You’ve accidentally run iptables -F on your server, locked yourself out and cannot log in via SSH again. So how do you regain SSH access? The Centmin Mod LEMP stack uses CSF Firewall, which is a wrapper around the CentOS system’s underlying IPTables. If you run iptables -F you can lock yourself out of the server: the command flushes all the IPTables rules that CSF Firewall sets up at startup, but it does not reset the chain policies that CSF set to DROP, so with no ACCEPT rules left every packet is dropped, including the packets of the SSH session you ran the command from. This guide outlines ways you can regain SSH access, using example VPS providers: Upcloud, DigitalOcean, Vultr, Linode, Hetzner and Amazon AWS EC2 instance servers.
Affiliate referral links are used where appropriate. So if you like this guide, please consider signing up via the links.
- Background
- What Happens When You Flush IPTables?
- How To Regain Lost SSH Access After IPTables Flushing?
Background
Centmin Mod’s MOTD banner, displayed on initial SSH login, even warns against running iptables -F, as the excerpt below shows:

===============================================================================
# ! This server maybe running CSF Firewall !
# DO NOT run the below command or you will lock yourself out of the server:
#
# iptables -F

The full MOTD banner displayed to the user on initial SSH login looks like this:

===============================================================================
 - Hostname......: hostname.domain.com on CentOS Linux 7.9.2009
 - Users.........: Currently 2 user(s) logged on (includes: root)
===============================================================================
 - CPU usage.....: 0.25, 0.14, 0.12 (1, 5, 15 min)
 - Processes.....: 105 running
 - System uptime.: 274 days 14 hours 17 minutes 33 seconds
===============================================================================
              total        used        free      shared  buff/cache   available
Mem:            990         347         115         126         528         271
Swap:          1023          70         953
===============================================================================
Filesystem     Type      Size  Used Avail Use% Mounted on
devtmpfs       devtmpfs  486M     0  486M   0% /dev
tmpfs          tmpfs     496M     0  496M   0% /dev/shm
tmpfs          tmpfs     496M   51M  446M  11% /run
tmpfs          tmpfs     496M     0  496M   0% /sys/fs/cgroup
/dev/vda1      xfs        25G   12G   14G  46% /
/dev/loop0     ext4      5.8G   25M  5.5G   1% /tmp
tmpfs          tmpfs     100M     0  100M   0% /run/user/0
tmpfs          tmpfs     100M     0  100M   0% /run/user/993
===============================================================================
# ! This server maybe running CSF Firewall !
# DO NOT run the below command or you will lock yourself out of the server:
#
# iptables -F
===============================================================================
 * Getting Started Guide - https://centminmod.com/getstarted.html
 * Centmin Mod FAQ - https://centminmod.com/faq.html
 * Centmin Mod Config Files - https://centminmod.com/configfiles.html
 * Change Log - https://centminmod.com/changelog.html
 * Community Forums https://community.centminmod.com [ << Register ]
===============================================================================
===============================================================================
Centmin Mod local code is up to date at /usr/local/src/centminmod
no available updates at this time...
===============================================================================
What Happens When You Flush IPTables?
When you run iptables -F, you flush and remove all the IPTables rules that CSF Firewall configured. You can view the configured IPTables rules with either of these two commands:
iptables -L -v -n
csf -l
When CSF Firewall and IPTables are running properly, you’ll see IPTables rules similar to the following:

iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp spt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp spt:53
    5   508 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp spt:53
  126 49300 LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   47 16513 INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0
    0     0            tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: SET name: 21 side: source mask: 255.255.255.255
    0     0 PORTFLOOD  tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: UPDATE seconds: 300 hit_count: 20 name: 21 side: source mask: 255.255.255.255
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
    0     0 LOGDROPIN  icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0
   38 16136 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
    1    60 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    1    40 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:161
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1186
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:81
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
    0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:30001:50011
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:80
    0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:443
    4   164 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp spt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp dpt:53
    5   293 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp spt:53
  114 15489 LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   38  4583 INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0
   31  3390 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2525
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:113
    2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
    0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:113
    3   228 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:123
    0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0

Chain ALLOWDYNIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN src

Chain ALLOWDYNOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN dst

Chain ALLOWIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
   82 32900 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src

Chain ALLOWOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   78 11751 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW dst

Chain DENYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src

Chain DENYOUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOGDROPOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY dst

Chain INVALID (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
    0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOCALINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  126 49300 ALLOWDYNIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
  126 49300 ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
   44 16400 DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain LOCALOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  114 15489 ALLOWDYNOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
  114 15489 ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
   36  3738 DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    3   228 UDPFLOOD   udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0

Chain LOGDROPIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
    4   164 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
    4   164 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain PORTFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *Port Flood* "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain UDPFLOOD (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   228 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0
    0     0 RETURN     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 500
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDPFLOOD* "
    0     0 REJECT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
The csf -l output looks similar when the firewall is operating normally; it adds a rule number column and also lists the mangle, raw and nat tables:

csf -l
iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp dpt:53
2        0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp dpt:53
3        0     0 ACCEPT     tcp  --  !lo    *       94.237.40.9          0.0.0.0/0            tcp spt:53
4        0     0 ACCEPT     udp  --  !lo    *       94.237.40.9          0.0.0.0/0            udp spt:53
5        0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp dpt:53
6        0     0 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp dpt:53
7        0     0 ACCEPT     tcp  --  !lo    *       94.237.127.9         0.0.0.0/0            tcp spt:53
8        5   508 ACCEPT     udp  --  !lo    *       94.237.127.9         0.0.0.0/0            udp spt:53
9       95 47562 LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
11      47 16566 INVALID    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0
12       0     0            tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: SET name: 21 side: source mask: 255.255.255.255
13       0     0 PORTFLOOD  tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW recent: UPDATE seconds: 300 hit_count: 20 name: 21 side: source mask: 255.255.255.255
14       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
15       0     0 LOGDROPIN  icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8
16       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0
17      40 16250 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
18       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
19       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
20       2   120 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
21       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
22       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
23       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
24       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
25       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
26       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:161
27       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
28       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
29       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
30       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
31       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
32       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
33       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1186
34       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
35       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:81
36       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
37       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpts:30001:50011
38       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
39       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
40       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
41       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
42       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
43       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
44       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
45       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:80
46       0     0 ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:443
47       6   272 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp dpt:53
2        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp dpt:53
3        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.40.9          tcp spt:53
4        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.40.9          udp spt:53
5        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp dpt:53
6        5   293 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp dpt:53
7        0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            94.237.127.9         tcp spt:53
8        0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            94.237.127.9         udp spt:53
9       91 11854 LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
10       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp dpt:53
11       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp dpt:53
12       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            tcp spt:53
13       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            udp spt:53
14       0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
15      38  4591 INVALID    tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0
16       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0
17      36  4471 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
18       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:8080
19       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:2525
20       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:465
21       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1110
22       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:1194
23       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:9418
24       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:20
25       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
26       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
27       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25
28       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:53
29       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
30       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:110
31       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:113
32       2   120 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:443
33       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:587
34       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:993
35       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:995
36       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:67
37       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:68
38       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1110
39       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpts:33434:33534
40       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:20
41       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:21
42       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:53
43       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:113
44       1    76 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:123
45       0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0

Chain ALLOWDYNIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN src

Chain ALLOWDYNOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOWDYN dst

Chain ALLOWIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       47 30920 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW src

Chain ALLOWOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       52  7187 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_ALLOW dst

Chain DENYIN (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY src

Chain DENYOUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOGDROPOUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set chain_DENY dst

Chain INVALID (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 INVDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
2        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
3        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
4        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
5        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
6        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x05/0x05
7        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
8        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x18/0x08
9        0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x30/0x20
10       0     0 INVDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW

Chain INVDROP (10 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOCALINPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       95 47562 ALLOWDYNIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
2       95 47562 ALLOWIN    all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
3       48 16642 DENYIN     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain LOCALOUTPUT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       91 11854 ALLOWDYNOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
2       91 11854 ALLOWOUT   all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
3       39  4667 DENYOUT    all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
4        1    76 UDPFLOOD   udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0

Chain LOGDROPIN (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
2        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:23
3        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
4        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
5        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:68
6        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
8        0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:113
9        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:135:139
10       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:135:139
11       3   152 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
12       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:445
13       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:500
14       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
15       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:513
16       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:513
17       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:520
18       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:520
19       3   120 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
20       0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
21       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
22       3   120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGDROPOUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
2        0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain PORTFLOOD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *Port Flood* "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain UDPFLOOD (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        1    76 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0
2        0     0 RETURN     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 500
3        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDPFLOOD* "
4        0     0 REJECT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

iptables mangle table
=====================
Chain PREROUTING (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination

iptables raw table
==================
Chain PREROUTING (policy ACCEPT 100 packets, 48070 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 96 packets, 12147 bytes)
num   pkts bytes target     prot opt in     out     source               destination

iptables nat table
==================
Chain PREROUTING (policy ACCEPT 9 packets, 444 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 3 packets, 172 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10 packets, 629 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 629 bytes)
num   pkts bytes target     prot opt in     out     source               destination
However, after you run iptables -F and flush all the IPTables rules, every chain is empty. Note what does not change: the INPUT, FORWARD and OUTPUT policies are still DROP, because CSF sets them at startup and iptables -F only removes rules, never chain policies. With no ACCEPT rules left (not even the RELATED,ESTABLISHED one), the kernel drops all traffic, including the packets of the SSH session you ran the command from. The packet counters on the policy lines below (12 packets dropped by INPUT, 8 by OUTPUT) are that traffic being discarded:

iptables -L -v -n
Chain INPUT (policy DROP 12 packets, 732 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 8 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain ALLOWDYNIN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ALLOWDYNOUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ALLOWIN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ALLOWOUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DENYIN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DENYOUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INVALID (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INVDROP (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALINPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALOUTPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROPIN (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOGDROPOUT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PORTFLOOD (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain UDPFLOOD (0 references)
 pkts bytes target     prot opt in     out     source               destination
The csf -l output after the flush shows the same empty filter chains. The mangle, raw and nat tables are unaffected, since iptables -F without a -t option only flushes the filter table:

csf -l
iptables filter table
=====================
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain ALLOWDYNIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ALLOWDYNOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ALLOWIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain ALLOWOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DENYIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain DENYOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain INVALID (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain INVDROP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOCALINPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOCALOUTPUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOGDROPIN (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain LOGDROPOUT (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PORTFLOOD (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain UDPFLOOD (0 references)
num   pkts bytes target     prot opt in     out     source               destination

iptables mangle table
=====================
Chain PREROUTING (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 136 packets, 15792 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 129 packets, 15228 bytes)
num   pkts bytes target     prot opt in     out     source               destination

iptables raw table
==================
Chain PREROUTING (policy ACCEPT 166 packets, 52300 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 136 packets, 15792 bytes)
num   pkts bytes target     prot opt in     out     source               destination

iptables nat table
==================
Chain PREROUTING (policy ACCEPT 25 packets, 1701 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 5 packets, 280 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 781 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 12 packets, 781 bytes)
num   pkts bytes target     prot opt in     out     source               destination
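The state in those two listings (empty filter chains under a DROP policy) can be checked mechanically, which matters because once your own session has been cut you cannot run anything interactively over SSH. The script below is an added example, not Centmin Mod or CSF code. is_locked_out parses iptables -L -v -n (or csf -l) output and exits 0 when INPUT or OUTPUT has policy DROP and no rules; csf_recover is the page's own csf -ra command for the out-of-band console; csf_recover_minimal is a narrower fallback for when csf itself will not start, re-opening only SSH from one admin IP plus return traffic while keeping the DROP policies in place; csf_watchdog is an optional cron job that restarts csf when the lock-out state is detected. The admin IP, port 22 and the cron path are assumptions, and the two samples are constructed from the outputs shown above.

```shell
#!/bin/sh
# Added example, not part of Centmin Mod or CSF. Detects the state shown above:
# CSF's filter chains have been flushed but the DROP policies CSF set remain.
# Reads `iptables -L -v -n` (or `csf -l`) output on stdin.
# Exit 0 = locked-out state, exit 1 = rules present or policy already ACCEPT.
is_locked_out() {
  awk '
    # "Chain INPUT (policy DROP 12 packets, 732 bytes)" -> $2 = INPUT, $4 = DROP
    /^Chain (INPUT|OUTPUT) / { chain = $2; policy[chain] = $4; rules[chain] = 0; next }
    /^Chain /                { chain = "" }              # user-defined chain: not counted
    chain != "" && $1 ~ /^[0-9]+$/ { rules[chain]++ }    # rule lines start with pkts (or num)
    END {
      locked = 0
      for (c in policy) if (policy[c] == "DROP" && rules[c] == 0) locked = 1
      exit !locked
    }'
}

# What the page recommends typing in the provider's console (needs root; not run here):
# csf -ra rebuilds CSF's rules and restarts lfd.
csf_recover() {
  csf -ra
}

# Fallback when csf itself will not start: re-open only SSH from one admin IP plus the
# return traffic of existing connections. The DROP policies stay, so the server is not
# left wide open while csf is repaired. The IP and port 22 are assumptions.
csf_recover_minimal() {
  admin_ip=${1:-203.0.113.10}
  iptables -I INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -I INPUT  -p tcp -s "$admin_ip" --dport 22 -m state --state NEW -j ACCEPT
}

# Optional self-healing cron job (assumption: you want cron to restart csf for you),
# e.g.  * * * * * /usr/local/sbin/csf-watchdog.sh   (path is an assumption)
csf_watchdog() {
  if iptables -L -v -n | is_locked_out; then
    logger -t csf-watchdog "filter chains empty with DROP policy, restarting csf"
    csf -ra
  fi
}

# Constructed samples, trimmed from the listings above, for offline checking.
FLUSHED_SAMPLE='Chain INPUT (policy DROP 12 packets, 732 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 8 packets, 608 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALINPUT (0 references)
 pkts bytes target     prot opt in     out     source               destination'

HEALTHY_SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  126 49300 LOCALINPUT  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0
   38 16136 ACCEPT     all  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    60 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    4   164 LOGDROPIN  all  --  !lo    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  114 15489 LOCALOUTPUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
    0     0 LOGDROPOUT  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0'

# Self-check against the constructed samples only; nothing here touches a live firewall.
check_samples() {
  printf '%s\n' "$FLUSHED_SAMPLE" | is_locked_out || return 1
  printf '%s\n' "$HEALTHY_SAMPLE" | is_locked_out && return 1
  return 0
}
```

Run check_samples to confirm the detector on the embedded samples; on a real box, `iptables -L -v -n | is_locked_out && echo LOCKED` is the same test against the live filter table. The detector deliberately ignores user-defined chains such as LOCALINPUT: after a flush they still exist (with 0 references) but carry no policy, so only the built-in chains decide the verdict.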
How To Regain Lost SSH Access After IPTables Flushing?
The solution varies between web host providers’ setups and may not always work. Below I’ll outline a few examples specific to some Cloud VPS providers I frequently use.
- The simplest method to try is rebooting the server via a hard power cycle after accidentally running the
iptables -F
command, as CSF Firewall’s IPTables rules are usually configured and loaded on CSF service startup. This is also why manually adding IPTables rules via the iptables command won’t survive a reboot: CSF Firewall’s rules will override them, unless you place such rules in a manually created /etc/csf/csfpre.sh file with executable permissions, which allows those IPTables rules to persist and load alongside CSF Firewall’s rules.
- If a server reboot or power cycle doesn’t work, you may need to start the server with CSF Firewall temporarily disabled and then, once you regain SSH access, re-enable/restart CSF Firewall, or run the CSF Firewall restart command
csf -ra
within the web provider’s out of band console. How you go about this depends on your web host provider’s support for out of band/KVM/VNC console access and for cloud-init and user data custom configuration at the initial server startup phase. Note that most providers’ console/KVM console access prompts for the server’s root user password and doesn’t support SSH keys, so ensure your VPS isn’t configured for SSH keys only with password authentication disabled for SSH logins. Also, console access usually doesn’t support copy and paste, so you’d need to type in the root user password manually.
Out Of Band Console Access
What is Out Of Band console access? It’s generally a secondary way to access your server, directly and/or remotely, that bypasses the primary network. Direct access would be like physically connecting a monitor and keyboard to your server, while remote console access would be similar to the SSH client access you are accustomed to. If you have lost your SSH keys for SSH key authentication, or have accidentally locked or blocked your own access to a server via misconfigured firewall rules, you should be able to get SSH access again via an Out Of Band console.
Upcloud
It seems an Upcloud server reboot won’t fix the issue of accidentally flushing IPTables: after the reboot the IPTables rules still appear to be flushed/removed, blocking SSH login access. Upcloud VPS provider has both out of band console access and VNC console access, either of which seems to be able to fix the issue. You can log into your server using the console access with the root password that is automatically generated by Upcloud at server creation time. Then you have a few choices, any one of which seems to fix the issue and allow you to regain SSH login access to your server.
- Temporarily disable CSF Firewall via the
csf -x
command, then try logging into your server via SSH, then re-enable CSF Firewall via the
csf -e
command, OR
- Try restarting the CSF Firewall service via the
csf -ra
command, which will re-populate IPTables with CSF Firewall’s configured IPTables rules and thus allow you to regain SSH login access.
- To prevent future lock outs, another way is to edit Centmin Mod’s configured /etc/rc.local file and add the
csf -ra
command to restart the CSF Firewall service on startup. This will allow a server reboot to restart the CSF Firewall service and re-populate your IPTables rules if you did accidentally run the
iptables -F
command and flushed all your IPTables rules.
DigitalOcean
DigitalOcean allows you to power cycle your droplet KVM server to restart it. This seems to allow you to regain lost SSH access after you run the
iptables -F
command, as the power cycle forces CSF Firewall to restart and rebuild the IPTables rules again.
However, if a power cycle doesn’t work, DigitalOcean VPS provider has out of band recovery console access. You can log into your server using the console access, which requires a root password. If you created your DigitalOcean VPS server with an SSH key only, you will first need to use the DigitalOcean Access tab to reset your root password and create one; it will be sent to the email address registered with your DigitalOcean account. Resetting the root password will automatically shut down your droplet server and restart it with your updated root password.
Once the droplet server is rebooted, the first SSH login will prompt you to change the root user SSH password that was provided via email.
In the recovery console access window, you may not see the root user login prompt until you hit enter on the blank black screen. Log in with the root username and the root password, either the one set via the reset password feature or the one you chose at the forced SSH password change.
Then you have 2 choices:
- Within the console access, temporarily disable CSF Firewall via the
csf -x
command, then try logging into your server via SSH, then re-enable CSF Firewall via the
csf -e
command, OR
- Within the console access, try restarting the CSF Firewall service via the
csf -ra
command, which will re-populate IPTables with CSF Firewall’s configured IPTables rules and thus allow you to regain SSH login access.
Vultr
A Vultr server restart from the Vultr dashboard’s top right corner does allow you to regain SSH access after running the
iptables -F
command.
However, if restarting the server doesn’t work, Vultr VPS provider has out of band console access via the ‘View Console’ icon at the top right of your Vultr server’s dashboard. You can log into your server using the console access with the root password provided.
Then you have 2 choices:
- Within the console access, temporarily disable CSF Firewall via the
csf -x
command, then try logging into your server via SSH, then re-enable CSF Firewall via the
csf -e
command, OR
- Within the console access, try restarting the CSF Firewall service via the
csf -ra
command, which will re-populate IPTables with CSF Firewall’s configured IPTables rules and thus allow you to regain SSH login access.
Linode
A Linode server reboot from the dashboard’s top right drop-down menu does not fix lost SSH access after running the
iptables -F
command. So you’ll need to use console access via Weblish.
Linode VPS provider has out of band console access in the form of Lish, Glish or Weblish, reached via the Launch Console link at the top right of the Linode server dashboard. Documentation here.
You can log into your server using the console access. In the Weblish console window, you may not see the root user login prompt until you hit enter on the blank black screen.
Then you have 2 choices:
- Within the console access, temporarily disable CSF Firewall via the
csf -x
command, then try logging into your server via SSH, then re-enable CSF Firewall via the
csf -e
command, OR
- Within the console access, try restarting the CSF Firewall service via the
csf -ra
command, which will re-populate IPTables with CSF Firewall’s configured IPTables rules and thus allow you to regain SSH login access.
Hetzner
Hetzner allows you to power cycle your server to restart it. This seems to allow you to regain lost SSH access after you run the
iptables -F
command, as the power cycle forces CSF Firewall to restart and rebuild the IPTables rules again.
However, if that doesn’t work, Hetzner VPS provider has out of band console access. If you created your Hetzner VPS server with an SSH key, a root user password isn’t created for you, and a root user password is needed to log in via console access. So ideally you would have set up a root user password once your newly created server was online. Unfortunately, if you created the server with an SSH key and disabled password authentication, you would not be able to log into the console with a root user password.
You can log into your server using the console access via the icon at the top right of the server dashboard.
Then you have 2 choices:
- Within the console access, temporarily disable CSF Firewall via the
csf -x
command, then try logging into your server via SSH, then re-enable CSF Firewall via the
csf -e
command, OR
- Within the console access, try restarting the CSF Firewall service via the
csf -ra
command, which will re-populate IPTables with CSF Firewall’s configured IPTables rules and thus allow you to regain SSH login access.
Amazon AWS EC2 Server
Amazon AWS EC2 supports cloud-init and user data instance modification. So you can stop your EC2 instance, modify the user data and specify commands to run in the Amazon AWS EC2 instance’s startup routine, as outlined here, using a MIME multi-part file. The command you want to specify is the CSF Firewall service restart command
csf -ra
To modify instance user data:
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Instances.
- Select the instance and choose Instance state, Stop instance. If this option is disabled, either the instance is already stopped or its root device is an instance store volume.
- When prompted for confirmation, choose Stop. It can take a few minutes for the instance to stop.
- With the instance still selected, choose Actions, Instance settings, Edit user data.
- Modify the user data as needed using the MIME multi-part file lines below, and then choose Save.
- Restart the instance.
Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
csf -ra
--//
You can then either power down the EC2 instance again, edit the user data to remove the MIME multi-part lines, and power the server back up. Or you could leave them in place so that every time you power cycle your EC2 instance, CSF Firewall is restarted.
Example edit instance User data page
If you use Amazon AWS EC2 spot instances, they cannot be powered down as their state isn’t persistent. This means that to regain lost SSH access, you need to use Amazon AWS Backup to back up your spot EC2 instance, then choose to restore that backup to a new EC2 instance and, in the Advanced settings section of the Backup restore page, edit User data with the above MIME multi-part file lines to restart CSF Firewall.
Once you regain SSH access to your Centmin Mod LEMP stack server, make sure CSF Firewall and Login Failure Daemon (lfd) services are enabled and running by using these commands below:
csf -e
csf -ra
service csf status
service lfd status
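An added example, not part of this guide and not CSF’s or Centmin Mod’s own tooling, that serves both the rc.local prevention step above and the post-recovery check here: it recognises the flushed state shown in the csf -l output (INPUT policy still DROP but no rules left), confirms an ACCEPT rule for the SSH port exists, and otherwise runs the csf -ra repair the guide uses. The function names and the sample iptables -S dumps are constructed assumptions.

```shell
#!/bin/bash
# Added example, not CSF's or Centmin Mod's own code. Works from `iptables -S`
# output passed as a string so the checks can be exercised offline; on a live
# host the dump comes from "$(iptables -S)".

# 0 when the dump ($1) shows INPUT with policy DROP and not a single -A INPUT rule.
iptables_flushed() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$' || return 1
    ! printf '%s\n' "$1" | grep -q '^-A INPUT '
}

# 0 when the dump ($1) contains an INPUT ACCEPT rule for TCP port $2.
ssh_allowed() {
    printf '%s\n' "$1" | grep -Eq "^-A INPUT .*-p tcp .*--dport $2 .*-j ACCEPT"
}

# Prints ok | flushed | missing-ssh-rule for dump $1 and SSH port $2.
ssh_state() {
    if iptables_flushed "$1"; then echo flushed
    elif ssh_allowed "$1" "$2"; then echo ok
    else echo missing-ssh-rule
    fi
}

# Runs the recovery command ($3 onwards) unless the SSH state is ok.
# On a live server (e.g. from /etc/rc.local or a cron job):
#   repair_if_needed "$(iptables -S)" 22 csf -ra
repair_if_needed() {
    dump=$1; port=$2; shift 2
    [ "$(ssh_state "$dump" "$port")" = ok ] && return 0
    "$@"
}

# Constructed sample dumps (assumptions, not captured from a real host).
FLUSHED_DUMP='-P INPUT DROP
-P FORWARD DROP
-N ALLOWIN'

HEALTHY_DUMP='-P INPUT DROP
-P FORWARD DROP
-N ALLOWIN
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT'

echo "flushed sample:  $(ssh_state "$FLUSHED_DUMP" 22)"   # flushed
echo "healthy sample:  $(ssh_state "$HEALTHY_DUMP" 22)"   # ok
repair_if_needed "$FLUSHED_DUMP" 22 echo "would run: csf -ra"
```

If your SSH port is not 22 (Centmin Mod and CSF both allow changing it), pass the real port as the second argument so the check looks for the right rule.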
If you haven’t yet installed Centmin Mod LEMP stack, check out the Centmin Mod LEMP stack advanced installation guide.