5

I want to add a whitelist to my system using iptables. So I searched the web and found this:

iptables -I INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT -s 127.0.0.1/8 -j ACCEPT
iptables -I INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -P INPUT DROP

and it really works. So I ran iptables -F to delete all rules, and then I could not connect to this server anymore.

What's wrong?

What is the correct way to delete all rules?

MadHatter
Sato

2 Answers

10

The chain policy for INPUT is set to DROP.

In the absence of any rules, everything gets discarded.

Before nuking all the chains, ensure all chains have a policy of ACCEPT, à la iptables -P INPUT ACCEPT.

Olipro
2

In addition to the correct and helpful answer of Olipro, I would recommend something to

avoid the risk of being locked out by your firewall

Use a crontab-bound script which re-opens the firewall in case something went wrong; as you know, you can make a mistake in your sshd_config which does not do real harm as long as you are still logged in. Not so with iptables: one mistake could be enough, and you are out. Therefore:

#!/bin/bash
# openFW.sh
# Emergency "open the firewall" script, meant to run from cron while you edit
# your rules. The policies are set to ACCEPT *before* the flush, so there is
# never a moment with a DROP policy and no ACCEPT rules.

# cron's PATH often lacks /sbin and /usr/sbin, where iptables lives.
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
IPT=$(which iptables)
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -F

# %M is the minute; %m would print the month.
NOW=$(date +"%H:%M")
echo "FW opened on $(hostname) at $NOW" | mail -s "FW reset cron job jh1" \
you@your.domain.com
logger "WARNING : iptables flushed and opened by cron job"

And with crontab -e place something like

#*/5 8-19 * * * /root/scripts/openFW.sh

to flush your iptables rules and open the FW every 5 minutes. Uncomment this before you edit your rules; check the rules (be sure that they are available, and not already flushed by this cron job); after everything is fine, comment the flush cron out.

Hope this helps.

MarkHelms
  • In order to avoid another administrator using iptables -F you might mask this command with a corresponding script in bashrc. See solution from @KrisFR [here](https://serverfault.com/a/871796/400607). – MarkHelms Sep 03 '17 at 12:19