If you use local firewall rules and tcp wrappers on a remote host where you might get locked out, with no easy way to get logged in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs to undo whatever you stuffed up.
I scheduled two recurring jobs that run every 10 minutes. That gives you 10-minute windows of configuring and testing before the security settings reset.
Set two cron jobs:
```
[root@kanyakonil root]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush
```
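As an added example (not part of the original post), here is a cancel-able version of the same safety net. Rather than blindly flushing every 10 minutes, it snapshots the hosts.deny and the ruleset you know you can log in with, and the scheduled job restores that snapshot unless you confirmed the change from a fresh, successful login. The file paths, the confirm-flag path, the subcommand names and the use of iptables-save/iptables-restore are my assumptions, not anything the post specifies; the commands and paths are variables so the logic can be exercised on scratch files without root.

```shell
#!/bin/sh
# Added example, not from the original post: a cancel-able lockout guard.
# 1. "arm"     snapshots the current hosts.deny and ruleset (known-good state).
# 2. "install" adds a crontab entry that runs "revert" every 10 minutes.
# 3. make the change, open a NEW ssh session, and run "confirm" from it.
# Until "confirm" is run, every "revert" puts the known-good state back.
# All paths and commands below are assumed defaults, overridable via env.

HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"
GOOD_HOSTS_DENY="${GOOD_HOSTS_DENY:-/root/hosts.deny.good}"
GOOD_RULES="${GOOD_RULES:-/root/iptables.good}"
CONFIRM_FLAG="${CONFIRM_FLAG:-/root/firewall-change.confirmed}"
SAVE_CMD="${SAVE_CMD:-iptables-save}"        # writes the ruleset to stdout
RESTORE_CMD="${RESTORE_CMD:-iptables-restore}" # reads a ruleset from stdin

# Snapshot the state you can currently log in with; clears any old confirmation.
save_good_state() {
    cp "$HOSTS_DENY" "$GOOD_HOSTS_DENY" || return 1
    $SAVE_CMD > "$GOOD_RULES" || return 1
    rm -f "$CONFIRM_FLAG"
}

# Run by cron. Returns 0 when it reverted, 1 when the change was confirmed
# (nothing touched), 2 when the snapshot is missing or a restore step failed.
revert_unless_confirmed() {
    if [ -f "$CONFIRM_FLAG" ]; then
        return 1
    fi
    [ -f "$GOOD_HOSTS_DENY" ] && [ -f "$GOOD_RULES" ] || return 2
    cp "$GOOD_HOSTS_DENY" "$HOSTS_DENY" || return 2
    $RESTORE_CMD < "$GOOD_RULES" || return 2
    return 0
}

# Run this only from a fresh session that succeeded under the new rules.
confirm_change() {
    : > "$CONFIRM_FLAG"
}

# Append the guard to root's crontab (idempotent; same schedule as the post).
install_cron_guard() {
    script="$1"
    ( crontab -l 2>/dev/null | grep -vF "$script revert"
      echo "*/10 * * * * $script revert" ) | crontab -
}

case "${1:-}" in
    arm)     save_good_state ;;
    confirm) confirm_change ;;
    revert)  revert_unless_confirmed ;;
    install) install_cron_guard "$(readlink -f "$0")" ;;
esac
```

The post's `iptables --flush` works as a safety net only because the `iptables --list` output on this page shows `Chain INPUT (policy ACCEPT)`; with a DROP policy on INPUT, a flush would close every port, including ssh, which is why this version restores a saved ruleset instead of flushing. The confirm flag stays in place until the next `arm`, so the cron entry can be left installed between changes.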
Tcp wrappers:
I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.
It looked good after cron ran.
```
# cat /etc/hosts.deny
#...
#ALL: ALL
```
Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing the /etc/hosts.allow rules.
```
# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx
```
Test from a non-allowed host and from an allowed host.
```
Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
```
Now let's tune the firewall rules.
List rules:
```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
The rules are saved in this file:
```
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
Delete unneeded rules:
```
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
```
Check (and test using something like nmap):
```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
```
kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT
Interesting ports on 192.168.1.3:
Not shown: 1693 filtered ports
PORT    STATE  SERVICE     VERSION
80/tcp  open   http        Apache httpd 2.2.0 ((Linux/SUSE))
113/tcp closed auth
139/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
445/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
MAC Address: 00:0D:88:B3:72:F3 (D-Link)
Device type: general purpose|WAP|specialized|storage-misc|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 - 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 - 2.6.17 (92%), Linux 2.6.17 - 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 - 2.6.12 (x86) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds
```
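Before running `service iptables save`, it is worth checking mechanically, not just by eye, that the ruleset exposes only the ports you intended. The following is an added example, not code from the original post: it parses a file in iptables-save format (the sample embedded in it is a constructed copy of the ruleset this page shows after the deletions), lists the TCP ports the INPUT chain accepts for NEW connections, reports the INPUT policy, and flags any accepted port outside an intended list given on the command line. The function names, the report format and the sample file path are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save file
# before committing it. Usage: ./audit.sh /etc/sysconfig/iptables "22 80 443"

# Constructed sample: the ruleset shown on this page after the unneeded
# rules were deleted (copied here so the functions can run offline).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Write the sample to a temp file and print its path.
sample_rules_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$f"
    echo "$f"
}

# Policy of the INPUT chain (":INPUT ACCEPT [0:0]" -> ACCEPT).
# A flush only re-opens the host when this is ACCEPT.
input_policy() {
    awk '/^:INPUT /{print $2}' "$1"
}

# TCP ports the INPUT chain ACCEPTs for NEW connections, sorted numerically,
# space separated. Rules without --dport (lo, icmp, RELATED) are ignored.
accepted_new_tcp_ports() {
    awk '
      /^-A INPUT / && /-j ACCEPT/ {
        new = 0; port = ""
        for (i = 1; i <= NF; i++) {
          if ($i == "--state" && $(i+1) ~ /(^|,)NEW(,|$)/) new = 1
          if ($i == "--dport") port = $(i+1)
        }
        if (new && port != "") print port
      }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Accepted ports that are not in the intended list ($2, space separated).
unexpected_ports() {
    for p in $(accepted_new_tcp_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;
            *) printf '%s ' "$p" ;;
        esac
    done | sed 's/ $//'
}

# Print a short report; return 1 if any unintended port is open.
audit_report() {
    rules="$1"; intended="$2"
    printf 'INPUT policy: %s\n' "$(input_policy "$rules")"
    printf 'NEW tcp ports accepted: %s\n' "$(accepted_new_tcp_ports "$rules")"
    extra=$(unexpected_ports "$rules" "$intended")
    if [ -n "$extra" ]; then
        printf 'NOT in intended list: %s\n' "$extra"
        return 1
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    audit_report "$1" "${2:-}"
fi
```

Run it against a freshly taken `iptables-save` output rather than the file on disk, so you audit the running rules you are about to save; a non-zero exit is a cue to delete the extra rule before `service iptables save`. The nmap scan on this page checks the same thing from the outside and catches what the file cannot show, such as a service that is reachable because a rule matches more than intended.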
Save the rules:
```
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
```
Check stored rules:
```
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012
```
Check running rules:
```
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
