Resetting your firewall (iptables) during testing
Posted Fri, 22 Jan 2010
Kind of sucks.
So you're going to start playing with some new firewall rules, but you learned from the past and now you have a cron(8) or at(8) job that will reset the firewall rules to permissive every so often, just in case you lock yourself out.
I used to do that. Until I realized today that I'm frankly too lazy to wait the N minutes I'll have to wait for my at(8) job to kick in.
Now I sniff packets and have a script trigger from that.
On the remote server, I'll use ngrep to watch for a specific payload in an icmp echo packet. This works because packet capture (bpf(4) on the BSDs, AF_PACKET on Linux; what libpcap, tcpdump, ngrep, etc. sit on top of) taps incoming packets before the firewall has a chance to filter them, so even if you deny all inbound traffic, ngrep will still see the trigger packet. Here's the script I use on the remote server:
    #!/bin/sh
    # Look for any icmp echo packets containing the string 'reset-iptables'
    # and reset the firewall to permissive whenever one arrives.
    #   -l       line-buffered output, so the pipeline reacts per packet
    #   -W none  print the payload without any dump layout
    #   -d any   capture on every interface
    # Both ngrep and iptables need root.
    ngrep -l -Wnone -d any 'reset-iptables' 'icmp and icmp[icmptype] = icmp-echo' \
      | grep --line-buffered '^I ' \
      | while read line ; do
          # -F flushes the filter table's chains only; nat and mangle are untouched.
          iptables -F
          iptables -P INPUT ACCEPT
          iptables -P OUTPUT ACCEPT
          iptables -P FORWARD ACCEPT
        done
The ngrep line will output this whenever it sees a matching packet:
    remotehost% ngrep -l -Wnone -d any 'reset-iptables' 'icmp and icmp[icmptype] = icmp-echo'
    interface: any
    filter: (ip) and ( icmp and icmp[icmptype] = icmp-echo )
    match: reset-iptables
    ##
    I XX.XX.XX.XX -> XX.XX.XX.XX 8:0
      ....reset-iptablesipta

We'll grep for just the 'I' line, then trigger a full firewall reset.
I couldn't figure out how to use ping(8) and set a specific payload, so I'll use scapy.
    workstation% echo 'sr1(IP(dst="remotehost.example.com")/ICMP(type="echo-request")/"reset-iptables")' | sudo scapy

Now, if I accidentally lock myself out through firewall rule changes, I can trivially reset them using that 'echo | scapy' one-liner.
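Both halves of the trick, spelled out in plain Python so the packet format is visible. This is an added example, not the post's own code: build_echo_request() does what the scapy one-liner does (an ICMP echo request carrying a chosen payload, with a correct ICMP checksum), matches_trigger() applies to a raw IPv4 packet the same test the ngrep filter plus match string perform (ICMP, type 8, payload containing the token, checksum intact), and send_trigger() fires the request one-way, which sidesteps the wait for a reply that sr1() incurs when the firewall you are resetting also drops the echo reply. The function names, the 192.0.2.x sample addresses used in the tests and the zeroed IPv4 header checksum in the offline builder are this example's assumptions; the trigger string and the ICMP type come from the post.

```python
"""Build and recognise the 'reset-iptables' ICMP trigger with socket/struct only.

Added example, not the original post's code. Sender side replaces the scapy
one-liner; matcher side replicates what the post's ngrep filter decides.
"""
import socket
import struct

TRIGGER = b"reset-iptables"   # payload the post's ngrep looks for
ICMP_ECHO_REQUEST = 8         # icmp[icmptype] = icmp-echo in the post's BPF filter
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) with an arbitrary payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def build_ipv4(src: str, dst: str, icmp: bytes) -> bytes:
    """Minimal option-less IPv4 header around an ICMP message, for offline testing.
    The IP header checksum is left at zero (assumption): matches_trigger() ignores it."""
    total_len = 20 + len(icmp)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, socket.IPPROTO_ICMP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + icmp


def matches_trigger(packet: bytes, token: bytes = TRIGGER) -> bool:
    """True for an IPv4 ICMP echo request whose payload contains token and whose
    ICMP checksum verifies; anything else (replies, other protocols, damaged
    packets, other payloads) is False. Feed it an IP packet, not a whole frame."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return False
    icmp = packet[ihl:]
    if icmp[0] != ICMP_ECHO_REQUEST or icmp[1] != 0:
        return False
    if icmp_checksum(icmp) != 0:    # a valid message sums to zero with its checksum field included
        return False
    return token in icmp[8:]        # payload follows type/code/checksum/id/seq


def send_trigger(dst: str, payload: bytes = TRIGGER) -> int:
    """Send the trigger; needs root (CAP_NET_RAW). Deliberately one-way: the
    firewall being reset usually drops the echo reply, so nothing waits for one."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        return s.sendto(build_echo_request(payload), (dst, 0))


if __name__ == "__main__":
    import sys
    sys.exit(0 if send_trigger(sys.argv[1]) > 0 else 1)
```

Run as root with the remote host as the only argument to send the trigger. A watcher written against this would hand each captured IPv4 packet (Ethernet header stripped) to matches_trigger() and run the same four iptables commands as the post's script; the checksum check is there so that a truncated or mangled packet does not flush your rules by accident.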
Obviously, I don't keep the reset script running after the firewall rules are tested and known-good, but it's a great instant-gratification means to solving the locked-out problem you may face when testing new firewall rules.