A safer way to apply a new iptables ruleset

You probably know the feeling, that cold and hot rush of adrenaline after you've typed iptables-restore < new-ruleset and didn't get to see the shell prompt again: you've just locked yourself out of a machine that's potentially far away, and you feel like vandalism, or screaming at the top of your lungs, or whatever.

In my series "scripts to the rescue" (uh, which doesn't exist as a series actually), here's a new one: iptables-apply (and docbook manpage), which will make things easier for you.

It applies the new ruleset and then prompts whether you like it. If you've locked yourself out, you cannot answer the prompt, and if you don't answer, the script rolls back the ruleset. Nice and simple. And it surely beats my previous approach, which was:

echo 'iptables-restore < /etc/network/iptables' | at now + 2 min   # schedule a rollback to the old ruleset in two minutes
iptables-restore < /etc/network/iptables.new                       # load the new ruleset
atrm ...                                                           # still reachable? cancel the scheduled rollback job
mv /etc/network/iptables{.new,}                                    # make the new ruleset the permanent one
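The apply-then-prompt-then-roll-back flow described above, written out as an added example (this is not the iptables-apply script from the post, nor the at-based recipe). It snapshots the live rules with iptables-save, loads the new file with iptables-restore, waits a bounded time for a "y", and restores the snapshot otherwise. The command names and the timeout are taken from the SAVE_CMD, RESTORE_CMD and TIMEOUT variables (assumed, so the logic can be exercised without root); the confirmation function passed as the second argument is likewise an assumption of this example. It uses bash's read -t; under a shell without -t the read simply fails, which counts as "no answer" and still rolls back.

```shell
#!/bin/bash
# Added example of the iptables-apply idea: load a ruleset, then roll it back
# unless someone confirms in time. Not the script from the post.
# SAVE_CMD / RESTORE_CMD / TIMEOUT are assumed knobs, overridable for testing.

SAVE_CMD="${SAVE_CMD:-iptables-save}"
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}"
TIMEOUT="${TIMEOUT:-10}"

# Save the currently loaded ruleset to a temp file and print its path,
# so that there is something to roll back to.
snapshot_rules() {
    snap=$(mktemp) || return 1
    if ! $SAVE_CMD > "$snap"; then
        rm -f "$snap"
        return 1
    fi
    printf '%s\n' "$snap"
}

# Ask whether the machine is still reachable. Succeeds only if "y" arrives
# within $1 seconds; a lockout means no answer, so the default is rollback.
# (read -t is a bashism; if it is unsupported the read fails, which is also
# treated as "no answer".)
confirm_within() {
    answer=""
    printf 'Can you still reach this machine? Keep the new rules? [y/N] (%ss) ' "$1"
    read -r -t "$1" answer || answer=""
    case "$answer" in
        y|Y|yes|YES) return 0 ;;
        *)           return 1 ;;
    esac
}

# Apply ruleset file $1, then keep it only if the confirmation function $2
# (default: confirm_within) succeeds. Returns 0 if the new rules were kept,
# 1 if they were rolled back, 2 if they could not even be loaded.
apply_with_rollback() {
    newrules="$1"
    confirm="${2:-confirm_within}"

    snap=$(snapshot_rules) || return 2
    if ! $RESTORE_CMD < "$newrules"; then
        echo "new ruleset rejected by $RESTORE_CMD; restoring snapshot" >&2
        $RESTORE_CMD < "$snap"
        rm -f "$snap"
        return 2
    fi
    if "$confirm" "$TIMEOUT"; then
        rm -f "$snap"
        return 0
    fi
    echo "no confirmation within ${TIMEOUT}s; rolling back" >&2
    $RESTORE_CMD < "$snap"
    rm -f "$snap"
    return 1
}

# Stand-alone use (as root): ./iptables-apply-example.sh /etc/network/iptables.new
if [ "$#" -gt 0 ]; then
    apply_with_rollback "$1"
fi
```

The snapshot is taken before anything is touched, and the rollback path is also used when iptables-restore rejects the file, so an unparsable ruleset cannot leave the firewall half-loaded. Keep the timeout short enough that a lockout is corrected before anyone notices, but long enough to actually test connectivity from another terminal.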

Now I hope the iptables maintainer feels inclined to put the script in with the package (see #370292).