and now i want the firewall back as before it flushed.

is it possible to do that? and how to do that?

i read from other forum, they said with just reboot the machine it the ip table will restore to previous state. is it right?

Best Answer

The firewall as configured by iptables is ephermal. It's never saved and must be reloaded on each boot. Normally there is a script in init.d that loads the iptables rules on boot. When flushing the rules with iptables -F, that only flushes what the Kernel knew, but doesn't affect how the firewall will be setup on next boot. Every distribution is different. Fedora uses a init.d script called /etc/init.d/iptables that just runs iptables-restore /etc/sysconfig/iptables or something like that. Ubuntu uses ufw which calls a series of iptables commands based on local configuration. If all you did was run iptables commands and didn't store anything to a file, then a reboot should restore the firewall. If you know which init.d script, you can probably just reload that script to restore instead of a full reboot.

Related Solutions

Iptables – ftp tls firewalled :(

In Passive mode, when the client wants to get a file from the server or send a file to the server, the FTP server will pick a random port and send that port to the FTP client.

When you're not using encryption, a properly configured firewall (using the ip_conntrack_ftp helper kernel module, which may be what you're missing for non-TLS connections) would "listen in" on the connection and mark these connections as RELATED. With encryption the firewall can't listen in.

The quick and dirty solution to this is to configure the FTP server to choose a small range of ports for passive connections, and then allow access to all of these ports. For instance, in vsftpd:

pasv_min_port=12000
pasv_max_port=12049

Then in iptables:

iptables -A INPUT -p tcp -m tcp -i eth0 --dport 12000:12049 -j ACCEPT

Allowing anyone to access these ports opens one possible exploit: if someone were to be scanning them over and over they might get lucky and be able to "beat" the real user to the data port and grab the file. Ideally your FTP server would check and make sure the connection is coming from the same place as the original connection, but thanks to things like "FXP" (transferring files from one server to another server by convincing one to make an active connection to the other's passive data port) some servers don't check the connection by default. You should check your configuration file and see if there is an option to disable FXP, and use it. (vsftpd calls this "promiscuous" and is disabled by default.)

Firewall – Hardware Firewall vs. Software Firewall (IP Tables, RHEL)

Hardware firewalls are running software too, the only real difference is that the device is purpose built and dedicated to the task. Software firewalls on servers can be just as secure as hardware firewalls when properly configured (note that hardware firewalls are generally 'easier' to get to that level, and software firewalls are 'easier' to screw up).

If you're running outdated software, there's likely a known vulnerability. While your server might be susceptible to this attack vector, stating that it is unprotected is inflammatory, misleading, or a boldface lie (depends on what exactly they said and how they meant it). You should update the software and patch any known vulnerabilities regardless of the probability of exploitation.

Stating that IPTables is ineffective is misleading at best. Though again, if the one rule is allow everything from all to all then yeah, it wouldn't be doing anything at all.

Side Note: all my personal servers are FreeBSD powered and use only IPFW (built-in software firewall). I have never had a problem with this setup; I also follow the security announcements and have never seen any issues with this firewall software.
At work we have security in layers; the edge firewall filters out all the obvious crap (hardware firewall); internal firewalls filter traffic down for the individual servers or location on the network (mix of mostly software and hardware firewalls).
For complex networks of any kind, security in layers is most appropriate. For simple servers like yours there may be some benefit in having a separate hardware firewall, but fairly little.

Best Answer

Related Solutions

Iptables – ftp tls firewalled :(

Firewall – Hardware Firewall vs. Software Firewall (IP Tables, RHEL)

Related Topic