[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hardening checkpoints


> > */3 *	* * *	root	iptables -A INPUT -i eth0 -p tcp -s
> > MY_WORKSTATION_IP --dport 22 -j ACCEPT && echo "issued iptables cmd"
> >
> > | mail -a "From: root@${HOSTNAME}" -s "[iptables-keepalive]"
> >
> > my@email_address.com
> >
> > That does 2 things:
> >
> > 1. guarantees my access to the machine no matter how stupid I am
> > configuring shorewall :)
> Actually, iptables -A INPUT will _append_ a rule to your INPUT chain
> (iptables(8)), and this won't help you if your connection is matched by
> an earlier blocking rule. To really make sure that you can reach the
> machine after a failed firewall-reconfiguration, replace -A with -I,
> which makes the rule inserted at the head of the chain, and hence, the
> first rule to be matched.

this also wont help you if you lock yourself out with a rule in the mangle or 
nat table.

I think
iptables -t mangle -I PREROUTING 1 -i eth0 -p tcp -s $MY_WORKSTATION_IP 
--dport 22 -j ACCEPT

should be the better way to do it your way.


Reply to: