Emergency-stop

Written by Ger Apeldoorn. Posted in Sysadmin

When upgrading the Puppet master (or after messing things up), it can be useful to have a quick script that enables the firewall and stops incoming connections.

These are simple scripts that do just that. Note that they assume the normal situation has no firewall rules loaded, which is why the undo step can simply flush everything.

/usr/local/bin/puppetstop:

#!/bin/bash
# This script blocks all connections. Exceptions can be made in /etc/sysconfig/iptables-emergencystop
# Load the emergency rule set, then move it into place as the boot-time rule set so it
# survives a restart of the iptables service. Stop at the first failing command.
set -e
iptables-restore < /etc/sysconfig/iptables-emergencystop
mv /etc/sysconfig/iptables-emergencystop /etc/sysconfig/iptables

/etc/sysconfig/iptables-emergencystop:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [611449:52637218]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s [puppetmaster-IP] -m tcp -j ACCEPT
-A INPUT -p tcp -s [testmachine-ip] -m tcp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

/usr/local/bin/puppetstopundo:

#!/bin/bash
# Undo the emergency stop: flush all rules (the normal situation has none), then move the
# emergency rule set back out of the way so it is not loaded at the next iptables start.
iptables -F
mv /etc/sysconfig/iptables /etc/sysconfig/iptables-emergencystop

/usr/local/bin/puppetenable:

#!/bin/bash
# Allow all TCP traffic from one more source address while the emergency stop is active.
# Without the exit, a missing argument would still run iptables with an empty -s value.
if [ $# -eq 0 ]
  then
    echo "No arguments supplied" >&2
    exit 1
fi
iptables -I INPUT -p tcp -s "$1" -m tcp -j ACCEPT
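As an added example (not code from the original post), the following sh functions generate the iptables-emergencystop file from a list of allowed addresses instead of editing the [puppetmaster-IP] placeholders by hand, check that the SSH rule still precedes the catch-all REJECT so the operator is not locked out, and dry-run the result through iptables-restore -t before writing it to the path puppetstop reads. The function names are this example's own; the file path and rule lines are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the emergency-stop ruleset from a list of
# allowed addresses and refuse to write it if the SSH rule no longer precedes the REJECT.

# Accept only a dotted-quad IPv4 address with four octets in the range 0-255.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
    n=0; old_ifs=$IFS; IFS=.
    for octet in $1; do
        n=$((n + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs; [ "$n" -eq 4 ]
}

# Print the ruleset in iptables-save format: loopback, ICMP, established traffic and
# SSH stay open, plus all TCP from each listed address; counters are written as [0:0].
generate_emergency_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
    for ip in "$@"; do printf '%s\n' "-A INPUT -p tcp -s $ip -m tcp -j ACCEPT"; done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Lock-out guard: read a ruleset from stdin and succeed only if the SSH ACCEPT rule
# comes before the first catch-all "-A INPUT -j REJECT".
ssh_allowed_before_reject() {
    ssh=''; rej=''; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            *'--dport 22 -j ACCEPT'*) ssh=${ssh:-$n} ;;
            '-A INPUT -j REJECT'*)    rej=${rej:-$n} ;;
        esac
    done
    [ -n "$ssh" ] && [ -n "$rej" ] && [ "$ssh" -lt "$rej" ]
}

# Write the checked ruleset where puppetstop reads it; iptables-restore -t parses it without committing.
write_emergency_rules() {
    f=/etc/sysconfig/iptables-emergencystop
    generate_emergency_rules "$@" > "$f.tmp" && ssh_allowed_before_reject < "$f.tmp" &&
        iptables-restore -t < "$f.tmp" && mv "$f.tmp" "$f"
}
```

Run as root with `write_emergency_rules <puppetmaster-IP> <testmachine-IP>` before invoking puppetstop; a rejected address or a ruleset that would block SSH leaves the existing file untouched.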