Simple iptables bash script with whitelist IP file
In this article I provide a simple bash script that generates iptables rules from a whitelist file: you list the IP addresses that are allowed to reach the server, and everything else is blocked. If you are looking for an iptables setup that drops all incoming requests and allows only SSH plus the whitelisted addresses, this article is for you.
Bash script to generate iptables rules
iptables is the Linux command-line firewall utility. It organises rules into chains, and each chain has a default policy (ACCEPT or DROP). When a packet arrives, iptables walks the rules of the matching chain in order and applies the first rule that matches; if no rule matches, the chain's default policy decides what happens to the packet.
Steps to be followed
Step 1 : Creating the whitelist file
Log in to your Linux server over SSH (with PuTTY or any other SSH client) or on the server console and run the commands below.
Create a folder named firewall and an empty file whitelist.txt inside it:
mkdir /usr/src/firewall
touch /usr/src/firewall/whitelist.txt
Step 2 : Entering the list of allowed IPs
Edit whitelist.txt and add the IP addresses to be allowed, one per line (the addresses below are placeholders, replace them with your own):
vi /usr/src/firewall/whitelist.txt
1.1.1.1
2.2.2.2
3.3.3.3
Save and exit.
Step 3 : Locate the iptables binaries
which iptables
which iptables-save
The output will look like this:
/sbin/iptables
/sbin/iptables-save
Step 4 : Create the firewall script
Create a new file named firewall.sh and paste the script below into it, then replace the two iptables paths in the file with the ones printed in step 3.
vi /usr/src/firewall/firewall.sh
Copy and paste the following script:
#!/bin/bash
# allowed ip file location
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where iptables is located (use the output of "which iptables" from step 3)
#
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
#
## iptables can only be changed by root, and the whitelist must exist
#
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi
if [ ! -r "$WHITELIST" ]; then
    echo "Whitelist file $WHITELIST not found" >&2
    exit 1
fi
#
## Save current iptables running configuration in case we want to revert back
## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
## If the current INPUT policy is DROP we would be locked out as soon as the rules
## are flushed (nothing would allow our SSH session any more), so set it to ACCEPT first.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'
$IPTABLES -F
echo 'Flushing all rules (-F)'
$IPTABLES -X
echo 'Deleting user-defined chains (-X)'
$IPTABLES -Z
echo 'Zeroing packet and byte counters (-Z)'
#
## Always allow loopback traffic. Match on the loopback interface rather than on
## the source address 127.0.0.1, which a remote host could put in a spoofed packet.
#
echo 'Allowing Localhost'
$IPTABLES -A INPUT -i lo -j ACCEPT
## Allow replies to connections this host opened, and related traffic such as ICMP errors
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## Allow SSH on port 22 from everywhere. Comment this line out to allow SSH
## only from the whitelisted addresses.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#
## Whitelist: one IP address (or CIDR prefix) per line, lines starting with "#"
## are comments, and only the first field of each line is used.
#
for x in $(grep -v '^[[:space:]]*#' "$WHITELIST" | awk 'NF {print $1}'); do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -s "$x" -j ACCEPT || echo "Could not add a rule for '$x', check the whitelist" >&2
done
#
## Block all other traffic by setting the default policies. This is done last,
## so the allow rules are already in place when INPUT switches to DROP.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## Print the resulting ruleset. Note that iptables-save on its own does NOT make
## the rules survive a reboot; see the reboot step below for that.
#
$IPTABLES_SAVE
Note:
Replace the two lines below with the paths printed in step 3 if they differ on your system.
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
The line "$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT" allows SSH on port 22 from every IP address. If you do not want that, comment that line out; SSH will then be reachable only from the whitelisted addresses, so make sure the address you connect from is in whitelist.txt before running the script, otherwise you will lock yourself out.
Also keep in mind that iptables only filters IPv4. If the server has a public IPv6 address, the same rules have to be applied with ip6tables as well, otherwise IPv6 traffic is not blocked at all.
Step 5 : Make the script executable
Run the command below to make firewall.sh executable:
chmod +x /usr/src/firewall/firewall.sh
Step 6 : Running the script
Run the script by typing its full path, as shown below. Before you do, make sure that either the SSH line is still in the script or the address you are connecting from is in whitelist.txt.
/usr/src/firewall/firewall.sh
Step 7 : Check the iptables rules
iptables -L -n
The INPUT chain header should read "policy DROP", followed by the loopback, ESTABLISHED/RELATED and SSH rules and one ACCEPT rule per whitelisted address.
Step 8 : Persist the rules after reboot
After a reboot the iptables rules are gone unless something re-applies them. To avoid that, either call firewall.sh from a start-up script such as /etc/rc.d/rc.local, or run it from a cron job at boot:
crontab -e
@reboot /usr/src/firewall/firewall.sh
On systemd-based distributions rc.local is often not enabled; there the distribution packages (iptables-persistent on Debian/Ubuntu, iptables-services on RHEL/CentOS) can instead restore a saved ruleset at boot.
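The script above issues one iptables command per rule, which leaves a short window with INPUT set to ACCEPT while the rules are being added, and an entry that iptables cannot parse (for example three addresses pasted onto one line without newlines) is only reported with an error and skipped. The following shell script is an added example, not the article's script: it validates every whitelist entry first, refuses a catch-all 0.0.0.0/0 entry, and builds the same ruleset in iptables-restore format, which the kernel loads in one atomic step. The whitelist location, the /sbin/iptables-restore path and the sample addresses are assumptions for the demonstration; the apply_ruleset function needs root and is not run by the demo.

```sh
#!/bin/sh
# Added example (not the article's script): build the whitelist firewall as an
# iptables-restore ruleset instead of issuing one iptables call per rule.
# iptables-restore loads the whole table in one atomic step, so the host never
# sits with INPUT=ACCEPT while rules are added, and a malformed entry is
# rejected before anything reaches the kernel.
# Assumed paths (same as the article); sample addresses below are constructed.
SSH_PORT=${SSH_PORT:-22}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
IPTABLES_SAVE=${IPTABLES_SAVE:-/sbin/iptables-save}

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    _octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    _re="^($_octet\.){3}$_octet(/([0-9]|[12][0-9]|3[0-2]))?"'$'
    printf '%s\n' "$1" | grep -Eq "$_re"
}

# Print the usable entries of a whitelist file (first field of every
# non-comment line) and fail on the first entry that is not an IPv4
# address/prefix or that would whitelist the whole Internet.
check_whitelist() {
    for _ip in $(sed 's/#.*//' "$1" | awk 'NF {print $1}'); do
        if ! is_ipv4_cidr "$_ip"; then
            echo "whitelist: rejecting '$_ip' (not an IPv4 address or prefix)" >&2
            return 1
        fi
        case $_ip in
            0.0.0.0/0) echo "whitelist: refusing catch-all entry $_ip" >&2; return 1 ;;
        esac
        printf '%s\n' "$_ip"
    done
}

# Print the filter table in iptables-restore format. Nothing is printed if the
# whitelist fails validation, so a typo never produces a half-built ruleset.
build_ruleset() {
    _entries=$(check_whitelist "$1") || return 1
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # default policies, as in the article
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'  # loopback by interface, not by address
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"  # SSH from anywhere
    for _ip in $_entries; do
        printf '%s\n' "-A INPUT -s $_ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Apply the ruleset atomically (needs root): back up the live rules, dry-run
# the new set with "iptables-restore --test", then load it. Not run by the demo.
apply_ruleset() {
    _new=$(build_ruleset "$1") || return 1
    "$IPTABLES_SAVE" > /usr/src/firewall/iptables.last || return 1
    printf '%s\n' "$_new" | "$IPTABLES_RESTORE" --test || return 1
    printf '%s\n' "$_new" | "$IPTABLES_RESTORE"
}

# --- demo with a constructed whitelist (RFC 5737 documentation addresses) ---
DEMO_GOOD=$(mktemp)
cat > "$DEMO_GOOD" <<'EOF'
# office gateway and backup network (constructed sample)
203.0.113.10
198.51.100.0/24   backup hosts
EOF
echo "# ruleset generated from $DEMO_GOOD:"
build_ruleset "$DEMO_GOOD"

# The three addresses from the article pasted onto one line without newlines.
DEMO_BAD=$(mktemp)
printf '1.1.1.12.2.2.23.3.3.3\n' > "$DEMO_BAD"
build_ruleset "$DEMO_BAD" >/dev/null || echo "# bad whitelist rejected, nothing would be applied"
rm -f "$DEMO_GOOD" "$DEMO_BAD"
```

To use it on a server, run it as root with `apply_ruleset /usr/src/firewall/whitelist.txt` from the script (or pipe the output of build_ruleset into iptables-restore yourself); the saved copy in /usr/src/firewall/iptables.last can be fed back to iptables-restore to revert.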
Conclusion:
I hope this article helps you protect your server with iptables and a whitelist file. Note that with this script port 22 is open to the public; if you want to block SSH as well, comment out that line in the script. If you want port 22 to stay open but block attackers, use my SSH brute-force protection script.
For professional support reach me on Skype or Telegram, id: striker24x7
I tried this bash script and it is working well, but there is one thing: I was still able to ping the server IP from any external IP address. Is there a way to block pings to the server from external IP addresses except the ones in the whitelist?