Jun 12, 2012
tom
No Comments

Updating iptables access list on several servers

Question

I currently limit IP addresses that have access to my SSH service with a rule like this

 # accept already established 
 iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp  --source w.x.y.z/32 --dport 22 -j ACCEPT
 iptables -A INPUT -p tcp  --source a.b.c.d/32 --dport 22 -j ACCEPT #drop everyting else
 iptables -A INPUT -j DROP 
 iptables -P FORWARD DROP

Where w.x.y.z and a.b.c.d are the allowed IPs.

I have this rule on multiple servers.

What would be the best way to be able to add and remove IPs to the allowed list and reload all servers rules so the changes are effective?

Asked by Patrick Forget

Answer

The best solution would be to use some sort of system management tool such as Puppet, Spacewalk, etc. Where you can push out configuration files to multiple computers at once. This will help you in the long run for other things as well. However, if you don’t want to deal with all of the hassle of doing a central management type of setup, you could create ssh keys on all of the servers and then create scripts to modify and restart iptables.

  • Have SSH keys of all of your Linux server so you can do passwordless SSH logins
  • Create mod_iptables_servers.sh
    • ssh login@server1 ‘bash -s’ < change_iptables.sh
    • ssh login@server2 ‘bash -s’ < change_iptables.sh
    • ssh login@server3 ‘bash -s’ < change_iptables.sh
  • Create a change_iptables.sh script that will modify your firewall rules and restart iptables
  • Run mod_iptables_servers.sh, which should login to all of your Linux machines and execute the change_iptables.sh script.

While I would highly recommend the central management solution, this way would be able to get the job done. As a disclaimer, I have never tried this but used the answer from this question to get the correct syntax – http://stackoverflow.com/questions/305035/how-to-use-ssh-to-run-shell-script-on-a-remote-machine.

Answered by Eric

Check more discussion of this question.

Related posts:

  1. Shortest iptables command allowing only ssh access
  2. iptables Ubuntu VPS SSH rule
  3. IPTables: allow SSH access only, nothing else in or out
  4. IPTables configuration help
  5. iptables — am I doing this right?

Leave a comment