#Locad ipset before iptables update
Creating a Bash Script to Automatically Update IP Tables by Hostname Pkts bytes target prot opt in out source destinationĠ 0 ACCEPT tcp - * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 match-set ssh-allowed srcĪny IP address that is a member of the "ssh-allowed" IP Set is now permitted to connect to SSH on destination port 22. ~]$ sudo iptables -L -vnĬhain INPUT (policy ACCEPT 0 packets, 0 bytes) Now iptables is configured to check the "ssh-allowed" IP set for source IP addresses for incoming SSH connections. NOTE: You may want to add a comment to these rules for documentation. sudo iptables -I INPUT -p tcp -dport 22 -m set -match-set ssh-allowed src -j ACCEPT Now that we have our IP Set created, let's create a rule in iptables that tells it to allow SSH traffic from addresses inside this IP Set. ~]$ sudo ipset list ssh-allowedġ92.168.100.197 Using the IP Set to Create an iptables Rule Now if we list the "ssh-allowed" IP Set, we will see we have one member. You can manually add IP addresses to the set for testing. Header: family inet hashsize 1024 maxelem 65536 Then create a Bash script to add our clients IP address based of their Dynamic DNS name. In the next steps we will configure iptables to use this IP Set. This is expected since we have not yet added any IP addresses. We can now view this IP Set and see that is has no members. This will be used to store the IP addresses of systems allowed to SSH into our server. Here we are telling the ipset utility to create a set called "ssh-allowed" with the type of "hash:ip".
~]$ sudo ipset create ssh-allowed hash:ip The first step is to create your IP Set to hold the IP address of your client. Then we will create a simple bash script to update the set.įor this example, let's assume the client has the following dynamic DNS name setup: With just a few commands you can configure an IP Set. This may seem complicated, however, it is very simple. These sets can then be used inside of iptables rules.
#Locad ipset before iptables mac
IP Sets is a framework that allows you to create "sets" of IP addresses, MAC address, networks, port numbers and more. Let us know in the comments if you need help.
There are several methods to accomplish this. NOTE: Configuring the client of Dyamic DNS is outside the scope of this tutorial. The solution we worked out is to use Dynamic DNS to tie his IP address to a hostname, then use IP Sets and a simple Bash script to automatically update iptables. I could just open SSH to the world and allow him to connect, but that is not very secure. He has a cable internet connection that changes his pubic IP address at least once a month (sometimes once a week). This was my thought when I had a customer that needed SSH access to his server from his home.
What if you have a client that needs to connect to a service that does not have a static IP address? The client would need to monitor changes to their IP address, send you the new IP, and you would then have to manually update your iptables rules to allow them access. For example, you can open a port to a specific source IP address. However, all the rules are based on IP addresses. IPTables is a very powerful tool for creating a firewall on your Linux system.
0 kommentar(er)
