iptables rules for dynamic ip

Delete the current rule for the host, if one exists

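# Delete every FORWARD rule tagged with the host name in its comment.
# List and delete from the SAME chain (the original listed FORWARD but ran
# -D INPUT with FORWARD's line numbers, i.e. deleted unrelated rules), match
# the rendered "/* name */" comment as a fixed string, and delete the highest
# line number first so the remaining numbers stay valid when several rules
# match. xargs -r does nothing when there is no match.
iptables -nvL FORWARD --line-numbers \
  | grep -F -- '/* yourDomainHere.ddns.net */' \
  | awk '{ print $1 }' \
  | sort -rn \
  | xargs -r -I% iptables -D FORWARD %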

Add a new rule with the current IP

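# Resolve the name once (the last IPv4 record getent returns) and insert an
# ACCEPT for tcp/20,21 from that address at the top of FORWARD.
# xargs -r keeps a failed lookup from running iptables with an empty address.
# Note this trusts DNS: whoever controls (or spoofs) the name gets the ports.
getent ahostsv4 yourDomainHere.ddns.net | tail -n 1 | awk '/^[0-9]/ { print $1 }' \
  | xargs -r -I% iptables -I FORWARD -s %/32 -p tcp -m multiport --dports 20,21 -m comment --comment "yourDomainHere.ddns.net" -j ACCEPT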

Shell script that updates the allowed IP on the firewall and logs the change

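#!/bin/bash
# Allow FTP (tcp/20,21) through the INPUT chain for hosts behind dynamic DNS.
#
# Meant to be run periodically (e.g. from cron) as root. For every name in
# HOSTS it resolves the current IPv4 address, looks for the INPUT rule tagged
# with that name in its comment, and
#   - inserts the rule when none exists,
#   - replaces the rule when the address has changed,
#   - does nothing otherwise.
# Every change is printed and appended to /var/log/<script name>.log.
#
# Security note: the firewall is opened to whatever address the name resolves
# to, so the DDNS provider and the resolver path are trusted. Anyone able to
# take over the name or spoof the answer gets tcp/20,21 exposed; keep the FTP
# service itself authenticated and consider tightening what is allowed.

set -u
set -o pipefail

# Hosts whose current address should be allowed; edit this list.
HOSTS=( insertHereHost1.ddns.net insertHereHost2.ddns.net )

IPTABLES=/sbin/iptables
LOG_FILE="/var/log/$( basename "$0" ).log"

# Print "[ dd/mm/YYYY HH:MM ] message" to stdout and append it to LOG_FILE.
log() {
  printf '[ %s ] %s\n' "$( date '+%d/%m/%Y %R' )" "$*" | tee -a "$LOG_FILE"
}

# Resolve $1 to one IPv4 address (the last record getent returns), or print
# nothing when the lookup fails.
resolve_v4() {
  getent ahostsv4 "$1" | tail -n 1 | awk '/^[0-9]/ { print $1 }'
}

# List the INPUT rules (numbered, -nv format) whose comment is exactly host $1.
# iptables renders comments as "/* name */"; matching that form as a fixed
# string keeps insertHereHost1 from also matching insertHereHost10.
rules_for() {
  "$IPTABLES" -nvL INPUT --line-numbers | grep -F -- "/* $1 */"
}

# Insert the ACCEPT rule for host $1 using the already-resolved address $2.
# Passing the address instead of the name avoids a second, possibly different,
# lookup inside iptables (and the extra rules it would add for multi-A names).
add_rule() {
  "$IPTABLES" -I INPUT -s "$2/32" -p tcp -m multiport --dports 20,21 \
    -m comment --comment "$1" -j ACCEPT
}

# Delete every INPUT rule tagged with host $1, highest line number first so
# the remaining numbers stay valid while deleting.
del_rules() {
  rules_for "$1" | awk '{ print $1 }' | sort -rn \
    | xargs -r -I% "$IPTABLES" -D INPUT %
}

for host in "${HOSTS[@]}"; do
  current_ip=$( resolve_v4 "$host" )
  if [[ -z "$current_ip" ]]; then
    # Do not touch the firewall on a failed lookup: the existing rule stays
    # in place until the name resolves again.
    log "HOST $host could not be resolved; firewall left unchanged"
    continue
  fi

  existing=$( rules_for "$host" )
  if [[ -z "$existing" ]]; then
    log "There was no entry for HOST $host on firewall"
    add_rule "$host" "$current_ip"
    continue
  fi

  # With --line-numbers the -nv columns are:
  #   num pkts bytes target prot opt in out source destination ...
  # Only the first matching rule is compared; all matches are replaced.
  old_ip=$( awk 'NR == 1 { print $9 }' <<<"$existing" )
  old_pkts=$( awk 'NR == 1 { print $2 }' <<<"$existing" )

  if [[ "$old_ip" != "$current_ip" ]]; then
    log "HOST $host IP changed: $current_ip traffic with old IP: $old_pkts"
    del_rules "$host"
    add_rule "$host" "$current_ip"
  fi
done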


install geoip iptables module centos 7

1 – Install packages

# Build dependencies for xtables-addons. kernel-devel must match the running
# kernel (uname -r) or the module build fails — if the repo only carries a
# newer kernel, update and reboot into it first.
yum install gcc gcc-c++ make automake zip unzip xz wget perl-Text-CSV_XS \
  iptables-devel "kernel-devel-$(uname -r)"

2 – Download and decompress xtables-addons

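# Fetch the release over TLS: the plain-http mirror URL lets anyone on the
# path swap the tarball, and this code ends up loaded into the kernel.
# Compare the archive's checksum/signature against what the project publishes
# before building — this snippet cannot do that for you. The version must be
# one that builds against your kernel; 2.14 is what this page was written for.
XTADDONS_VERSION=2.14
wget "https://ufpr.dl.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-${XTADDONS_VERSION}.tar.xz" || exit 1
tar -xvf "xtables-addons-${XTADDONS_VERSION}.tar.xz" || exit 1
cd "xtables-addons-${XTADDONS_VERSION}" || exit 1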

3 – Compile xtables-addons

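# Configure, then comment xt_TARPIT out of the module build list before
# compiling (presumably it does not build against this kernel — verify on
# your system and leave the sed out if TARPIT compiles). The steps are
# chained so a failed configure is not followed by a half-built install.
./configure \
  && sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild \
  && make \
  && make install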

4 – Download and install geoip database

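# Build the geoip lookup tables. xt_geoip_dl downloads the source CSV from
# the network — check the script for where it fetches from and over what
# transport, since that data decides what the firewall drops — and
# xt_geoip_build converts it into the per-country files (big- and
# little-endian) that the xt_geoip module reads from /usr/share/xt_geoip.
# Each step stops on failure so a missing CSV is not silently "installed".
cd geoip || exit 1
./xt_geoip_dl || exit 1
./xt_geoip_build GeoIPCountryWhois.csv || exit 1
mkdir -p /usr/share/xt_geoip
cp -r BE LE /usr/share/xt_geoip || exit 1
modprobe xt_geoip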

5 – Insert a firewall rule to test

# Drop forwarded packets whose source address geolocates to any of these
# countries (comma-separated two-letter country codes). Geolocation is a
# best-effort match on the database just installed, not an identity check.
BLOCKED_CC=BR,JP,FR
iptables -A FORWARD -m geoip --src-cc "$BLOCKED_CC" -j DROP

block countries with iptables

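#!/bin/bash
# Block countries with iptables, based on ipdeny.com per-country IP range lists.
#
# Runs as root. Downloads the all-zones tarball into a private temp dir, then
# appends one INPUT DROP rule per range for each country in
# COUNTRIES_ISO_CODE_LIST. Re-running is safe: a range whose rule already
# exists is skipped (the original duplicated every rule on each run).
#
# Caveats:
#  - The list carries no signature; whoever serves it (or can tamper with the
#    download) decides what gets dropped. Fetching over https and checking
#    that every entry is a plain IPv4 CIDR keeps a tampered file from
#    smuggling extra match options into the iptables command line, but it can
#    still block ranges you did not intend — review the zone files if in doubt.
#  - The original wrote to fixed /tmp/all-zones paths as root; a local user
#    could pre-create them and feed the script their own zone files. mktemp
#    avoids that.
#  - Rules are appended (-A); traffic ACCEPTed by an earlier rule (e.g. a
#    conntrack ESTABLISHED rule) is unaffected.
#  - Thousands of individual rules are slow to evaluate; for large lists an
#    ipset-based match is the better tool.

set -u
set -o pipefail

COUNTRIES_ISO_CODE_LIST=(af cu mo)

ZONES_URL=https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
IPTABLES=/sbin/iptables

# True when $1 looks like a.b.c.d or a.b.c.d/n — the only shape iptables -s
# should ever receive from the downloaded file.
is_ipv4_cidr() {
  [[ "$1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]]
}

# Private working directory, removed on any exit.
WORK_DIR=$( mktemp -d ) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -rf -- "$WORK_DIR"' EXIT

# download list with range of countries ips
wget -q -O "$WORK_DIR/all-zones.tar.gz" "$ZONES_URL" \
  || { echo "download of $ZONES_URL failed" >&2; exit 1; }

mkdir "$WORK_DIR/all-zones" || exit 1
tar -xzvf "$WORK_DIR/all-zones.tar.gz" -C "$WORK_DIR/all-zones" \
  || { echo "extracting the zone archive failed" >&2; exit 1; }

for country_iso_code in "${COUNTRIES_ISO_CODE_LIST[@]}"; do
  zone_file="$WORK_DIR/all-zones/$country_iso_code.zone"
  if [[ ! -r "$zone_file" ]]; then
    echo "no zone file for $country_iso_code, skipping" >&2
    continue
  fi

  # Same comment text as before: "rule to XX country".
  comment="rule to $( printf '%s' "$country_iso_code" | tr '[:lower:]' '[:upper:]' ) country"

  # Read line by line (the original word-split `cat` output); the trailing
  # test also handles a last line without a newline.
  while IFS= read -r country_ip || [[ -n "$country_ip" ]]; do
    [[ -z "$country_ip" ]] && continue
    if ! is_ipv4_cidr "$country_ip"; then
      echo "skipping malformed entry '$country_ip' in $zone_file" >&2
      continue
    fi

    rule=( INPUT -s "$country_ip" -m comment --comment "$comment" -j DROP )
    # -C returns 0 when an identical rule is already present.
    if "$IPTABLES" -C "${rule[@]}" 2>/dev/null; then
      continue
    fi

    echo "creating rules to $country_iso_code $country_ip"
    "$IPTABLES" -A "${rule[@]}"
  done < "$zone_file"
done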