Linux Iptables: Add / Delete An IP Address Remotely Using A Shell Script

by on October 22, 2009 · 4 comments· LAST UPDATED October 22, 2009


I've root ssh access and need to add / delete a few IP addresses on the fly using the iptables command via a local shell script. How do I add or delete an IP address remotely over an SSH session under CentOS / Redhat / RHEL / Debian / Ubuntu Linux?

The SSH client is a program for logging into a remote machine and for executing commands on that machine.

The iptables command is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. You add or delete matching rules using the iptables command itself, so you can add or remove iptables rules on a remote host simply by running iptables through the ssh client.

Syntax: Add an IP Address

ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT

Syntax: Delete an IP Address

ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT

Where,

  • -I INPUT : Insert the rule at the head of the INPUT chain (-D INPUT deletes the matching rule again).
  • -i eth0 : Interface name.
  • -s 1.2.3.4 : Allow the 1.2.3.4 IP address to access the server.
  • -d 202.54.1.2 : Server IP address.
  • -p tcp --destination-port 443 : Allow only TCP port 443.
  • -j ACCEPT : Action is set to allow the connection from client IP 1.2.3.4 to server IP 202.54.1.2.

A Sample Shell Script

#!/bin/bash
# A sample shell script to add or delete an IP over a remote ssh session, in bulk or a single IP at a time
# Written by Vivek Gite, under GPL
# Usage:
# ./script.sh open  "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# ./script.sh close "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# -------------------------------------------------------------------------
# Note: cut can be replaced with internal string manipulation, but I prefer to use cut.
# Each record is "clientIP:serverPort:serverInterface:serverIP:sshUser:sshServer".
# Purpose: add an IP over ssh
remoteipadd(){
    local client=$(cut -d':' -f1<<<"$1")
    local port=$(cut -d':' -f2<<<"$1")
    local wallif=$(cut -d':' -f3<<<"$1")
    local ip=$(cut -d':' -f4<<<"$1")
    local vuser=$(cut -d':' -f5<<<"$1")
    local vserver=$(cut -d':' -f6<<<"$1")
    local cmd="ssh ${vuser}@${vserver} /sbin/iptables -I INPUT -i ${wallif} -s ${client} -d ${ip} -p tcp --destination-port ${port} -j ACCEPT"
    #echo "$cmd"
    $cmd
}
# Purpose: delete an IP over ssh
remoteipdelete(){
    local client=$(cut -d':' -f1<<<"$1")
    local port=$(cut -d':' -f2<<<"$1")
    local wallif=$(cut -d':' -f3<<<"$1")
    local ip=$(cut -d':' -f4<<<"$1")
    local vuser=$(cut -d':' -f5<<<"$1")
    local vserver=$(cut -d':' -f6<<<"$1")
    local cmd="ssh ${vuser}@${vserver} /sbin/iptables -D INPUT -i ${wallif} -s ${client} -d ${ip} -p tcp --destination-port ${port} -j ACCEPT"
    #echo "$cmd"
    $cmd
}

usage(){
    echo "Usage: $0 {open|close} \"clientIP:serverPort:serverInterface:serverIP:sshUser:sshServer\""
    echo
    echo -e "\t$0 open \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
    echo -e "\t$0 close \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
    echo
    exit 1
}

# Exactly two arguments are required: the action and one record
[ $# -ne 2 ] && usage

line="$2"

case $1 in
    open) remoteipadd "$line";;
    close) remoteipdelete "$line";;
    *) usage;;
esac

You can also put the records in a text file, one per line, and call the script once for each line. A sample data.txt:

1.2.3.4:443:eth0:202.54.11.5:root:vpn.example.com
1.2.3.5:443:eth0:202.54.3.5:root:mysql.example.com
1.2.3.65:22:eth1:202.54.2.5:root:www08.example.com
22.12.33.5:80:eth1:202.54.12.5:root:www04.example.com

Run it as follows (the echo only prints each command so you can review the list first; remove the echo to actually execute the script):

while IFS= read -r line; do  echo /path/to/script open "$line"; done <"/path/to/data.txt"

OR

while IFS= read -r line; do  echo /path/to/script close "$line"; done <"/path/to/data.txt"
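The sample script splices each colon-separated field straight into an ssh command line, so a malformed record (or a stray ";" in a field) becomes part of the command run as root on the remote box. The following is an added example, not the original script: it validates every field before building the rule, rejects user or host names that a leading dash would turn into ssh options, and on "open" checks with iptables -C before inserting so that re-running data.txt does not stack duplicate rules. It assumes the remote iptables supports -C (1.4.11 or later); the function names are mine.

```shell
#!/bin/bash
# Added example (not the original script): validate each record field before it
# is spliced into the ssh/iptables command line; iptables -C is assumed available.
# valid_ipv4 A.B.C.D -> true if exactly four dotted decimal octets in 0-255
valid_ipv4() {
    local IFS o n
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1;; esac
    IFS=. n=0
    for o in $1; do
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}
# valid_port N -> true if N is an integer in 1-65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# build_rule RECORD -> prints the iptables match/target arguments, or returns 1
# without printing if any field is malformed (subshell body: IFS/-f stay local)
build_rule() (
    IFS=:; set -f; set -- $1
    [ $# -eq 6 ] || return 1
    valid_ipv4 "$1" && valid_port "$2" && valid_ipv4 "$4" || return 1
    case $3 in ''|-*|*[!A-Za-z0-9._-]*) return 1;; esac   # interface name
    printf '%s\n' "-i $3 -s $1 -d $4 -p tcp --destination-port $2 -j ACCEPT"
)
# ssh_target RECORD -> prints user@host; a leading dash would be an ssh option
ssh_target() (
    IFS=:; set -f; set -- $1
    [ $# -eq 6 ] || return 1
    case $5 in ''|-*|*[!A-Za-z0-9._-]*) return 1;; esac   # ssh user
    case $6 in ''|-*|*[!A-Za-z0-9.-]*) return 1;; esac    # ssh host
    printf '%s\n' "$5@$6"
)
# remote_rule open|close RECORD -> insert (only if absent) or delete on the box
remote_rule() {
    local rule target
    rule=$(build_rule "$2") && target=$(ssh_target "$2") ||
        { echo "malformed record: $2" >&2; return 2; }
    case $1 in
        open)  ssh "$target" "/sbin/iptables -C INPUT $rule 2>/dev/null || /sbin/iptables -I INPUT $rule" ;;
        close) ssh "$target" "/sbin/iptables -D INPUT $rule" ;;
        *)     return 2 ;;
    esac
}
```

Drop it in place of remoteipadd/remoteipdelete and drive it with the same read loop, e.g. remote_rule open "$line"; a bad line is reported on stderr and skipped instead of being sent to the remote host.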

See also:

  1. The while loop statement
  2. Shell functions
  3. Here strings


1 Sarah Sensde October 22, 2009 at 11:19 am

This *won’t* work, of course, for PORT 22 rules stopping you from connecting to a box….


2 nixCraft October 22, 2009 at 12:26 pm

It all depends upon your setup. For example, most of our boxes have two interfaces:

* eth0 – VPN connected and ssh is always open on eth0
* eth1 – Public interface.

So you can run ssh over the VPN connection and open the IP for eth1.

3 Sarah Sensde October 22, 2009 at 12:33 pm

Then you would not have:

“PORT 22 rules stopping you from connecting to a box”

Would you! Derrrrrr


4 bregmann March 25, 2014 at 11:01 pm

You may use SecurityKISS rfw server to insert and delete iptables on the fly from the remote client.
The advantage is that the client does not need to have root access. It sends regular HTTP queries to the rfw, which acts as a web service that manages the server’s firewall.
See https://github.com/securitykiss-com/rfw for details.
