  #1 x201s (Just Joined!; Join Date: Feb 2011; Posts: 17)

    IPTable-- how to not lock myself out--

    I have been learning these tricks recently, often the hard way. More often than not, I am locked out from accessing the remote server.

    I have the following lines in my iptables. I think I need to add some ins and outs, because right now, I am allowing all outbound traffic.

    I want to add a line somewhere that makes sure that I have ssh access (local access) even if I screw up things in the following lines.

    I am using RHEL 5.6.

    (1) What line, and where do I add? Gurus, please help.

    Code:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :myFirewall_Input - [0:0]
    -A INPUT -j myFirewall_Input

    #### Output Chain add ###
    :myFirewall_Output - [0:0]
    -A OUTPUT -j myFirewall_Output

    #loopback
    -A myFirewall_Input -i lo -j ACCEPT

    #ping
    -A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
    -A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT

    #ssh local only
    -A myFirewall_Input -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT
    -A myFirewall_Output -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT

    #80 is ok from all
    -A myFirewall_Input -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

    #outgoing is unrestricted
    -A myFirewall_Output -m tcp -p tcp -s <IP> -j ACCEPT

    (2)
    I do not know if I have things that are not necessary and/or things I had better have, considering security.

    I mean, if I have this for ping:
    -A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
    do I need this?
    -A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT

    same for the ssh.

    (3) I want to define a variable for IP and use that variable throughout. Currently, I am using real numbers for <IP>.

    I want to define like:
    hostIP = "nnn.nnn.nnn.nnn"
    and later on, say,
    -A myFirewall_Output -p icmp --icmp-type 8 -s $hostIP -j ACCEPT

    I couldn't make it work. Any comments?

    Question (1) is very important for me-- I don't want to go to the server room every time I make a mistake. (3) is just for convenience, nice to have, but can do w/o. (2) is in between.

    Thank you for taking time to read.

  #2 Lazydog (Linux Guru; Join Date: Jun 2004; Location: The Keystone State; Posts: 2,281)

    Quote Originally Posted by x201s:
    I have been learning these tricks recently, often the hard way. More often than not, I am locked out from accessing the remote server.

    I have the following lines in my iptables. I think I need to add some ins and outs, because right now, I am allowing all outbound traffic.

    I want to add a line somewhere that makes sure that I have ssh access (local access) even if I screw up things in the following lines.

    I am using RHEL 5.6.

    (1) What line, and where do I add? Gurus, please help.
    I was never a big fan of how RH builds the firewall as it can be very misleading until you understand how it works.

    Here is a firewall I put together for you. It is easier to read and understand.

    Code:
    *filter
    :INPUT DROP [0:0]
    :OUTPUT DROP [0:0]
    :FORWARD DROP [0:0]
    #
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
    -A INPUT -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
    -A INPUT -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    #
    # OUTPUT matches the outgoing interface with -o; iptables-restore rejects -i in this chain
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    COMMIT

    This is a STATEFUL firewall meaning it is connection based.

    All connections that first come in are considered NEW when they are allowed and performing their 3-way handshake.

    After a successful handshake they are now considered ESTABLISHED and the connection information is added to the connection tracking db that iptables maintains.

    Forks of the ESTABLISHED connections, like with ftp, are considered RELATED connections.

    (2) I do not know if I have things that are not necessary and/or things I had better have, considering security.

    I mean, if I have this for ping:
    -A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
    do I need this?
    -A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT
    PING uses many icmp-types depending on what function it is performing.
    Have a look at the WIKIPEDIA ICMP page for a better understanding.

    same for the ssh.
    Look at what I have done above for SSH.

    (3) I want to define a variable for IP and use that variable throughout. Currently, I am using real numbers for <IP>.

    I want to define like:
    hostIP = "nnn.nnn.nnn.nnn"
    and later on, say,
    -A myFirewall_Output -p icmp --icmp-type 8 -s $hostIP -j ACCEPT

    I couldn't make it work. Any comments?
    Yes, what you want to do can only be done in a script. The file that IPTABLES reads needs real ip addresses. Variables are not allowed.

    Question (1) is very important for me-- I don't want to go to the server room every time I make a mistake.
    As long as you do not change the first 3 lines of the INPUT rules and the OUTPUT rules your ssh connection should always work. Remember to always place any modification to the rules after the first 3 lines so you do not get disconnected.

    (3) is just for convenience, nice to have, but can do w/o. (2) is in between.

    Thank you for taking time to read.
    You could read up on IPTABLES HERE. A lot of good information in there.

    Regards
    Robert

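    One way to cover both question (1) and question (3), as an added example that is not from the thread or from Lazydog: a shell script (the only place a variable works, as the answer to question 3 says) that generates the stateful ruleset above with the admin address substituted, then loads it with a timed rollback so a bad rule cannot leave you locked out of the server. The function names, the rollback timer and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the ruleset from a variable
# (question 3) and load it with an automatic rollback (question 1).
# Assumptions: run as root with iptables-save/iptables-restore on PATH;
# gen_rules, apply_with_rollback and the 192.0.2.10 address are ours.

# Emit an iptables-restore file with the admin address substituted. The
# file iptables reads cannot hold variables, so substitution happens here.
gen_rules() {
    host_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# lifeline rules first: loopback, tracked connections, SSH from the admin host
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp -s ${host_ip} --dport 22 -m state --state NEW -j ACCEPT
# everything you experiment with goes below this line
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -s ${host_ip} -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Save the working rules, load the new ones, and restore the old ones after
# $2 seconds unless the admin deletes the backup file to confirm that the
# SSH session survived. nohup keeps the timer alive if the session drops.
apply_with_rollback() {
    host_ip="$1"; secs="${2:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    gen_rules "$host_ip" | iptables-restore || return 1
    nohup sh -c "sleep $secs; [ -e '$backup' ] && iptables-restore < '$backup'" \
        >/dev/null 2>&1 &
    echo "new rules active; run 'rm $backup' within ${secs}s to keep them"
}

# usage (as root): apply_with_rollback 192.0.2.10 60
```

    If the new rules cut your session, the saved ruleset is restored on its own once the timer expires; if you can still log in, delete the backup file and the new rules stay.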
