Join the community today
Register Now

Sysadmin I did the "iptables -F" accidentally - aws instance

Discussion in 'System Administration' started by guicz, Nov 18, 2020.

Tags:
  1. guicz

    guicz New Member

    3
    1
    3
    Nov 18, 2020
    Ratings:
    +1
    Local Time:
    12:34 PM
    1.19
    10.5
    Oh god, I accidentally did the "iptables -F" in the wrong console window and got locked out of the server.

    I know. I know....

    I rebooted it many times, like it was suggested here and had no luck trying to access the server.

    Even tried that "Connect to instance" in AWS panel but it is not working also.

    Tried to make a snapshot of the volume to download it and edit the iptables rules but got no success either.

    Do you guys have any idea of what can I do to get on again? I'm desperate here.

    Any suggestion will be very appreciated.

    Thanks in advance
     
  2. eva2000

    eva2000 Administrator Staff Member

    45,660
    10,359
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,078
    Local Time:
    1:34 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Ouch !!
    Rebooting server should work as CSF Firewall would generate it's config for iptables on reboot. Unless CSF Firewall service isn't starting up on reboot.
    That won't work as CSF Firewall configures iptables on start up on the fly AFAIK so whatever you setup in iptables will be overwritten. Unless of course if you add your own iptable rules into a manually created file at /etc/csf/csfpre.sh and give the file executable permissions 0755 or 0700. CSF Firewall will then load up whatever iptables rules or commands are in /etc/csf/csfpre.sh before it's own configuration.

    @fly uses Amazon EC2 server instances, maybe he knows something specific to EC2's handling of iptables -F
     
  3. eva2000

    eva2000 Administrator Staff Member

    45,660
    10,359
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,078
    Local Time:
    1:34 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Google-fu at work and this might work https://stackoverflow.com/a/56570399/272648 @fly ? But it assumes CSF Firewall is blocking you which may not be the case

    or EC2 user data Working with instance user data - Amazon Elastic Compute Cloud or Running commands on your Linux instance at launch - Amazon Elastic Compute Cloud. Seems only works if you EC2 instance has EBS volume
    I changed the ufw firewall command to CSF Firewall disable command -x
    Code (Text):
    #!/bin/bash
    csf -x
    iptables -L
    iptables -F
    

    or instead of csf -x to disable can try flush or restart with csf -f or csf -ra
    you'd need to run csf -e to enable it again after you get in.

    Never done this before so it's at your own risk
     
  4. guicz

    guicz New Member

    3
    1
    3
    Nov 18, 2020
    Ratings:
    +1
    Local Time:
    12:34 PM
    1.19
    10.5
    Guys, you not going to believe this...

    IT WORKEDDDD!!!11

    I did exactly like mentioned in the reply above.

    And, after recover the instance, don't forget to stop it again and restart.

    Thanks George, you are such a good inspiration for all of us using cmm stack.

    I've never needed any help with cmm (it is appropriate for my level of knowledge. Advanced but simple at the same time.) and I use is in all my servers for a good while now. Then, when I needed support you covered it for me.

    Thank you so much for all this years of making this great community around cmm.
     
  5. eva2000

    eva2000 Administrator Staff Member

    45,660
    10,359
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,078
    Local Time:
    1:34 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Nice glad to hear it worked out for you. Thanks for keeping us updated.

    Has me wondering about respective cloud providers' varying support for cloud-init and user data at launch and how it would help in situations like theses
     
  6. eva2000

    eva2000 Administrator Staff Member

    45,660
    10,359
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,078
    Local Time:
    1:34 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Follow up on that. I tested on Upcloud, Linode, Vultr, Hetzner and DigitalOcean some allow a server reboot to restart CSF Firewall to rebuild iptable rules but some don't. But all do allow you to log in via their respective out of band consoles and you can just do a CSF Firewall restart via csf -ra command and you should be able to regain SSH login access after accidentally running iptables -F. I have an upcoming article writeup with this info too.
     
  7. eva2000

    eva2000 Administrator Staff Member

    45,660
    10,359
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,078
    Local Time:
    1:34 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x