Simple IPTables Firewall with Whitelist and Blacklist

Create the whitelist & blacklist files

These can remain empty until needed.

mkdir /etc/myfirewall
touch /etc/myfirewall/whitelist.txt
touch /etc/myfirewall/blacklist.txt

Enter one IP address or domain per line to permit or deny. For example, to permit 1.1.1.1 and somedomain.com:

nano /etc/myfirewall/whitelist.txt
1.1.1.1
somedomain.com

Note about DNS domains and iptables.

If your whitelist specifies a domain, it is the resolved IP address that is added to the iptables rule, so any change in the IP address of a domain in a whitelist or blacklist requires the firewall script to be re-run.

Create the firewall script

Locate iptables on your distribution and alter the IPTABLES= and IPTABLES_SAVE= lines in the script accordingly.

which iptables
which iptables-save

For a non-standard SSH port, or to allow other ports, alter the ALLOWED= line accordingly.

nano /etc/myfirewall/firewall.sh
#!/bin/bash
#
## Simple IPTables Firewall with Whitelist & Blacklist
#
## List Locations
#

WHITELIST=/etc/myfirewall/whitelist.txt
BLACKLIST=/etc/myfirewall/blacklist.txt

#
## Specify ports you wish to use.
## For port listing reference see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
## To add a port range separate it by ":" with no spaces, e.g. "10000:20000"
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where iptables is located
#

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

#
## Save current iptables running configuration in case we want to revert back
## To restore using our example we would run "/sbin/iptables-restore < /usr/local/etc/iptables.last"
#

$IPTABLES_SAVE > /usr/local/etc/iptables.last

#
## Clear current rules
#
## If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
echo 'Setting default INPUT policy to ACCEPT'
$IPTABLES -P INPUT ACCEPT

echo 'Clearing tables'
$IPTABLES -F
echo 'Deleting user defined chains'
$IPTABLES -X
echo 'Zeroing chain counters'
$IPTABLES -Z

#
## Always allow localhost. Matching on the loopback interface (-i lo) rather than
## on a source address of 127.0.0.1 means a spoofed source address on another
## interface does not hit this rule.
#
echo 'Allowing Localhost'
$IPTABLES -A INPUT -i lo -j ACCEPT

#
## The following rule ensures that established connections are not checked.
## It also allows for things that may be related but not part of those connections such as ICMP.
#

$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
## Whitelist
## Lines starting with "#" are skipped and only the first field of a line is used.
## A hostname is resolved by iptables once, here, when the rule is added.
#

for x in $(grep -v '^#' "$WHITELIST" | awk '{print $1}'); do
    echo "Permitting $x..."
    $IPTABLES -A INPUT -s "$x" -j ACCEPT
done

#
## Blacklist
#

for x in $(grep -v '^#' "$BLACKLIST" | awk '{print $1}'); do
    echo "Denying $x..."
    $IPTABLES -A INPUT -s "$x" -j DROP
done

#
## Permitted Ports
#

for port in $ALLOWED; do
    echo "Accepting port TCP $port..."
    $IPTABLES -A INPUT -p tcp --dport "$port" -j ACCEPT
done

for port in $ALLOWED; do
    echo "Accepting port UDP $port..."
    $IPTABLES -A INPUT -p udp --dport "$port" -j ACCEPT
done

#
## NOTE: Test this script first to make sure it works as expected.
## Run "iptables -vnL" to ensure the rules are as expected and that your SSH port is correct.
##
## When you are sure this script works properly uncomment the following 2 lines to enforce the rules.
#

# $IPTABLES -A INPUT -p udp -j DROP
# $IPTABLES -A INPUT -p tcp --syn -j DROP

#
## Save the rules so they are persistent on reboot.
## This relies on the distribution's iptables init script; where it is absent,
## "$IPTABLES_SAVE" redirected to the location your distribution restores from
## serves the same purpose.
#
/etc/init.d/iptables save

Make the script executable and run it.

chmod +x /etc/myfirewall/firewall.sh
/etc/myfirewall/firewall.sh

Check the rules.

iptables -vnL

Once you are sure the script is working properly, with the correct SSH port allowed, you can uncomment the two lines at the bottom of the script and run it again to fully enable it.
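An added dry-run helper (my own code, not part of the original post) that follows the script's conventions: it prints the rules the whitelist/blacklist loops would generate from a constructed sample list without calling iptables, and checks that the SSH port is covered by ALLOWED, including "low:high" ranges, before the final DROP lines are uncommented. The function names (port_allowed, render_rules), the sample entries and the port values are assumptions for the demonstration.

```bash
#!/bin/bash
# Dry-run helper for the firewall script: nothing here touches iptables.

# port_allowed PORT "ALLOWED list" -> returns 0 if PORT is a listed port or
# falls inside a "low:high" range, otherwise 1.
port_allowed() {
    local port=$1 entry lo hi
    for entry in $2; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# render_rules FILE TARGET -> prints one "iptables -A INPUT -s X -j TARGET"
# line per entry, using the same parsing as the script's grep|awk loops:
# "#" comments (leading or trailing) are dropped, blank lines are skipped and
# only the first field of a line is used.
render_rules() {
    local file=$1 target=$2 line src
    while IFS= read -r line || [ -n "$line" ]; do
        src=${line%%#*}
        src=$(printf '%s' "$src" | awk '{print $1}')
        [ -z "$src" ] && continue
        printf 'iptables -A INPUT -s %s -j %s\n' "$src" "$target"
    done < "$file"
}

# Constructed sample whitelist (hypothetical entries, not a file from the post).
tmp=$(mktemp)
printf '# trusted hosts\n1.1.1.1\n\n10.0.0.0/8   # office\nsomedomain.com\n' > "$tmp"
render_rules "$tmp" ACCEPT
rm -f "$tmp"

# Assumed non-standard SSH port and ALLOWED list, to show the lock-out check.
SSH_PORT=2222
ALLOWED="25 53 80 443 2000:3000"
if port_allowed "$SSH_PORT" "$ALLOWED"; then
    echo "SSH port $SSH_PORT is covered by ALLOWED; safe to enable the final DROP rules"
else
    echo "SSH port $SSH_PORT is NOT in ALLOWED; do not enable the DROP rules" >&2
fi
```

Run it with a copy of your real whitelist and your real ALLOWED line before uncommenting the DROP rules; a rejected SSH port here means the enforced script would lock you out.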


A second, minimal variant for CentOS/RHEL 7 using iptables-services, with the whitelist written directly into the script.

#!/bin/bash

yum install -y iptables-services

systemctl start iptables && systemctl enable iptables

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Loopback. The original line was "-s 127.0.0.0", which matches only that one
# address and not 127.0.0.1; matching the lo interface covers all loopback traffic.
iptables -A INPUT -i lo -j ACCEPT

# Replies to connections this host opened (DNS, yum, etc.). Added here because
# without it the final DROP rule also discards return traffic from any address
# not in the whitelist.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -s 192.168.0.197,192.168.0.198,192.168.0.199,192.168.0.200,192.168.0.201,192.168.0.202,192.168.0.203,192.168.0.204,192.168.0.205 -j ACCEPT

iptables -A INPUT -s 11.2.64.0/24 -j ACCEPT   # bastion host IP range

iptables -A INPUT -s 172.19.0.0/16 -j ACCEPT   # k8s service subnet

iptables -A INPUT -s 172.16.0.0/16 -j ACCEPT   # k8s pod subnet

iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT   # originally written 172.17.0.1/16; iptables masks it to this same network

iptables -A INPUT -j DROP   # deny access to this host from any IP not in the whitelist above

service iptables save

posted @ Oops!#