Can IPTables use IPs from a file?

Posted on 2014-11-16
Last Modified: 2014-11-22
I have an application which requires that I allow only certain IPs to gain access to a port.
I want to use iptables to allow/deny but need to use a php app to maintain an IP list.

Was wondering if I could maintain a list of IPs for this particular rule in a file which iptables could read and update itself IF the list has changed?
Question by:projects
11 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 40446166
Iptables does not update itself.
You could edit the /etc/sysconfig/iptables file and then restart iptables. Not the recommended way, but it should work.

HTH,
Dan
 

Author Comment

by:projects
ID: 40448533
I know it doesn't update itself; I guess I worded that wrong, but one problem with this site is not being able to edit questions once someone has responded.

I think what I'm looking for is a script which would read a file of IPs and update iptables accordingly for a specific port, allowing those IPs only.

The script would also have to remove any of the previous IPs if the new list no longer contains it.

However, I don't want to fully restart iptables each time and would want to reload it without losing any current connections.
 
LVL 19

Accepted Solution

by:
jools earned 250 total points
ID: 40449490
You are able to insert rules into iptables on the fly and also remove them without restarting. (iptables -t [table] -A will append a rule to the specified table)

If you can give us some examples of what exactly you need it to do it might be possible to come up with something.

You mentioned a php script and a list of IPs; can you elaborate further? What generates the list of IPs, etc.?
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40450865
As long as your PHP script only writes to the list when it needs to make a change, you could put together a solution using inotify and updates as jools suggested in http:#a40449490.
See man inotify_wait and man iptables
 

Author Comment

by:projects
ID: 40450955
@Jools; The list of IPs is updated by a php app each time we run a certain function. When the function is run, a query is made to the database, looking for certain conditions such as a 1 meaning 'access allowed'. We grab the IP of that machine from the db and put it into this file I mentioned.

As far as updating iptables goes, it will be a bash script, so using inotify_wait in the script might work fine.

The script would need to do the following.

- keep checking the file to see if anything has changed
- if nothing has changed, do nothing
- if the file has changed, then process the file

- if a new IP was added, then add it into iptables
- if an IP was removed, then remove that IP from iptables

All of this would be for one rule, which would be to allow all IPs in the list to access a certain port.
For sake of argument, use any port, say 4000 for example.

So all of the IPs being added into iptables would be allowed to access port 4000.
Once the IP was removed, that IP could no longer access port 4000 nor could anything else unless it was in the IP list for that port.
 
LVL 19

Expert Comment

by:jools
ID: 40451293
Can you post examples of the files/output and perhaps your existing rules? Feel free to sanitise the output/change address ranges if you need to. It would be helpful to work with meaningful data.
 

Author Comment

by:projects
ID: 40451302
I don't have any examples, but it would be a simple list of IPs:

1.2.3.4
2.3.4.5
3.4.5.6
4.5.6.7

I would want these added (and removed if they are no longer in the list) with this rule

-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT

Or something along those lines. Not sure that rule actually stops anyone.
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 40451990
You only need to check the file after receiving a close_write from inotify_wait.
-A (append) is fine for adding IPs but removing them needs more work. You can only remove entries by entry number (no contextual option). You would get the entry number from e.g. iptables -t filter -n -v --line-numbers -L INPUT
 

Author Comment

by:projects
ID: 40452478
If I can't remove IPs, can I remove the entire section and rewrite it with the updated IP list?
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 250 total points
ID: 40454581
You can remove IPs. grep the IP to be removed from the -L command I posted. The rule number comes first, awk it out. Now delete that rule. I can't test this, but it'll be something like
#!/bin/sh
# Delete every INPUT rule whose listing contains the IP given as $1 (whole-word, fixed-string match so 1.2.3.4 does not hit 11.2.3.45); highest rule number first so the remaining numbers stay valid
for n in $(iptables -t filter -n -v --line-numbers -L INPUT | grep -Fw -- "$1" | awk '{print $1}' | sort -rn); do iptables -t filter -D INPUT "$n"; done



The above shell script should delete a single IP from your rules. If you want it to take multiple arguments, use a while loop and shift. I'll leave that for you as an exercise.
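Putting the pieces of this thread together (a file of IPs, -A to add, deletion without a restart, an inotify trigger) as one POSIX shell script. This is an added example, not code from the thread: it deletes rules with -D plus the exact rule spec, which iptables accepts as an alternative to line numbers, and it assumes the names PORT, LIST and IPT, the path /etc/allowed-ips.txt, and inotifywait from inotify-tools.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps the INPUT ACCEPT rules for one port in step
# with a file of allowed IPs. PORT, LIST and IPT are assumed names; override them as needed.
PORT=${PORT:-4000}
LIST=${LIST:-/etc/allowed-ips.txt}   # hypothetical path of the file the PHP app writes
IPT=${IPT:-iptables}                 # point this at a logging stub for a dry run

# One exact rule spec per IP, so that -A and -D always name the same rule (no line numbers needed).
rule_spec() { echo "-s $1/32 -p tcp -m state --state NEW -m tcp --dport $PORT -j ACCEPT"; }

# Read `iptables -S INPUT` output on stdin and print the single-host sources already allowed
# for $PORT, sorted and unique. Rules for other ports or non-/32 sources are left alone.
current_ips() {
    awk -v p="$PORT" '$1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) { if ($i == "-s") s = $(i+1); if ($i == "--dport") d = $(i+1) }
        if (d == p && s ~ /^[0-9.]+\/32$/) { sub(/\/32$/, "", s); print s }
    }' | sort -u
}

# Read the list file on stdin and keep only well-formed dotted quads (comments, blanks and
# anything else the PHP side might leave behind are ignored rather than fed to iptables).
wanted_ips() { grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u; }

# Reconcile once: append rules for IPs that are new, delete rules for IPs that left the file.
# Nothing is flushed or reloaded, so established connections are not touched.
sync_rules() {
    tmp=$(mktemp -d) || return 1
    "$IPT" -t filter -S INPUT | current_ips > "$tmp/cur"
    wanted_ips < "$LIST" > "$tmp/want"
    for ip in $(comm -23 "$tmp/want" "$tmp/cur"); do      # in file, not in rules
        "$IPT" -t filter -A INPUT $(rule_spec "$ip")      # rule_spec is word-split on purpose
    done
    for ip in $(comm -23 "$tmp/cur" "$tmp/want"); do      # in rules, not in file
        "$IPT" -t filter -D INPUT $(rule_spec "$ip")
    done
    rm -rf "$tmp"
}

# Sync once, then again each time the file is rewritten or renamed into place. inotifywait is
# the inotify-tools binary; watching the directory also catches atomic write-then-rename updates.
watch_loop() {
    sync_rules
    while inotifywait -qq -e close_write -e moved_to "$(dirname "$LIST")"; do sync_rules; done
}
```

Point IPT at a script that only logs its arguments to see which -A/-D calls a given list would produce before letting it touch the live rule set; call watch_loop as the script's last line once it is in service.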