I currently limit IP addresses that have access to my SSH service with a rule like this
# accept already established iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --source w.x.y.z/32 --dport 22 -j ACCEPT iptables -A INPUT -p tcp --source a.b.c.d/32 --dport 22 -j ACCEPT #drop everyting else iptables -A INPUT -j DROP iptables -P FORWARD DROP
Where w.x.y.z and a.b.c.d are the allowed IPs.
I have this rule on multiple servers.
What would be the best way to be able to add and remove IPs to the allowed list and reload all servers rules so the changes are effective?
The best solution would be to use some sort of system management tool such as Puppet, Spacewalk, etc. Where you can push out configuration files to multiple computers at once. This will help you in the long run for other things as well. However, if you don’t want to deal with all of the hassle of doing a central management type of setup, you could create ssh keys on all of the servers and then create scripts to modify and restart iptables.
- Have SSH keys of all of your Linux server so you can do passwordless SSH logins
- Create mod_iptables_servers.sh
- ssh login@server1 ‘bash -s’ < change_iptables.sh
- ssh login@server2 ‘bash -s’ < change_iptables.sh
- ssh login@server3 ‘bash -s’ < change_iptables.sh
- Create a change_iptables.sh script that will modify your firewall rules and restart iptables
- Run mod_iptables_servers.sh, which should login to all of your Linux machines and execute the change_iptables.sh script.
While I would highly recommend the central management solution, this way would be able to get the job done. As a disclaimer, I have never tried this but used the answer from this question to get the correct syntax – http://stackoverflow.com/questions/305035/how-to-use-ssh-to-run-shell-script-on-a-remote-machine.
Leave a comment
- Windows File Permissions and Attributes
- What is the easiest way to upgrade my existing Perl 5.14 to Perl 5.16 on FreeBSD 9 using the ports system?
- Know if mysql has done its job
- Redirect https .com to https .co.uk without a valid SSL cert on .com without DNS change
- Why is it a bad idea to use customer email as from address