Simple IPTables Firewall with Whitelist and Blacklist

Create the whitelist & blacklist files

These can remain empty until needed.

mkdir /etc/myfirewall
touch /etc/myfirewall/whitelist.txt
touch /etc/myfirewall/blacklist.txt

Enter one IP or domain per line as needed to permit or deny.  For example, to permit 1.1.1.1 and somedomain.com

nano /etc/myfirewall/whitelist.txt

1.1.1.1
​somedomain.com

Note about DNS domains and iptables.

If your whitelist specifies a domain, it is the resolved IP address that is added to the ipables rule.  So any change in the IP address of a domain in a whitelist or blacklist will require the firewall script to be re-run.

Create the firewall script

Located IPtables on your distribution and alter the IPTABLES= line in the script accordingly.

which iptables
which iptables-save

For non standard SSH port and to allow or deny other ports alter ALLOWED= line accordingly

nano /etc/myfirewall/firewall.sh

#!/bin/bash
#
## Simple IPTables Firewall with Whitelist & Blacklist
#
## List Locations
#

WHITELIST=/etc/myfirewall/whitelist.txt
BLACKLIST=/etc/myfirewall/blacklist.txt

#
## Specify ports you wish to use.
## For port listing reference see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
## To add port range separate by ":" with no spaces.  Ie. "10000:20000"
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

#
## Save current iptables running configuration in case we want to revert back
## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#

$IPTABLES_SAVE > /usr/local/etc/iptables.last

#
## Clear current rules
#
## If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'

$IPTABLES -F
echo 'Clearing tables'
$IPTABLES -X
echo 'Deleting user defined chains'
$IPTABLES -Z
echo 'Zero chain counters'

#Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

#
##The following rule ensures that established connections are not checked.
##It also allows for things that may be related but not part of those connections such as ICMP.
#

$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
## Whitelist
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
$IPTABLES -A INPUT -s $x -j ACCEPT
done

#
## Blacklist
#

for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
echo "Denying $x..."
$IPTABLES -A INPUT -s $x -j DROP
done

#
## Permitted Ports
#

for port in $ALLOWED; do
echo "Accepting port TCP $port..."
$IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT
done

for port in $ALLOWED; do
echo "Accepting port UDP $port..."
$IPTABLES -A INPUT -p udp --dport $port -j ACCEPT
done

#
## NOTE: Test this script first to make sure it works as expected.
## Run "iptables -vnL" to ensure the rules are as expected and that your SSH port is correct.
##
## When you are sure this script works properly uncomment the following 2 lines to enforce the rules.
#

# $IPTABLES -A INPUT -p udp -j DROP
# $IPTABLES -A INPUT -p tcp --syn -j DROP

#
## Save the rules so they are persistent on reboot.
#
/etc/init.d/iptables save

Make the script executable and run.

chmod +x /etc/myfirewall/firewall.sh
/etc/myfirewall/firewall.sh

Check rules.

​iptables -vnL

Once you are sure the script is working properly with the proper SSH port allowed you can uncommend the two lines at the bottom of the script and run again to fully enable it.

 

#!/bin/bash

yum install -y iptables-services 

systemctl start iptables && systemctl enable iptables

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -A INPUT -s   192.168.0.197,192.168.0.198,192.168.0.199,192.168.0.200,192.168.0.201,192.168.0.202,192.168.0.203,192.168.0.204,192.168.0.205   -j ACCEPT  

iptables -A INPUT -s   11.2.64.0/24 -j ACCEPT   #堡垒机ip地址

iptables -A INPUT -s   172.19.0.0/16 -j ACCEPT   # k8s svc网段

iptables -A INPUT -s   172.16.0.0/16 -j ACCEPT   # k8s pod网段

iptables -A INPUT -s   127.0.0.0  -j ACCEPT

iptables -A INPUT -s   172.17.0.1/16 -j ACCEPT



iptables -A INPUT  -j DROP  #禁止除上面白名单列表外的ip机器访问本机

service iptables save