Solved

Can IPTables use IPs from a file?

Posted on 2014-11-16
Last Modified: 2014-11-22
I have an application which requires that I allow only certain IPs to gain access to a port.
I want to use iptables to allow/deny but need to use a php app to maintain an IP list.

Was wondering if I could maintain a list of IPs for this particular rule in a file which iptables could read and update itself IF the list has changed?
Question by:projects
11 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 40446166
Iptables does not update itself.
You could edit the /etc/sysconfig/iptables file and then restart iptables. Not the recommended way, but should work.

HTH,
Dan
 

Author Comment

by:projects
ID: 40448533
I know it doesn't update itself, guess I worded that wrong but one problem with this site is not being able to edit questions once someone has responded.

I think what I'm looking for is a script which would read a file of IPs and update iptables accordingly for a specific port, allowing those IPs only.

The script would also have to remove any of the previous IPs if the new list no longer contains it.

However, I don't want to fully restart iptables each time and would want to reload it without losing any current connections.
 
LVL 19

Accepted Solution

by:
jools earned 250 total points
ID: 40449490
You are able to insert rules into iptables on the fly and also remove them without restarting. (iptables -t [table] -A will append a rule to the specified table)

If you can give us some examples of what exactly you need it to do it might be possible to come up with something.

You mentioned a php script and a list of IPs, can you elaborate further, what generates the list of IPs etc?

 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40450865
As long as your PHP script only writes to the list when it needs to make a change, you could put together a solution using inotify and updates as jools suggested in http:#a40449490.
See man inotify_wait and man iptables
 

Author Comment

by:projects
ID: 40450955
@Jools; The list of IPs is updated by a php app each time we run a certain function. When the function is run, a query is made to the database, looking for certain conditions such as a 1 meaning 'access allowed'. We grab the IP of that machine from the db and put it into this file I mentioned.

In as far as updating iptables, it will be a bash script so using inotify_wait in the script might work fine.

The script would need to do the following.

-keep checking the file to see if anything has changed
-if nothing has changed, do nothing
-if file has changed, then process the file

-if a new IP was added, then add this into iptables
-if an IP was removed, then remove that IP from iptables

All of this would be for one rule, which would be to allow all IPs in the list to access a certain port.
For sake of argument, use any port, say 4000 for example.

So all of the IPs being added into iptables would be allowed to access port 4000.
Once the IP was removed, that IP could no longer access port 4000 nor could anything else unless it was in the IP list for that port.
 
LVL 19

Expert Comment

by:jools
ID: 40451293
Can you post examples of the files/output and perhaps your existing rules, feel free to sanitise the output/change address ranges if you need to. It would be helpful to work with meaningful data.
 

Author Comment

by:projects
ID: 40451302
I don't have any examples but it would be a simple list of IPs

1.2.3.4
2.3.4.5
3.4.5.6
4.5.6.7

I would want these added (and removed if they are no longer in the list) with this rule

-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Or something along those lines. Not sure that rule actually stops anyone.
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40451990
You only need to check the file after receiving a close_write from inotify_wait
-A (append) is fine for adding IPs but removing them needs more work. You can only remove entries by entry number (no contextual option). You would get the entry number from e.g. iptables -t filter -n -v --line-numbers -L INPUT
 

Author Comment

by:projects
ID: 40452478
If I can't remove IPs, can I remove the entire section and rewrite it with the updated IP list?
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 250 total points
ID: 40454581
You can remove IPs. grep the IP to be removed from the -L command I posted. The rule number comes first, awk it out. Now delete that rule. I can't test this, but it'll be something like
#!/bin/sh
# Delete the first INPUT rule whose listing mentions the IP given as $1.
# -F treats the dots literally and -w stops 1.2.3.4 matching inside 11.2.3.45; $(...) yields the rule number.
iptables -t filter -D INPUT "$(iptables -t filter -n -v --line-numbers -L INPUT | grep -wF -- "$1" | awk 'NR==1 {print $1}')"


The above shell script should delete a single IP from your rules. If you want it to take multiple arguments, use a while loop and shift. I'll leave that for you as an exercise.
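Putting the thread together, here is an added bash script (not code from the question or from any of the answers) that does what the requirements list above asks for: it reads the IP list, compares it with the rules currently in the chain, appends the rule from the question for IPs that are new, deletes it for IPs that have disappeared, and then keeps watching the file with inotifywait as Duncan suggested. It goes a little beyond the answers in two ways: rules are removed with iptables -D and the full rule specification (iptables accepts the same specification for -D as for -A, so no line-number lookup is needed), and it watches the directory rather than the file so that a PHP app that writes a temp file and renames it still triggers a resync. Port 4000 and the rule body are taken from the question; the list path /etc/allowed-ips.txt, the INPUT chain, the requirement that inotify-tools is installed, and the sample rules and list used by the demo mode are assumptions.

```shell
#!/bin/bash
# Keep the set of source IPs allowed to reach TCP port $PORT in sync with a text file.
# Added example for this thread, not code from the question or answers. Assumptions: the
# list lives at $LIST (one IPv4 per line, '#' comments allowed), iptables and inotifywait
# (inotify-tools) are installed, and "watch" mode is run as root.
set -u

PORT="${PORT:-4000}"                   # port used in the question
CHAIN="${CHAIN:-INPUT}"                # chain the rule is appended to
LIST="${LIST:-/etc/allowed-ips.txt}"   # assumed path written by the PHP app

# Rule body from the question, minus chain and source; the same text is used for -A and -D.
rule_spec() {
    printf -- '-p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT' "$PORT"
}

# Read "iptables -t filter -S $CHAIN" output on stdin and print the source IPs that currently
# have an ACCEPT rule for --dport $PORT, sorted and unique. Matching on --dport and the target
# rather than the whole line keeps this working whether iptables prints "-m state" or "-m conntrack".
current_ips() {
    awk -v chain="$CHAIN" -v port="$PORT" '
        $1 == "-A" && $2 == chain && $3 == "-s" && $0 ~ ("--dport " port " ") && $NF == "ACCEPT" {
            sub(/\/32$/, "", $4); print $4
        }' | sort -u
}

# Read the list file on stdin; keep only lines that start with a dotted-quad IPv4 address.
desired_ips() {
    grep -Eo '^[0-9]{1,3}(\.[0-9]{1,3}){3}' | sort -u
}

# Lines of $1 that do not occur in $2 (both newline-separated strings).
set_diff() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bl, "\n"); for (i = 1; i <= n; i++) seen[bl[i]] = 1
        n = split(a, al, "\n"); for (i = 1; i <= n; i++) if (al[i] != "" && !(al[i] in seen)) print al[i]
    }'
}

# Print the iptables commands that turn the current set ($1) into the desired set ($2):
# appends for new IPs first, then deletes by full rule specification (no line numbers needed).
plan_changes() {
    local spec ip
    spec="$(rule_spec)"
    set_diff "$2" "$1" | while read -r ip; do
        printf 'iptables -t filter -A %s -s %s/32 %s\n' "$CHAIN" "$ip" "$spec"
    done
    set_diff "$1" "$2" | while read -r ip; do
        printf 'iptables -t filter -D %s -s %s/32 %s\n' "$CHAIN" "$ip" "$spec"
    done
}

# Apply the plan against the live firewall one rule at a time, so nothing is flushed or restarted
# and existing connections are untouched.
sync_rules() {
    local cur want cmd
    cur="$(iptables -t filter -S "$CHAIN" | current_ips)"
    want="$(desired_ips < "$LIST")"
    plan_changes "$cur" "$want" | while read -r cmd; do
        echo "$cmd"
        $cmd || echo "failed: $cmd" >&2
    done
}

# Resync once, then on every completed write (close_write) or atomic rename (moved_to) of the list.
# Watching the directory rather than the file survives editors and PHP code that write a temp file and rename it.
watch_list() {
    sync_rules
    inotifywait -m -e close_write -e moved_to --format '%f' "$(dirname "$LIST")" | while read -r name; do
        [ "$name" = "$(basename "$LIST")" ] && sync_rules
    done
}

# Constructed sample data (not taken from the question) so the planning logic can be tried without root.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 9.9.9.9/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
SAMPLE_LIST='# maintained by the PHP app
1.2.3.4
2.3.4.5'

# Dry run on the sample data: prints one -A for 2.3.4.5 and one -D for 3.4.5.6, leaves port 22 alone.
demo_plan() {
    plan_changes "$(printf '%s\n' "$SAMPLE_RULES" | current_ips)" "$(printf '%s\n' "$SAMPLE_LIST" | desired_ips)"
}

case "${1:-}" in
    watch) [ "$(id -u)" -eq 0 ] || { echo "watch mode must run as root" >&2; exit 1; }; watch_list ;;
    demo)  demo_plan ;;
esac
```

Run it as "./sync-allowed-ips.sh demo" to see the commands it would issue for the built-in sample, and as root with "./sync-allowed-ips.sh watch" to resync once and then follow the file. Because the desired state is always recomputed from the file and the live chain, a missed event only delays a change until the next write; nothing accumulates, and the port-22 rule in the sample shows that rules for other ports in the same chain are never touched.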
