Simple Linux bash script to generate iptables rules with whitelisted IPs from a file and block all others
Topic: simple iptables bash script with whitelist IP file
Overview: iptables with an IP whitelist file
iptables is a Linux command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list
Steps to be followed
Step 1 : Creating the whitelist file
Log in to your Linux SSH console using PuTTY or the direct server console and run the commands below.
Create a folder named firewall and a file named whitelist.txt:
mkdir /usr/src/firewall
touch /usr/src/firewall/whitelist.txt
Step 2 : Entering the list of allowed IPs
Edit the whitelist.txt file and add the IPs to be allowed, one per line:
vi /usr/src/firewall/whitelist.txt
1.1.1.1
2.2.2.2
3.3.3.3
Save and exit.
Step 3 : Locate the iptables path
which iptables
which iptables-save
It will output something like the following:
/sbin/iptables
/sbin/iptables-save
Step 4 : iptables bash script
Create a new file named firewall.sh and copy and paste the script below, replacing the iptables paths in that file with the output of step 3.
vi /usr/src/firewall/firewall.sh
Copy and paste the following script:
#!/bin/bash
# Allowed IP file location
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where iptables is located (replace with the output of step 3)
#
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
#
## Save the current iptables running configuration in case we want to revert.
## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
## If the current INPUT policy is set to DROP we will be locked out once we flush the rules,
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'
$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'
# Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
# Allow replies to connections this host initiated.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (port 22) from any address; comment this line out if you only want
# whitelisted addresses to reach SSH.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#
## Whitelist: one address per line, lines starting with # are ignored
#
for x in $(grep -v '^#' "$WHITELIST" | awk 'NF {print $1}'); do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -s "$x" -j ACCEPT
done
# Block all other traffic
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## Print the resulting rule set. iptables-save on its own only writes to stdout;
## see step 8 for keeping the rules across a reboot.
#
$IPTABLES_SAVE
Note:
Replace the following lines based on the output of step 3:
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
The line "$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT" allows SSH on port 22 from all IPs; if you do not want this, comment out or remove that line.
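The script above feeds every first field of whitelist.txt straight to "iptables -s", so a typo or stray text becomes a failed or unintended rule, and an empty file combined with "-P INPUT DROP" locks out every remote address. The helper below is an added example (not part of the original script): it accepts only IPv4 addresses with an optional /prefix, ignores comments and blank lines, and refuses to continue with an empty list; the function names are my own.

```shell
#!/bin/bash
# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    local entry="$1" addr prefix octet
    addr="${entry%%/*}"
    prefix="${entry#*/}"
    [ "$prefix" = "$entry" ] && prefix=32          # no slash: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS='.'
    set -- $addr                                   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the valid entries of a whitelist file, one per line; rejected lines are
# reported on stderr. Returns 1 if the file yields no usable entries at all.
load_whitelist() {
    local file="$1" line entry count=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                        # drop trailing comment
        entry="${entry#"${entry%%[![:space:]]*}"}" # drop leading whitespace
        entry="${entry%%[[:space:]]*}"             # keep the first field only
        [ -z "$entry" ] && continue
        if is_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
            count=$((count + 1))
        else
            printf 'skipping invalid whitelist entry: %s\n' "$line" >&2
        fi
    done < "$file"
    [ "$count" -gt 0 ]
}

# Add an ACCEPT rule for each valid entry. $2 is the iptables binary; pass a
# function or "echo" instead to dry-run. Aborts before touching any rule if
# the whitelist is empty, so the later DROP policy cannot lock everyone out.
apply_whitelist() {
    local file="$1" ipt="${2:-/sbin/iptables}" ip allowed
    allowed=$(load_whitelist "$file") || {
        printf 'refusing to continue: no valid entries in %s\n' "$file" >&2
        return 1
    }
    for ip in $allowed; do
        "$ipt" -A INPUT -s "$ip" -j ACCEPT
    done
}
```

Replace the for loop in firewall.sh with "apply_whitelist "$WHITELIST" "$IPTABLES" || exit 1" to get the same rules with validation, and try "apply_whitelist "$WHITELIST" echo" first to see what would be added.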
Step 5 : Make the firewall.sh file executable
Run the command below to give the firewall.sh file execute permission:
chmod +x /usr/src/firewall/firewall.sh
Step 6 : Running the script
Type the full path of the file as shown below:
/usr/src/firewall/firewall.sh
Step 7 : Check the iptables rules
iptables -L -n
Step 8 : Persist the rules after reboot
After a reboot the iptables rules may be flushed. To avoid that, either add firewall.sh to a start-up script such as /etc/rc.d/rc.local, or run it from a cron job at reboot:
crontab -e
@reboot /usr/src/firewall/firewall.sh
Also see:
Script to block SSH attacks automatically
For support contact Skype: striker24x7