1 | | -# rifc |
2 | | -Remote IP-list Firewall Configurer |
| 1 | +# RIFC |
| 2 | + |
| 3 | +RIFC (IP-list Firewall Configurer) is a Linux shell script for use with `iptables` to create a chain with a list of IP addresses (or networks) that should be allowed according to that chain. This chain can then be used as a white-list for other chains that govern access to specific services. |
| 4 | + |
| 5 | +In other words, it's so that you can keep a text file with a list of IP or network addresses and mirror that list as a chain as a white-list in a Linux firewall. |
| 6 | + |
| 7 | +## Assumptions |
| 8 | + |
| 9 | +**This script was originally only written for the personal use of the author and is published mostly because hey, why not?** The author will gladly help, but just keep in mind that it wasn't published with wide-spread use in mind. |
| 10 | + |
| 11 | +* The user is assumed to know how to use `iptables`. In particular, the firewall is assumed to appropriately block connections if RIFC hasn't allowed them. On its own, RIFC won't disallow or block anything; only allow. |
| 12 | + |
| 13 | +* The given `iptables` chain is assumed to exist. |
| 14 | + |
| 15 | +* The URL is assumed to be accessible (consequently, that you are able to host a text file at some URL). |
| 16 | + |
| 17 | +* The file at the URL is assumed to contain a newline-separated list of IP or network addresses. |
| 18 | + |
| 19 | +## Usage |
| 20 | + |
| 21 | +RIFC must be run as the root user because it manages the firewall. |
| 22 | + |
| 23 | + sudo rifc https://example.com/list-of-allowed-ips.txt EXAMPLE_IPS |
| 24 | + |
| 25 | +Typically, you'll want to run it with some sort of scheduler like `cron`, at least if you want the chain (EXAMPLE_IPS) to be updated when the text file is updated. |
| 26 | + |
| 27 | +### Example |
| 28 | + |
| 29 | +Let's say that you have an SSH server (TCP port 22) that you only want accessible to the IP address `123.123.123.123` and the network `234.234.234.234/22` (neither of which make sense but that's beside the point). |
| 30 | + |
| 31 | +For this circumstance, we create a text file containing: |
| 32 | + |
| 33 | + 123.123.123.123 |
| 34 | + 234.234.234.234/22 |
| 35 | + |
| 36 | +We'll need to host this text file at some URL and assume that it is `https://example.com/list-of-networks.txt`. |
| 37 | + |
| 38 | +Then we'll create an `iptables` chain which we'll name `SERVICE_SSH` (but can be called whatever you want) on the firewall: |
| 39 | + |
| 40 | + sudo iptables -N SERVICE_SSH |
| 41 | + |
| 42 | +We will then tell the `INPUT` chain that we'll want connection to SSH (TCP port 22) to go by this new chain: |
| 43 | + |
| 44 | + sudo iptables -A INPUT -p tcp --dport 22 -j SERVICE_SSH |
| 45 | + |
| 46 | +And then, finally, you'll run RIFC: |
| 47 | + |
| 48 | + sudo rifc https://example.com/list-of-networks.txt SERVICE_SSH |
| 49 | + |
| 50 | +The output should be something like: |
| 51 | + |
| 52 | + Adding IP 123.123.123.123... done |
| 53 | + Adding IP 234.234.234.234/22... done |
| 54 | + |
| 55 | +And then, if you were to delete the first line and re-run RIFC: |
| 56 | + |
| 57 | + Removing IP 123.123.123.123... done |
| 58 | + |
| 59 | +At that point, the IPs and networks specified in `https://example.com/list-of-networks.txt` will be mirrored in the `iptables` chain `SERVICE_SSH`. Connections from those IPs and networks should be accepted by the firewall from then on. |
| 60 | + |
| 61 | +Hopefully, that makes sense. If you have any problems, don't hesitate just sending the author an email. |
| 62 | + |
| 63 | +## Authors |
| 64 | + |
| 65 | +* Helgi Hrafn Gunnarsson <helgi@binary.is> |
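Review bot: the Usage example (the `SERVICE_SSH` steps, new lines 38-48) never shows what happens to a connection whose source is not in the chain; after `sudo iptables -A INPUT -p tcp --dport 22 -j SERVICE_SSH` an unmatched packet simply returns to `INPUT` and is decided by whatever follows, so for a reader with an ACCEPT default policy the white-list does nothing. New line 11 only says the firewall is "assumed to appropriately block", so consider completing the example with the explicit fall-through rule, e.g. `sudo iptables -A INPUT -p tcp --dport 22 -j DROP`, or at least a sentence stating that such a rule or a DROP policy must exist. Relatedly, the Assumptions section says the URL is assumed accessible but not what the script does when the fetch fails or returns an empty body; if that case is treated as an empty list and walks the "Removing IP ..." path shown on new line 57 for every entry, a transient outage of the host serving the list would lock every listed address out of SSH, which deserves a sentence in the README (and ideally a guard in the script that leaves the chain untouched on a failed or empty fetch).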