Linux Iptables: Add / Delete An IP Address Remotely Using A Shell Script

by Vivek Gite on October 22, 2009 · 3 comments

I've root ssh access and need to add / delete a few IP address on fly using the IPtables command via local shell script. How do I add or delete an IP address remotely over the SSH session under CentOS / Redhat / RHEL / Debian / Ubuntu Linux?

SSH client is a program for logging into a remote machine and for executing commands on a remote machine.

Iptables command is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. You can add or delete matching rules using the Iptables command itself. You can easily add or remove iptables rules using the ssh client

Syntax: Add an IP Address

ssh user@box.example.com /sbin/iptables -I INPUT -i  eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i  eth0 -s 1.2.3.4 -d 202.54.1.2  -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i  eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT

Syntax: Delete an IP Address

ssh user@box.example.com /sbin/iptables -D INPUT -i  eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i  eth0 -s 1.2.3.4 -d 202.54.1.2  -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i  eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT

Where,

  • -I INPUT - Insert an IP address to INPUT table.
  • -i eth0 : Interface name.
  • -s 1.2.3.4: Allow 1.2.3.4 ip address to access the server.
  • -d 202.54.1.2 : Server IP address.
  • -p tcp --destination-port 443 : Allow only TCP port 443.
  • -j ACCEPT - Action is set to allow connection from 1.2.3.4 client IP to server IP 202.54.1.2.

A Sample Shell Script

#!/bin/bash
# A sample shell script to add or delete an IP over remove ssh session in bulk or a single IP at a time
# Written by Vivek Gite, under GPL
# Usage:
# ./script.sh open  "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# ./script.sh close  "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# -------------------------------------------------------------------------
# note cut can be replaced with internal tring manipulation but, I prefer to use cut
# Purpose: add an IP over ssh
remoteipadd(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
    cmd="ssh ${vuser}@${vserver} /sbin/iptables -I INPUT -i ${wallif} -s ${client} -d ${ip} -p tcp --destination-port ${port} -j ACCEPT"
    #echo "$cmd"
	$cmd
}
# Purpose: Delete an IP over ssh
remoteipdelete(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
    cmd="ssh ${vuser}@${vserver} /sbin/iptables -D INPUT -i ${wallif} -s ${client} -d ${ip} -p tcp --destination-port ${port} -j ACCEPT"
    #echo "$cmd"
    $cmd
}
 
usage(){
	echo "Usage: $0 {open|close} \"clientIP:serverPort:SeverInterface:serverIP:sshUser:sshServer\""
	echo
    echo -e "\t$0 open \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
    echo -e "\t$0 close \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
    echo
    exit 1
}
 
line="$2"
 
[ $# -ne 2 ] && usage
 
case $1 in
	open) remoteipadd "$line";;
	close) remoteipdelete "$line";;
	*) usage
esac

You can create a text file call the script. A sample data.txt:

1.2.3.4:443:eth0:202.54.11.5:root:vpn.example.com
1.2.3.5:443:eth0:202.54.3.5:root:mysql.example.com
1.2.3.65:22:eth1:202.54.2.5:root:www08.example.com
22.12.33.5:80:eth1:202.54.12.5:root:www04.example.com

Run it as follows:

while IFS= read -r line; do  echo /path/to/script open "$line"; done <"/path/to/data.txt"

OR

while IFS= read -r line; do  echo /path/to/script close "$line"; done <"/path/to/data.txt"

See also:

  1. The while loop statement
  2. Shell functions
  3. Here strings

Featured Articles:

Share this with other sys admins!
Facebook it - Tweet it - Print it -

{ 3 comments… read them below or add one }

1 Sarah Sensde October 22, 2009

This *won’t* work, of course, for PORT 22 rules stopping you from connecting to a box….

Reply

2 Vivek Gite October 22, 2009

It all depends upon your setup. For example, most of our boxes have two interface:

* eth0 – VPN connected and ssh is always open on eth0
* eth1 – Public interface.

So you can run ssh over vpn connected and open IP for eth1.

Reply

3 Sarah Sensde October 22, 2009

Then you would not have;

“PORT 22 rules stopping you from connecting to a box”

Would you! Derrrrrr

Reply

Leave a Comment

You can use these HTML tags and attributes for your code and commands: <strong> <em> <ol> <li> <u> <ul> <blockquote> <pre> <a href="" title="">
What is 11 + 10 ?
Please leave these two fields as-is:
Solve the simple math so we know that you are a human and not a bot.




Tagged as: , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: