What privodyatsya under the assumption of error in the IPTABLES?

Sooner or later everyone is faced with the human factor (in other words, "when a hand not from that place grow")
Assuming error in the config it can be easily fixed by adjusting the config again.
But in the case of iptables it is not so simple, because when copying a config, you can easily lose access (elementary error in the interface name or ip of the server, etc. etc.)

What I'm getting:
There is an option to write a bash script which will allow you to stick to one, then the Triger when the loss of communication with the server.

The logic is this:
Start a bash script with iptables rules
1) immediately after starting at regular intervals to the previous config:
2) apply a new rule chain and runs Triger
3) checked the Triger.
Versions of the Triger until you see the following:
create a file and
if it is removed for 1 minute:
if removed:
to check whether there is a connection to the server on ssh port (but not reliably)
to leave myself a loophole for the ssh port via an optional script and after 5 minutes delete it

What else is there?
March 12th 20 at 07:59
1 answer
March 12th 20 at 08:01
For example, we have deliberately fit rabochikh and eksperimentalnykh questionable health. Then do something like this:

( sleep 5 minutes ; apply rabochikh ) & # asynchronously (via ampersend) to run a resident program (a fork of the shell), which will sleep for 5 minutes and apply a working config
apply eksperimentalnykh

You have five minutes for testing.

But we need to make sure that when otvarivanie terminal resident did not die from SIGHUP. So it is necessary to use the program nohup.

Read docks on ipfw - where the topic is disassembled. Actually, I have a response built on what I remember from there.
Thank you. Ie ideally, the command should look like the following:
nohup $(sleep 300; /home/user/fw-prod.sh) & 

So? - Parker_Man commented on March 12th 20 at 08:04
Well, considering that I don't know which file does what, and I can only guess, apparently, so.
Here are just a dollar there is some kind of superfluous. nohup wants as arguments to the command, not the result of its work.
Perhaps the contents of the braces should be put in a separate script.

In any case, check my hypothesis with physical access to the console. Ie gash in fw-dev.sh something like "deny from any to any" and run - always on the network. Make sure that access to the system on the network - is gone. Sleep time for this experiment, put less. - lupe57 commented on March 12th 20 at 08:07

Find more questions by tags Information securityIptablesbash