iptables flush and ssh

Fun lesson from today: don’t blindly clear/flush your iptables.

If you are remotely managing a system, then make sure you run this:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

before you run this:

sudo iptables -F

It turns out there are people who will write default block (“policy DROP”) style rules (instead of the using a default “policy ACCEPT” and ending with REJECTs/DROPs at the end that match everything). If the default policy is not ACCEPT, then clearing the rules will immediately remove your ssh access to the machine.

The lack of a default “policy REJECT” is one reason you will see more “policy ACCEPT” – because then, at the end, you can choose between REJECT or DROP. If you write your rules “in the other direction”, you loose the flexibility to choose – you must DROP. There are numerous posts on why DROP is not necessarily better than REJECT. (“Attackers don’t really feel any pain with DROP, but your legitimate users sure do”.)

This entry was posted in Software Engineering, Ubuntu. Bookmark the permalink.