Solved

Can IPTables use IPs from a file?

Posted on 2014-11-16
11
166 Views
Last Modified: 2014-11-22
I have an application which requires that I allow only certain IPs to gain access to a port.
I want to use iptables to allow/deny but need to use a php app to maintain an IP list.

Was wondering if I could maintain a list of IPs for this particular rule in a file which iptables could read and update itself IF the list has changed?
0
Comment
Question by:projects
  • 4
  • 3
  • 2
  • +1
11 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40446166
Iptables does not update itself.
You could edit the /etc/sysconfig/iptables file and then restart iptables. Not the recommend way, but should work.

HTH,
Dan
0
 

Author Comment

by:projects
ID: 40448533
I know it doesn't update itself, guess I worded that wrong but one problem with this site is not being able to edit questions once someone has responded.

I think what I'm looking for is a script which would read a file of IPs and update iptables accordingly for a specific port, allowing those IPs only.

The script would also have to remove any of the previous IPs if the new list no longer contains it.

However, I don't want to fully restart iptables each time and would want to reload it without losing any current connections.
0
 
LVL 19

Accepted Solution

by:
jools earned 250 total points
ID: 40449490
You are able to insert rules into iptables on the fly and also remove them without restarting. (iptables -t [table] -A will append a rule to the specified table)

If you can give us some examples of what exactly you need it to do it might be possible to come up with something.

You mentioned a php script and a list of IP's, can you elaborate further, what generates the list of IP's etc?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40450865
As long as your PHP script only writes to the list when it needs to make a change, you could put together a solution using inotify and updates as jools suggested in http:#a40449490.
See man inotify_wait and man iptables
0
 

Author Comment

by:projects
ID: 40450955
@Jools; The list of IPs is updated by a php app each time we run a certain function. When the function is run, a query is made to the database, looking for certain conditions such as a 1 meaning 'access allowed'. We grab the IP of that machine from the db and put it into this file I mentioned.

In as far as updating iptables, it will be a bash script so using inotify_wait in the script might work fine.

The script would need to do the following.

-keep checking the file to see if anything has changed
-if nothing has changed, do nothing
-if file has changed, then process the file

-if a new IP was added, then add this into iptables
-if an IP was removed, then remove that IP from iptables

All of this would be for one rule, which would be to allow all IPs in the list to access a certain port.
For sake of argument, use any port, say 4000 for example.

So all of the IPs being added into iptables would be allowed to access port 4000.
Once the IP was removed, that IP could no longer access port 4000 nor could anything else unless it was in the IP list for that port.
0
 
LVL 19

Expert Comment

by:jools
ID: 40451293
Can you post examples of the files/output and perhaps your existing rules, feel free to sanitise the output/changes address ranges if you need to. It would be helpful to work with meaningful data.
0
 

Author Comment

by:projects
ID: 40451302
I don't have any examples but it would be a simple list of IPs

1.2.3.4
2.3.4.5
3.4.5.6
4.5.6.7

I would want these added (and removed if they are no longer in the list) with this rule

-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Or something along those lines. Not sure that rule actually stops anyone.
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40451990
You only need to check the file after receiving a close_write from inotify_wait
-A (append) is fine for adding IPs but removing them needs more work. You can only remove entries by entry number (no contextual option). You would get the entry number from e.g. iptables -t filter -n -v --line-numbers -L INPUT
0
 

Author Comment

by:projects
ID: 40452478
If I can't remove IPs, can I remove the entire section and rewrite it with the updated IP list?
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 250 total points
ID: 40454581
You can remove IPs. grep the IP to be removed from the -L command I posted. The rule number comes first, awk it out. Now delete that rule. I can't test this, but it'll be something like
#!/bin/sh
iptables -t filter -D INPUT $(iptables -t filter -n -v --line-numbers -L INPUT|grep $1|awk '{print $1}')

Open in new window


The above shell script should delete a single IP from your rules. If you want it to take multiple arguments, use a while loop and shift. I'll leave that for you as an exercise
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SIP Trunk provider 20 132
Firewall attack 16 185
What is native VPN for RedHad Enterprise Linux and CentOS? 6 161
Weird Samba Connectivity Issue... 7 51
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question