We help IT Professionals succeed at work.

Can IPTables use IPs from a file?

255 Views
Last Modified: 2014-11-22
I have an application which requires that I allow only certain IPs to gain access to a port.
I want to use iptables to allow/deny but need to use a php app to maintain an IP list.

Was wondering if I could maintain a list of IPs for this particular rule in a file which iptables could read and update itself IF the list has changed?
Comment
Watch Question

Dan CraciunIT Consultant
CERTIFIED EXPERT

Commented:
Iptables does not update itself.
You could edit the /etc/sysconfig/iptables file and then restart iptables. Not the recommend way, but should work.

HTH,
Dan

Author

Commented:
I know it doesn't update itself, guess I worded that wrong but one problem with this site is not being able to edit questions once someone has responded.

I think what I'm looking for is a script which would read a file of IPs and update iptables accordingly for a specific port, allowing those IPs only.

The script would also have to remove any of the previous IPs if the new list no longer contains it.

However, I don't want to fully restart iptables each time and would want to reload it without losing any current connections.
Senior Systems Administrator
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
As long as your PHP script only writes to the list when it needs to make a change, you could put together a solution using inotify and updates as jools suggested in http:#a40449490.
See man inotify_wait and man iptables

Author

Commented:
@Jools; The list of IPs is updated by a php app each time we run a certain function. When the function is run, a query is made to the database, looking for certain conditions such as a 1 meaning 'access allowed'. We grab the IP of that machine from the db and put it into this file I mentioned.

In as far as updating iptables, it will be a bash script so using inotify_wait in the script might work fine.

The script would need to do the following.

-keep checking the file to see if anything has changed
-if nothing has changed, do nothing
-if file has changed, then process the file

-if a new IP was added, then add this into iptables
-if an IP was removed, then remove that IP from iptables

All of this would be for one rule, which would be to allow all IPs in the list to access a certain port.
For sake of argument, use any port, say 4000 for example.

So all of the IPs being added into iptables would be allowed to access port 4000.
Once the IP was removed, that IP could no longer access port 4000 nor could anything else unless it was in the IP list for that port.
Julian ParkerSenior Systems Administrator
CERTIFIED EXPERT

Commented:
Can you post examples of the files/output and perhaps your existing rules, feel free to sanitise the output/changes address ranges if you need to. It would be helpful to work with meaningful data.

Author

Commented:
I don't have any examples but it would be a simple list of IPs

1.2.3.4
2.3.4.5
3.4.5.6
4.5.6.7

I would want these added (and removed if they are no longer in the list) with this rule

-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Or something along those lines. Not sure that rule actually stops anyone.
Duncan RoeSoftware Developer
CERTIFIED EXPERT

Commented:
You only need to check the file after receiving a close_write from inotify_wait
-A (append) is fine for adding IPs but removing them needs more work. You can only remove entries by entry number (no contextual option). You would get the entry number from e.g. iptables -t filter -n -v --line-numbers -L INPUT

Author

Commented:
If I can't remove IPs, can I remove the entire section and rewrite it with the updated IP list?
Duncan RoeSoftware Developer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.