The ssh client is a program for logging into a remote machine and for executing commands on it. The iptables command is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel; rules are added or deleted with iptables itself. Because ssh runs whatever command line follows the host name on the remote host (the words are joined with spaces and handed to the remote user's shell), you can add or remove iptables rules on a remote server from your local shell with a single ssh invocation, without an interactive login. The remote user must be root, or be allowed to run iptables through sudo, for the rule change to take effect.
Syntax: Add an IP Address
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -I INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT
Syntax: Delete an IP Address
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -j ACCEPT
ssh user@box.example.com /sbin/iptables -D INPUT -i eth0 -s 1.2.3.4 -d 202.54.1.2 -p tcp --destination-port 443 -j ACCEPT
Where,
- -I INPUT : insert the rule at the top (position 1) of the INPUT chain, so it is evaluated before any existing rule.
- -D INPUT : delete the first rule in the INPUT chain whose specification matches exactly.
- -i eth0 : match only packets arriving on interface eth0.
- -s 1.2.3.4 : match packets whose source address is 1.2.3.4, the client being allowed in.
- -d 202.54.1.2 : match packets whose destination is 202.54.1.2, the server's own IP address.
- -p tcp --destination-port 443 : match only TCP packets to port 443 (HTTPS).
- -j ACCEPT : accept the matching packets, i.e. allow the connection from client 1.2.3.4 to server 202.54.1.2.
Two things to keep in mind. First, -I adds a new rule every time it is run: repeating the "add" command stacks identical rules, while each -D removes only one of them. Use iptables -C with the same specification (available since iptables 1.4.11) to test whether the rule is already present before inserting it. Second, the rule is applied only if the remote user has the privileges to run iptables (root, or sudo).
A Sample Shell Script
#!/bin/bash
# A sample shell script to add or delete an IP over a remote ssh session, in bulk or a single IP at a time
# Written by Vivek Gite, under GPL
# Usage:
# ./script.sh open "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# ./script.sh close "1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com"
# -------------------------------------------------------------------------
# note: cut can be replaced with internal string manipulation, but I prefer to use cut
# Field layout of "$1": clientIP:serverPort:serverInterface:serverIP:sshUser:sshServer
# The fields are not validated here; they are passed verbatim to the remote shell,
# so feed this script only from a data file you control.
# Purpose: add an IP over ssh
remoteipadd(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
	# Build the command as an array so each field stays one word; ssh -n keeps ssh from
	# reading stdin, which matters when this script is called from a while-read loop
	local -a cmd=(ssh -n "${vuser}@${vserver}" /sbin/iptables -I INPUT -i "${wallif}" -s "${client}" -d "${ip}" -p tcp --destination-port "${port}" -j ACCEPT)
	#echo "${cmd[*]}"
	"${cmd[@]}"
}
# Purpose: Delete an IP over ssh
remoteipdelete(){
	local client=$(cut -d':' -f1<<<"$1")
	local port=$(cut -d':' -f2<<<"$1")
	local wallif=$(cut -d':' -f3<<<"$1")
	local ip=$(cut -d':' -f4<<<"$1")
	local vuser=$(cut -d':' -f5<<<"$1")
	local vserver=$(cut -d':' -f6<<<"$1")
	# Same command as above with -D: removes one rule matching this exact specification
	local -a cmd=(ssh -n "${vuser}@${vserver}" /sbin/iptables -D INPUT -i "${wallif}" -s "${client}" -d "${ip}" -p tcp --destination-port "${port}" -j ACCEPT)
	#echo "${cmd[*]}"
	"${cmd[@]}"
}
usage(){
	echo "Usage: $0 {open|close} \"clientIP:serverPort:serverInterface:serverIP:sshUser:sshServer\""
	echo
	echo -e "\t$0 open \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
	echo -e "\t$0 close \"1.2.3.4:443:eth0:202.54.1.5:root:www03.example.com\""
	echo
	exit 1
}
[ $# -ne 2 ] && usage
line="$2"
case $1 in
	open) remoteipadd "$line";;
	close) remoteipdelete "$line";;
	*) usage;;
esac
To process many servers at once, put one spec per line in a text file and call the script from a loop. A sample data.txt:
1.2.3.4:443:eth0:202.54.11.5:root:vpn.example.com
1.2.3.5:443:eth0:202.54.3.5:root:mysql.example.com
1.2.3.65:22:eth1:202.54.2.5:root:www08.example.com
22.12.33.5:80:eth1:202.54.12.5:root:www04.example.com
Run it as follows (the leading echo makes this a dry run that only prints the commands; remove it to apply the rules):
while IFS= read -r line; do echo /path/to/script open "$line"; done <"/path/to/data.txt"
OR
while IFS= read -r line; do echo /path/to/script close "$line"; done <"/path/to/data.txt"
One pitfall once the echo is removed: ssh reads its standard input, which inside this loop is data.txt. If the script invokes ssh without -n, the first ssh session swallows the remaining lines and only the first server is processed. Either run ssh with -n, or redirect the script's stdin away from the file, e.g. /path/to/script open "$line" </dev/null.
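The script above passes every field of the spec, including whatever is in data.txt, straight to a root shell on the remote host, and it re-inserts the rule on every "open" call. The following is an added example written for this page (my code, not Vivek Gite's script) that keeps the same spec format and open/close interface but validates each field before it is interpolated into the remote command, refuses to stack duplicate rules by checking with iptables -C first, and tells an absent rule apart from an unreachable host. It assumes the remote side has /sbin/iptables 1.4.11 or newer, that the ssh user may run it, and that key-based authentication is set up; the function names (is_ipv4, parse_spec, build_rule, rule_state, do_open, do_close) are my own.

```shell
#!/bin/sh
# Added example, not the page's script: a hardened "open/close" helper for the
# same "clientIP:serverPort:serverIface:serverIP:sshUser:sshHost" spec.
# Assumptions: the remote side has /sbin/iptables 1.4.11 or newer (for -C),
# the ssh user may run it, and key-based auth is configured (BatchMode=yes
# makes ssh fail instead of prompting, which matters inside a bulk loop).

# Field validators. Every field is later handed to a remote root shell, so
# only characters that are inert in sh are accepted, and nothing may start
# with "-", which would otherwise be parsed as an iptables or ssh option.
is_ipv4() {
    ip=$1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}
is_port()  { case "$1" in ''|*[!0-9]*) return 1 ;; esac
             [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
is_iface() { case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
             [ ${#1} -le 15 ]; }                 # IFNAMSIZ - 1
is_user()  { case "$1" in ''|[!A-Za-z_]*|*[!A-Za-z0-9._-]*) return 1 ;; esac
             [ ${#1} -le 32 ]; }
is_host()  { case "$1" in ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
             [ ${#1} -le 253 ]; }

# Split the spec on ":" (with globbing off, so a "*" field is not expanded
# against the local filesystem) and validate each field before exporting it.
parse_spec() {
    oldifs=$IFS; IFS=:; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 6 ] || { echo "spec needs 6 colon-separated fields, got $#" >&2; return 1; }
    is_ipv4  "$1" || { echo "bad client IP: $1"  >&2; return 1; }
    is_port  "$2" || { echo "bad port: $2"       >&2; return 1; }
    is_iface "$3" || { echo "bad interface: $3"  >&2; return 1; }
    is_ipv4  "$4" || { echo "bad server IP: $4"  >&2; return 1; }
    is_user  "$5" || { echo "bad ssh user: $5"   >&2; return 1; }
    is_host  "$6" || { echo "bad ssh host: $6"   >&2; return 1; }
    CLIENT=$1 PORT=$2 IFACE=$3 SERVER=$4 VUSER=$5 VHOST=$6
}

# The remote command; $1 selects -I (insert at top), -D (delete) or -C (check).
build_rule() {
    echo "/sbin/iptables -$1 INPUT -i $IFACE -s $CLIENT -d $SERVER -p tcp --destination-port $PORT -j ACCEPT"
}

# -n: never read stdin, or the first ssh in a `while read` loop eats the rest
# of data.txt. The command is one argument; ssh hands it to the remote shell.
remote() { ssh -n -o BatchMode=yes "$VUSER@$VHOST" "$1"; }

# iptables -C exits 0 when the rule exists and 1 when it does not; anything
# else (2 = bad rule spec, 255 = ssh could not connect) is a real error.
rule_state() {
    if remote "$(build_rule C)"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo present ;;
        1) echo absent ;;
        *) echo "check failed on $VHOST (exit $rc)" >&2; return 1 ;;
    esac
}

do_open() {
    state=$(rule_state) || return 1
    [ "$state" = present ] && { echo "rule already present on $VHOST"; return 0; }
    remote "$(build_rule I)"
}

do_close() {
    # -D removes a single matching rule; loop so stacked duplicates all go.
    while state=$(rule_state) && [ "$state" = present ]; do
        remote "$(build_rule D)" || return 1
    done
    [ "${state:-}" = absent ]
}

main() {
    [ $# -eq 2 ] || { echo "Usage: $0 {open|close} \"clientIP:serverPort:serverIface:serverIP:sshUser:sshHost\"" >&2; return 1; }
    parse_spec "$2" || return 1
    case $1 in
        open)  do_open ;;
        close) do_close ;;
        *)     echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; exit $?; fi
```

Used from the same while-read loop as the original script, a line such as 1.2.3.4:443:eth0;id:202.54.1.5:root:www03.example.com is rejected locally with "bad interface" instead of reaching the remote root shell, a second "open" for an already-allowed client is a no-op, and "close" keeps deleting until -C reports the rule gone.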