simple iptables bash script with whitelist ip file

    In this article I have provided a simple bash script to generate IPTABLES with white list file ,where you define the list of IP address to be whitelisted and rest all other will be blocked. If you are looking for IPTABLES to block all request and allow only ssh and IP address which are white listed, then this article is for you.    

simple iptables via bash script with whitelist file
iptables bash script whitelist ip list


Bash script to generate IPTABLES

    In this blog article i have provided a simple bash script to generate iptables which block all the request and allow only the IP's which are added in a particular file named as whitelist.txt.

    iptables is a linux command-line firewall utility that uses policy chains to allow or block traffic. When a connection tries to establish itself on your system, iptables looks for a rule in its list

Steps to be followed

Step 1 : Creating whitelist file

    login to your linux ssh console using putty or direct server console, run the below command.

creating a folder name firewall and file whitelist.txt

mkdir /usr/src/firewall
touch /usr/src/firewall/whitelist.txt

Step 2 : Entering the list of allowed IP's

Edit the whitelist.txt file and add the IP's to be allowed 

vi /usr/src/firewall/whitelist.txt
1.1.1.1
2.2.2.2
3.3.3.3

save and exit

Step 3 : Locate where the iptables path

type the below command
which iptables
which iptables-save

it will outputs as below

/sbin/iptables
/sbin/iptables-save

Copy the output ,we have replace in bash script in next steps

Step 4 : Iptables Bash script

Create a new File named as firewall.sh and copy paste the below scirpt

replace the iptables path in that file.

vi /usr/src/firewall/firewall.sh

copy and paste the below script

#!/bin/bash
# allowed ip file location
WHITELIST=/usr/src/firewall/whitelist.txt
#
## Specify where IP Tables is located
#
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save
#
## Save current iptables running configuration in case we want to revert back
##  To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#
$IPTABLES_SAVE > /usr/src/iptables.last
#
## Clear current rules
#
##If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'
$IPTABLES -F
echo 'Clearing Tables F'
$IPTABLES -X
echo 'Clearing Tables X'
$IPTABLES -Z
echo 'Clearing Tables Z'
#Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#
## Whitelist
#
for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
$IPTABLES -A INPUT -s $x -j ACCEPT
done
# block all other traffice
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
#
## Save the rules so they are persistent on reboot.
#
/sbin/iptables-save

note:
replace lines based on output in step 3
IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

Below line will allow port 22 ssh to all ip's, if you dont what this disable that line.

$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

Step 5 : Make firewall.sh file as read write and executable

run the below command to give read,write,executable permission to firewall.sh file

chmod +x /usr/src/firewall/firewall.sh
Step 6 : Running the script

type the full path of the file as shown below .

/usr/src/firewall/firewall.sh

Step 7 : check the iptables rules

Run the below iptables command to check the iptables rules
iptables -L -n 
Step 8: Persist the rules after reboot.

After reboot the iptables rules might got flushed, to avoid that either add the firewall.sh file in start up script ,under /etc/rc.d/rc.local  or run the file in cronjob to run on reboot

crontab -e
@reboot /usr/src/firewall/firewall.sh

Conclusion:

    Hope this article is helpful for protecting your server using the IPTABLES and white list  file, note as per this bash script port 22 is open for public , if you want to block SSH too and comment the line or if you want port 22 to be open and block the attackers use my SSH Bruteforce protection script 

For professional support reach me on skype or telegram id: striker24x7

Next Post Previous Post
2 Comments
  • gopi baskar
    gopi baskar April 4, 2022 at 11:22 AM

    shell script to generate iptables with whitelist ip's

    • Anonymous
      Anonymous September 28, 2022 at 8:51 PM

      I tried this bash script and it is working good but there is one thing still i was able to ping server ip from any external ip address, is there a way to block server ping for external ip addresses except the one in white ip list?

Add Comment
comment url