I've root ssh access and need to add / delete a few IP addresses on the fly using the iptables command via a local shell script. How do I add or delete an IP address remotely over the SSH session under CentOS / Redhat / RHEL / Debian / Ubuntu Linux?
The ssh client is a program for logging into a remote machine and for executing commands on that remote machine.
The iptables command is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. You can add or delete matching rules using the iptables command itself, and because ssh can run a single command on the remote host, you can add or remove iptables rules remotely with one ssh invocation.
Syntax: Add an IP Address
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT
Syntax: Delete an IP Address
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT
Where,
- -I INPUT : Insert the rule at the top of the INPUT chain (-D deletes the first matching rule instead).
- -i eth0 : Interface name.
- -s 1.2.3.4 : Allow the 1.2.3.4 IP address to access the server.
- -d 202.54.1.2 : Server IP address.
- -p tcp --destination-port 443 : Allow only TCP port 443.
- -j ACCEPT : Action is set to allow the connection from client IP 1.2.3.4 to server IP 202.54.1.2.
A Sample Shell Script
#!/bin/bash
# A sample shell script to add or delete an IP over a remote ssh session, in bulk or a single IP at a time
# Written by Vivek Gite, under GPL
# Usage:
#  ./script.sh open "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
#  ./script.sh close "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# -------------------------------------------------------------------------
# note: cut can be replaced with internal string manipulation but I prefer to use cut

# Purpose: add an IP over ssh
remoteipadd(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
	# run ssh directly with each field as its own argument (no word-splitting of a command string)
	ssh "${vuser}@${vserver}" /sbin/iptables -I INPUT -i "${wallif}" -s "${client}" -d "${ip}" -p tcp --destination-port "${port}" -j ACCEPT
}

# Purpose: delete an IP over ssh
remoteipdelete(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
	ssh "${vuser}@${vserver}" /sbin/iptables -D INPUT -i "${wallif}" -s "${client}" -d "${ip}" -p tcp --destination-port "${port}" -j ACCEPT
}

usage(){
	echo "Usage: $0 {open|close} \"clientIP:serverPort:serverInterface:serverIP:sshUser:sshServer\""
	echo
	echo -e "\t$0 open \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
	echo -e "\t$0 close \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
	echo
	exit 1
}

# exactly two arguments are required: the action and the colon-separated record
[ $# -ne 2 ] && usage
line="$2"
case "$1" in
	open) remoteipadd "$line";;
	close) remoteipdelete "$line";;
	*) usage
esac
You can also create a text file with one record per line and call the script for each line. A sample data.txt:
1.2.3.4:443:eth0:202.54.11.5:root:vpn.example.com
1.2.3.5:443:eth0:202.54.3.5:root:mysql.example.com
1.2.3.65:22:eth1:202.54.2.5:root:www08.example.com
22.12.33.5:80:eth1:202.54.12.5:root:www04.example.com
Run it as follows (the echo only prints each command so you can review it first; drop the echo to actually execute the script):
while IFS= read -r line; do echo /path/to/script open "$line"; done <"/path/to/data.txt"
OR
while IFS= read -r line; do echo /path/to/script close "$line"; done <"/path/to/data.txt"
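The script above executes whatever the data file contains and inserts a fresh rule on every "open", so a record run twice leaves two identical rules and a single "close" removes only one of them. The following is an added example, not code from the article or from nixCraft, showing one way to validate each record (same clientIP:port:iface:serverIP:sshUser:sshHost layout) before it reaches ssh/iptables and to check with iptables -C whether the rule is already present. It assumes a POSIX sh, iptables 1.4.11 or later on the remote box (for -C), and uses placeholder host names.

```shell
# Added example (not the article's code): validate a data.txt record before
# it reaches ssh/iptables and only insert a rule that is not already present.
# Assumes iptables 1.4.11+ on the remote box for -C; hosts are placeholders.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _old=$IFS; IFS=.; set -- $1; IFS=$_old
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
}

# Return 0 if $1 is a TCP port in 1-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate one record. The character whitelist comes first, so the unquoted
# word-splitting used below can never yield extra shell words from the record.
valid_record() {
    case $1 in ''|*[!A-Za-z0-9_.:-]*) echo "illegal characters: $1" >&2; return 1 ;; esac
    _old=$IFS; IFS=:; set -- $1; IFS=$_old
    [ $# -eq 6 ] || { echo "expected 6 fields, got $#" >&2; return 1; }
    valid_ipv4 "$1" || { echo "bad client IP: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    [ -n "$3" ] && [ -n "$5" ] && [ -n "$6" ] || { echo "empty field" >&2; return 1; }
    valid_ipv4 "$4" || { echo "bad server IP: $4" >&2; return 1; }
}

# Print the ssh argument list (user@host plus the remote iptables command) for action $1 (-I, -D or -C) and record $2.
ssh_args() {
    _old=$IFS; IFS=:; set -- "$1" $2; IFS=$_old
    echo "$6@$7 /sbin/iptables $1 INPUT -i $4 -s $2 -d $5 -p tcp --destination-port $3 -j ACCEPT"
}

# open: insert only if the rule is absent, so repeated runs never stack
# duplicate rules; close: delete only if it is present.
apply_record() {
    valid_record "$2" || return 1
    if ssh $(ssh_args -C "$2") 2>/dev/null; then _present=1; else _present=0; fi
    case $1 in
        open)  [ $_present -eq 0 ] || { echo "already open: $2"; return 0; }
               ssh $(ssh_args -I "$2") ;;
        close) [ $_present -eq 1 ] || { echo "already closed: $2"; return 0; }
               ssh $(ssh_args -D "$2") ;;
        *)     echo "usage: apply_record {open|close} record" >&2; return 1 ;;
    esac
}
```

Called as `apply_record open "$line"` inside the same read loop as above, a malformed or tampered line in data.txt is rejected with a reason on stderr instead of being handed to ssh.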
This *won't* work, of course, for PORT 22 rules stopping you from connecting to a box...
It all depends upon your setup. For example, most of our boxes have two interfaces:
* eth0 - VPN connected, and ssh is always open on eth0
* eth1 - Public interface.
So you can run ssh over the VPN connection and open an IP for eth1.
Then you would not have:
"PORT 22 rules stopping you from connecting to a box"
Would you! Derrrrrr