Re: Implementing a firewall after-the-fact

Here is what I do when I have to change iptables rules on a remote server. We are running RedHat.

If there is a local user that I can talk through logging in to the console:

1) ssh into the machine.
2) create an /etc/sysconfig/iptables that is completely open, nothing blocked at all.
3) create a copy called /etc/sysconfig/iptables.emergency.restore
4) create a bash script and sudo user that can copy iptables.emergency.restore back over iptables. (script should also restart iptables)
5) test to make sure that that user can in fact run the script and it does overwrite iptables and restart the daemon.
6) make changes to /etc/sysconfig/iptables as required to tighten things up. (don't forget to allow ssh from your ip!!!)
7) test to make sure you are not locked out and that the users can still get everything they need.
8) tweak as needed.
9) copy /etc/sysconfig/iptables to /etc/sysconfig/iptables.last.working
10) create a script and sudo user that can copy iptables.last.working over top of iptables.
11) every time you tweak the iptables rules, test for a day then copy iptables to iptables.last.working

You now have 3 choices when you lock yourself out.
1) Talk a local user through logging onto the console and restoring to iptables.emergency.restore
2) Talk a local user through logging onto the console and restoring to iptables.last.working
3) Talk a local user through logging onto the console and shutting iptables off manually.

If there is no local user that I can talk through logging into the console I do the above except that I put the iptables.last.working script onto the end of /etc/rc.local.

This way a reboot gets me back to a known good state. If you are really stuck you can at least have someone kick the cord out for you.

-- Jonathan Crowe System Administrator for Sage Systems, Inc. 425-451-2484 x 3025
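A script along the lines of steps 2 through 12 above, as an added example and not the poster's own script. It assumes the RedHat layout (/etc/sysconfig/iptables in iptables-save format, restarted with "service iptables restart"); both the directory and the restart command can be overridden through IPTABLES_DIR and RESTART_CMD so the functions can be tried in a scratch directory first. The install path /usr/local/sbin/iptables-fallback and the sudo user name "helper" are assumptions.

```shell
#!/bin/sh
# iptables-fallback: emergency / last-working restore helper.
# Added example; not from the original post. Assumes RedHat-style
# /etc/sysconfig/iptables (iptables-save format) and "service iptables
# restart". Override with IPTABLES_DIR and RESTART_CMD when testing.
#
# Step 4: let the local helper run only this script, e.g. in /etc/sudoers
# (script path and user name are assumptions):
#   helper ALL=(root) NOPASSWD: /usr/local/sbin/iptables-fallback emergency, \
#                               /usr/local/sbin/iptables-fallback last-working
# No local user: append to /etc/rc.local so a reboot comes back known-good:
#   /usr/local/sbin/iptables-fallback last-working
set -eu

# write_open_ruleset <path>: steps 2/3, a ruleset that blocks nothing.
write_open_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# restore_ruleset <snapshot-name>: copy the named snapshot over the live
# file and restart iptables. Refuses a missing or empty snapshot (an empty
# file would silently drop every rule), and keeps a timestamped copy of
# whatever was live so a mistaken restore can itself be undone.
restore_ruleset() {
    dir="${IPTABLES_DIR:-/etc/sysconfig}"
    snapshot="$dir/$1"
    live="$dir/iptables"
    if [ ! -s "$snapshot" ]; then
        echo "restore_ruleset: $snapshot is missing or empty" >&2
        return 1
    fi
    if [ -f "$live" ]; then
        cp -p "$live" "$live.pre-restore.$(date +%Y%m%d%H%M%S)"
    fi
    cp -p "$snapshot" "$live"
    ${RESTART_CMD:-service iptables restart}
}

# snapshot_working: steps 9/11, freeze the current live rules as the
# known-good set once they have survived a day of use.
snapshot_working() {
    dir="${IPTABLES_DIR:-/etc/sysconfig}"
    cp -p "$dir/iptables" "$dir/iptables.last.working"
}

case "${1:-}" in
    emergency)    restore_ruleset iptables.emergency.restore ;;
    last-working) restore_ruleset iptables.last.working ;;
    snapshot)     snapshot_working ;;
    init-open)    write_open_ruleset "${IPTABLES_DIR:-/etc/sysconfig}/iptables.emergency.restore" ;;
    "")           ;;   # no action given: only define the functions
    *) echo "usage: $0 emergency|last-working|snapshot|init-open" >&2; exit 2 ;;
esac
```

Run "iptables-fallback init-open" once while the box is still reachable, then "iptables-fallback snapshot" after each ruleset has proven itself; the sudoers line restricts the helper to the two restore actions only, so the account that can undo a lockout cannot also edit the rules.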

--

fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list
