Remotely configuring iptables

dgingeri

I have two Ubuntu haproxy servers that I need to configure remotely to block all traffic except http/https from anyone and SSH traffic from our HQ.

I'm working on formulating the commands, but I need one vital piece of information before I run them: If I run a script to configure iptables that disconnects my SSH session with its first step, will the rest of the script still execute?

The reason I ask is that I need to have the first step set the firewall to reject everything by default, which means my SSH session will be disconnected. The rest of the steps would then allow the SSH session back in and allow for web traffic. At least, in theory. (With our production stack, this was all done through Salt, by someone else who is now on vacation, but I am unable to get Salt to work with the QA stack.) So, would this work?
 
> I have two Ubuntu haproxy servers that I need to configure remotely to block all traffic except http/https from anyone and SSH traffic from our HQ.
>
> I'm working on formulating the commands, but I need one vital piece of information before I run them: If I run a script to configure iptables that disconnects my SSH session with its first step, will the rest of the script still execute?
>
> The reason I ask is that I need to have the first step set the firewall to reject everything by default, which means my SSH session will be disconnected. The rest of the steps would then allow the SSH session back in and allow for web traffic. At least, in theory. (With our production stack, this was all done through Salt, by someone else who is now on vacation, but I am unable to get Salt to work with the QA stack.) So, would this work?
I'd expect it to terminate your session and probably whatever is running in it. I'd look at using the screen command so you can reattach to the session.
 
yeah, I was shown how to use screen once, but I didn't get it at all.
 
Nixcraft has a pretty good page showing usage and a list of hotkeys. You might give it a look and try a few examples, e.g. ssh in, start screen, run top, detach from that, exit ssh, try to get back to it.
https://www.cyberciti.biz/tips/linux-screen-command-howto.html
Ah, that helped a lot.

screen
cat /etc/haproxy/haproxy.cfg
(end putty session)
(log back into putty)
screen -r

and I was right back to seeing the output from the cat command. That was pretty cool. Now I know I can run this script. I just need to have an expert look over the script to make sure it does what I hope it does.
 
Why aren't you using ufw? It's standard on Ubuntu and a lot easier to configure.

First create a rule to allow SSH etc. port 22 from your office IP and 443, 80 globally. Then activate ufw and block all traffic. The 'allow' setting is always stronger than deny.
 
So if I put "iptables -A INPUT -s A.B.C.D/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT" in ahead of "iptables -P INPUT DROP", it might stay connected and run the rest of the script?
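Since the whole question is about rule ordering, here is an added example (my own, not posted by anyone in the thread) of a script that emits the iptables commands in an order that cannot cut the live SSH session, alongside the DROP-first ordering the original question describes, plus a small checker that rejects the latter before anything is applied. HQ_NET is a placeholder for the HQ address block, and ports 22, 80 and 443 are assumed; it is IPv4 only and is a dry run unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands for an haproxy
# host in a connection-safe order: the default policy stays ACCEPT until every
# allow rule is loaded, and the ESTABLISHED rule goes in first so the current
# SSH connection keeps working while the rest of the script runs.
# Assumptions (placeholders, not from the thread): HQ_NET is the HQ address
# block, SSH is on 22/tcp, haproxy listens on 80 and 443, IPv4 only.
HQ_NET="${HQ_NET:-203.0.113.0/24}"   # RFC 5737 documentation range, placeholder

# Connection-safe ordering: policy ACCEPT, flush, allow rules, then policy DROP.
build_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $HQ_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# The ordering the original question describes: DROP first, allows afterwards.
# Every packet of the current SSH session is dropped as soon as line 1 runs,
# and nothing after it is guaranteed to execute.
naive_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -s $HQ_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
EOF
}

# Read a rule script on stdin and refuse it (exit 1) when the DROP policy is
# set before the last allow rule or when no ESTABLISHED rule exists.
check_order() {
    awk '
        /-A INPUT .* -j ACCEPT/  { last_accept = NR }
        /-A INPUT .*ESTABLISHED/ { if (!est) est = NR }
        /-P INPUT DROP/          { if (!drop) drop = NR }
        END {
            if (!drop) { print "no default DROP policy"; exit 1 }
            if (drop < last_accept) { print "DROP policy set before allow rules"; exit 1 }
            if (!est) { print "no ESTABLISHED rule: live session would be cut"; exit 1 }
            exit 0
        }'
}

# Dry run by default: print the commands for review. APPLY=1 checks and runs them.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | check_order && build_rules | sh
else
    build_rules
fi
```

The ordering proposed in the post above (the ACCEPT rule before `iptables -P INPUT DROP`) is exactly what the checker accepts, provided the rule also matches the already-open session (the ESTABLISHED,RELATED states; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread). For the copy-a-file-and-restart approach discussed later, Debian and Ubuntu also ship `iptables-apply`, which loads a rules file and reverts it automatically unless you confirm from a still-working session within a timeout.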
 
What if I told you I may have a program written in w/Qt that lets you define rules in a GUI and that no one else has it
And I'd have to see if it'll compile on the new shit

Edit: it will take a while.
 
> What if I told you I may have a program written in w/Qt that lets you define rules in a GUI and that no one else has it
> And I'd have to see if it'll compile on the new shit
>
> Edit: it will take a while.
That would be exceedingly useful, IMO. However, as this is for a QA environment designed to mirror a specifically defined production environment, I can't introduce any additional variables that might throw off testing. So, my boss would probably not let me use it.
 
> Why aren't you using ufw? It's standard on Ubuntu and a lot easier to configure.
>
> First create a rule to allow SSH etc. port 22 from your office IP and 443, 80 globally. Then activate ufw and block all traffic. The 'allow' setting is always stronger than deny.

Generally speaking, iptables does more. UFW was just created as a front end for iptables. It also sounds like what he is trying to do is verify first that an explicit deny all will work, then he is adding in the allow statements before the deny and verifying that only the specific services from specific systems in a specific direction are then allowed to work.

> The reason I ask is that I need to have the first step set the firewall to reject everything by default, which means my SSH session will be disconnected. The rest of the steps would then allow the SSH session back in and allow for web traffic. At least, in theory. (With our production stack, this was all done through Salt, by someone else who is now on vacation, but I am unable to get Salt to work with the QA stack.) So, would this work?

Why do you have to run the script from your machine? Why not scp it over to the target machine, run the script on that machine. Have the script remove itself at the end.

EDIT: Although if it were me, I would write the iptables file, test it on a system to verify it does what I want it to do, then copy over the iptables file to the machine I want it to run on and restart iptables.
 
Good point about the test system, especially since our resident Linux expert is out on vacation for another week. However, I'd do it a little differently. I already wrote up the script on notepad, and was going to vi a new file and just paste it in through putty, and then run it. I can test it on a virtualbox vm on my main machine and make sure the commands take properly, then paste it into the QA proxy machines after testing. No need to transfer files.
 
> Good point about the test system, especially since our resident Linux expert is out on vacation for another week. However, I'd do it a little differently. I already wrote up the script on notepad, and was going to vi a new file and just paste it in through putty, and then run it. I can test it on a virtualbox vm on my main machine and make sure the commands take properly, then paste it into the QA proxy machines after testing. No need to transfer files.

Technically when you are pasting it in through putty you are doing a file transfer. File transfers over SSH, which is what putty uses typically, use scp. :D But yes, copy/paste should work just as well.
 
Alrighty, done. The script worked well, and using screen was unnecessary, as the script executed fast enough I did not lose connection. Thanks all.
 
> Alrighty, done. The script worked well, and using screen was unnecessary, as the script executed fast enough I did not lose connection. Thanks all.

Sweet. Good job. Tell your boss I now authorize you to take the rest of the day off :ROFLMAO:
 
> Generally speaking, iptables does more. UFW was just created as a front end for iptables. It also sounds like what he is trying to do is verify first that an explicit deny all will work, then he is adding in the allow statements before the deny and verifying that only the specific services from specific systems in a specific direction are then allowed to work.

Which is why you can use the simple interface of ufw to do the commands and then double check the iptables. My closest server is 100 miles away so I tend to be pretty careful with configuring the network remotely :)
 