ljwobker
just joined
Topic Author
Posts: 6
Joined: Fri Jul 30, 2021 9:33 pm

Can you make “non-permanent” edits to iptables / firewall rules?

Fri Aug 06, 2021 4:27 am

Is there some way that you can muck about with iptables in a “temporary” way such that if you screw up(*) and do something stupid like lock yourself out of the router, you can fix it by just doing a reboot instead of a full-on factory reset?

Most major network operating systems have something like this (Cisco IOS XR calls it “commit confirm” - that’s the one I’m most familiar with…)

Even if there was some way to do this with a script, it would still be really useful. Something like a shell command that says:

“Hey, you, router! Launch this process here in the background, and if I don’t come back within the next [some amount of time] and kill you, I want you to replace whatever I’ve done with the iptables rules with this file, which is a known-good-enough config”.

I have to think that if RouterOS is really just a Linux OS that this would not be terribly difficult, but I don’t know enough about iptables or where/how RouterOS stores this state to be able to make much progress on this myself… But it does seem like it would be useful. :-)


* note- everyone screws up.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can you make “non-permanent” edits to iptables / firewall rules?

Fri Aug 06, 2021 11:05 am

Make yourself familiar with "safe mode".
When you enable it, it will keep an undo buffer for everything you do.
When you lock yourself out, it will undo those changes from the moment you enabled safe mode.
Only when you disable safe mode yourself, the changes will be committed.

It is documented here for commandline: https://wiki.mikrotik.com/wiki/Manual:Console#Safe_Mode
But it also exists in winbox and webfig, as a button.

Note that this isn't always a solution: when you make a change that will temporarily remove your access but will later re-establish it, e.g. a change that takes down and re-establishes a VPN, you cannot use this because it will always roll back your changes. But for firewall changes it usually is OK.

Do not keep it enabled longer than you really need. It is easy to forget that it is on, and lose all your work.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can you make “non-permanent” edits to iptables / firewall rules?

Fri Aug 06, 2021 11:16 am

As @pe1chl says, use safe mode, but...

Back up the current configuration, and schedule an automatic reload of that backup after 10, 15 or 20 minutes (your choice).

If you shut yourself out for some reason, everything returns as before after the time you have chosen.
This also allows you to work with VPNs and more, because when you lose your connection, it doesn't reset right away, leaving you time to reconnect to the machine and continue working.
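The backup-plus-timed-reload pattern described above, written out as RouterOS console commands. This is an added example, not code from the thread or from MikroTik; the backup name `pre-change`, the scheduler name `rollback-guard`, the 15 minute window and the sample firewall rule are assumptions, as is the assumption that `/system backup load` runs unattended when started from a scheduler on your RouterOS version (try it on a non-production router first).

```routeros
# Added example (not from the thread): a "commit confirm" style guard for RouterOS.
# Assumed names: backup "pre-change", scheduler entry "rollback-guard", 15 minute window.

# 1. Snapshot the known-good configuration before touching the firewall.
#    dont-encrypt=yes keeps the file loadable without a password prompt.
/system backup save name=pre-change dont-encrypt=yes

# 2. Arm the guard: 15 minutes from now, restore the snapshot (which reboots the router).
#    The scheduler entry removes itself first, so the restore can only ever fire once.
#    Assumption: the first run happens one interval after the entry is added.
/system scheduler add name=rollback-guard interval=15m on-event="/system scheduler remove [find name=rollback-guard]; /system backup load name=pre-change"

# 3. Make the firewall changes you actually wanted (sample rule, assumed for illustration).
/ip firewall filter add chain=input action=accept connection-state=established,related comment="guarded change"

# 4. Still logged in and happy with the result? Disarm the guard before the window expires.
#    If you were locked out instead, do nothing: step 2 rolls the router back on its own.
/system scheduler remove [find name=rollback-guard]
```

Check with `/system scheduler print` that the entry is gone after step 4; if you forget, the router reboots into the old configuration, which is the whole point of the guard but also exactly the surprise @pe1chl warns about with a forgotten safe mode.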
