Sysadmin I did the "iptables -F" accidentally - aws instance

guicz · Nov 18, 2020

Oh god, I accidentally did the "iptables -F" in the wrong console window and got locked out of the server.

I know. I know....

I rebooted it many times, like it was suggested here and had no luck trying to access the server.

Even tried that "Connect to instance" in AWS panel but it is not working also.

Tried to make a snapshot of the volume to download it and edit the iptables rules but got no success either.

Do you guys have any idea of what can I do to get on again? I'm desperate here.

Any suggestion will be very appreciated.

Thanks in advance

eva2000 · Nov 19, 2020

Ouch !!

guicz said: ↑

I rebooted it many times, like it was suggested here and had no luck trying to access the server.
Click to expand...

Rebooting server should work as CSF Firewall would generate it's config for iptables on reboot. Unless CSF Firewall service isn't starting up on reboot.

guicz said: ↑

Tried to make a snapshot of the volume to download it and edit the iptables rules but got no success either.
Click to expand...

That won't work as CSF Firewall configures iptables on start up on the fly AFAIK so whatever you setup in iptables will be overwritten. Unless of course if you add your own iptable rules into a manually created file at /etc/csf/csfpre.sh and give the file executable permissions 0755 or 0700. CSF Firewall will then load up whatever iptables rules or commands are in /etc/csf/csfpre.sh before it's own configuration.

@fly uses Amazon EC2 server instances, maybe he knows something specific to EC2's handling of iptables -F

eva2000 · Nov 19, 2020

Google-fu at work and this might work https://stackoverflow.com/a/56570399/272648 @fly ? But it assumes CSF Firewall is blocking you which may not be the case

or EC2 user data Working with instance user data - Amazon Elastic Compute Cloud or Running commands on your Linux instance at launch - Amazon Elastic Compute Cloud. Seems only works if you EC2 instance has EBS volume

User data and the console
You can specify instance user data when you launch the instance. If the root volume of the instance is an EBS volume, you can also stop the instance and update its user data.
Click to expand...
1- Stop your instance

2- Go to `Instance Settings -> View/Change user Data

3- Paste this
Code (Text):
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"
#!/bin/bash
csf -x
iptables -L
iptables -F
--//
4- Start your instance
Click to expand...
I changed the ufw firewall command to CSF Firewall disable command -x
Code (Text):
#!/bin/bash
csf -x
iptables -L
iptables -F
or instead of csf -x to disable can try flush or restart with csf -f or csf -ra
you'd need to run csf -e to enable it again after you get in.

Never done this before so it's at your own risk

guicz · Nov 20, 2020

Guys, you not going to believe this...

IT WORKEDDDD!!!11

I did exactly like mentioned in the reply above.

And, after recover the instance, don't forget to stop it again and restart.

Thanks George, you are such a good inspiration for all of us using cmm stack.

I've never needed any help with cmm (it is appropriate for my level of knowledge. Advanced but simple at the same time.) and I use is in all my servers for a good while now. Then, when I needed support you covered it for me.

Thank you so much for all this years of making this great community around cmm.

eva2000 · Nov 20, 2020

Nice glad to hear it worked out for you. Thanks for keeping us updated.

Has me wondering about respective cloud providers' varying support for cloud-init and user data at launch and how it would help in situations like theses

eva2000 · Nov 21, 2020

eva2000 said: ↑

Has me wondering about respective cloud providers' varying support for cloud-init and user data at launch and how it would help in situations like theses
Click to expand...

Follow up on that. I tested on Upcloud, Linode, Vultr, Hetzner and DigitalOcean some allow a server reboot to restart CSF Firewall to rebuild iptable rules but some don't. But all do allow you to log in via their respective out of band consoles and you can just do a CSF Firewall restart via csf -ra command and you should be able to regain SSH login access after accidentally running iptables -F. I have an upcoming article writeup with this info too.

eva2000 · Nov 21, 2020

@guicz I've written up a blog article outlining how to regain SSH access after running iptables -F for Upcloud, Linode, DigitalOcean, Vultr, Hetzner and Amazon AWS EC2 servers at https://blog.centminmod.com/2020/11...er-being-locked-out-by-iptables-csf-firewall/

Log in / Register

Forums

Join the community today

Sysadmin I did the "iptables -F" accidentally - aws instance

guicz New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

guicz New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Sysadmin I did the "iptables -F" accidentally - aws instance

guicz New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

guicz New Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

.