Solved

Can IPTables use IPs from a file?

Posted on 2014-11-16
Last Modified: 2014-11-22
I have an application which requires that I allow only certain IPs to gain access to a port.
I want to use iptables to allow/deny but need to use a php app to maintain an IP list.

Was wondering if I could maintain a list of IPs for this particular rule in a file which iptables could read and update itself IF the list has changed?
0
Question by:projects
11 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 40446166
Iptables does not update itself.
You could edit the /etc/sysconfig/iptables file and then restart iptables. Not the recommended way, but should work.

HTH,
Dan
0
 

Author Comment

by:projects
ID: 40448533
I know it doesn't update itself, guess I worded that wrong but one problem with this site is not being able to edit questions once someone has responded.

I think what I'm looking for is a script which would read a file of IPs and update iptables accordingly for a specific port, allowing those IPs only.

The script would also have to remove any of the previous IPs if the new list no longer contains it.

However, I don't want to fully restart iptables each time and would want to reload it without losing any current connections.
0
 
LVL 19

Accepted Solution

by:jools
jools earned 1000 total points
ID: 40449490
You are able to insert rules into iptables on the fly and also remove them without restarting. (iptables -t [table] -A will append a rule to the specified table)

If you can give us some examples of what exactly you need it to do it might be possible to come up with something.

You mentioned a php script and a list of IPs, can you elaborate further, what generates the list of IPs etc?
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 40450865
As long as your PHP script only writes to the list when it needs to make a change, you could put together a solution using inotify and updates as jools suggested in http:#a40449490.
See man inotify_wait and man iptables
0
 

Author Comment

by:projects
ID: 40450955
@Jools; The list of IPs is updated by a php app each time we run a certain function. When the function is run, a query is made to the database, looking for certain conditions such as a 1 meaning 'access allowed'. We grab the IP of that machine from the db and put it into this file I mentioned.

In as far as updating iptables, it will be a bash script so using inotify_wait in the script might work fine.

The script would need to do the following.

-keep checking the file to see if anything has changed
-if nothing has changed, do nothing
-if file has changed, then process the file

-if a new IP was added, then add this into iptables
-if an IP was removed, then remove that IP from iptables

All of this would be for one rule, which would be to allow all IPs in the list to access a certain port.
For sake of argument, use any port, say 4000 for example.

So all of the IPs being added into iptables would be allowed to access port 4000.
Once the IP was removed, that IP could no longer access port 4000 nor could anything else unless it was in the IP list for that port.
0
 
LVL 19

Expert Comment

by:jools
ID: 40451293
Can you post examples of the files/output and perhaps your existing rules, feel free to sanitise the output/change address ranges if you need to. It would be helpful to work with meaningful data.
0
 

Author Comment

by:projects
ID: 40451302
I don't have any examples but it would be a simple list of IPs

1.2.3.4
2.3.4.5
3.4.5.6
4.5.6.7

I would want these added (and removed if they are no longer in the list) with this rule

-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Or something along those lines. Not sure that rule actually stops anyone.
0
 
LVL 35

Expert Comment

by:Duncan Roe
ID: 40451990
You only need to check the file after receiving a close_write from inotify_wait
-A (append) is fine for adding IPs but removing them needs more work. You can only remove entries by entry number (no contextual option). You would get the entry number from e.g. iptables -t filter -n -v --line-numbers -L INPUT
0
 

Author Comment

by:projects
ID: 40452478
If I can't remove IPs, can I remove the entire section and rewrite it with the updated IP list?
0
 
LVL 35

Assisted Solution

by:Duncan Roe
Duncan Roe earned 1000 total points
ID: 40454581
You can remove IPs. grep the IP to be removed from the -L command I posted. The rule number comes first, awk it out. Now delete that rule. I can't test this, but it'll be something like
#!/bin/sh
# Delete every INPUT rule whose listing contains the IP given as $1 (-wF: whole-word, fixed-string match, so 1.2.3.4 does not also hit 11.2.3.4 or 1.2.3.45).
# Rule numbers are sorted descending so deleting one rule does not renumber the ones still to be deleted.
for n in $(iptables -t filter -n -v --line-numbers -L INPUT | grep -wF -- "$1" | awk '{print $1}' | sort -rn); do iptables -t filter -D INPUT "$n"; done


The above shell script should delete a single IP from your rules. If you want it to take multiple arguments, use a while loop and shift. I'll leave that for you as an exercise.
0
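Putting the asker's requirements list (watch the file, add new IPs, remove dropped ones, port 4000, no restart) together with Duncan Roe's per-IP deletion, here is an added example script; it is not code from the thread or from any participant. It assumes port 4000, a chain named ALLOW_4000, the list in /etc/allowed-ips.txt and inotify-tools installed, and it deletes rules by their full specification (iptables -D with -s/-p/--dport) rather than by line number, keeping the allowed IPs in their own chain so the rest of INPUT is never touched.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a dedicated iptables chain in sync with a file of
# allowed source IPs for one TCP port: rules are added/deleted one at a time, nothing is flushed or
# restarted. Assumed names: port 4000, chain ALLOW_4000, file /etc/allowed-ips.txt, inotifywait.
PORT="${PORT:-4000}"
CHAIN="${CHAIN:-ALLOW_$PORT}"
ALLOWFILE="${ALLOWFILE:-/etc/allowed-ips.txt}"
# Accept only a plain dotted-quad: the file is written by another program, so treat it as untrusted.
valid_ip() {
  printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}
# Read the list file: drop comments, whitespace, blanks and malformed entries; sort and dedupe.
desired_ips() {
  sed 's/#.*//; s/[[:space:]]//g' "$1" | while read -r ip; do
    [ -n "$ip" ] && valid_ip "$ip" && printf '%s\n' "$ip"
  done | sort -u
}
# IPs now in the chain. Fields of "iptables -n -v -L": pkts bytes target prot opt in out source ...
current_ips() {
  iptables -t filter -n -v -L "$CHAIN" 2>/dev/null | awk 'NR>2 && $3=="ACCEPT" {print $8}' | sort -u
}
# Diff two sorted list files (desired, current) into "add IP" / "del IP" lines.
plan_changes() {
  comm -13 "$2" "$1" | sed 's/^/add /'
  comm -23 "$2" "$1" | sed 's/^/del /'
}
# Apply a plan from stdin. -D with the full rule spec deletes exactly that rule, no line numbers needed.
apply_plan() {
  while read -r action ip; do
    case "$action" in
      add) iptables -I "$CHAIN" 1 -s "$ip" -p tcp --dport "$PORT" -j ACCEPT ;;
      del) iptables -D "$CHAIN" -s "$ip" -p tcp --dport "$PORT" -j ACCEPT ;;
    esac
  done
}
sync_once() {
  # First run only: create the chain with a final DROP and send the port's traffic to it from INPUT.
  iptables -N "$CHAIN" 2>/dev/null && iptables -A "$CHAIN" -j DROP
  iptables -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null ||
    iptables -I INPUT -p tcp --dport "$PORT" -j "$CHAIN"
  tmp=$(mktemp -d); desired_ips "$ALLOWFILE" >"$tmp/want"; current_ips >"$tmp/have"
  plan_changes "$tmp/want" "$tmp/have" | apply_plan; rm -rf "$tmp"
}
# "run" syncs once; "watch" re-syncs after each completed write (close_write) to the file.
case "${1:-}" in
  run)   sync_once ;;
  watch) sync_once; while inotifywait -qq -e close_write "$ALLOWFILE"; do sync_once; done ;;
  *)     echo "usage: $0 run|watch" ;;
esac
```

Run it as root with `run` for a one-off sync or `watch` to follow the file. If the PHP app writes a temporary file and renames it over the list, the watch on the old inode is lost, so watch the directory instead.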
