ipsets with Shorewall
This is an example that lets you use Shorewall https://shorewall.org/index.html and ipsets to dynamically whitelist IPs.
You can achieve great power with these simple steps:
- A systemd service script that creates and loads the
ipset
at startup. - Refer to the ipset name in your shorewall rules.
1. Systemd Service for Ipset
Create a systemd service that will run at startup to create and populate your ipset
. Here's how you can create this service:
Step 1: Create the ipset
Script
First, create a script that will define and load your ipset
. Let's call this script create_ipsets.sh
.
This script should already be in /usr/local/bin/opt/knocknoc-agent/scripts for recent knocknoc-agent releases, however you need to edit it to change the ipset name to suit your needs.
/opt/knocknoc-agent/scripts/create_ipsets.sh:
#!/bin/bash
# Name of the ipsets
IPSET_NAMES="knocknoc_blocked rdp_allowed rdp_blocked"
# Loop through each IPSET_NAME and apply commands
for IPSET_NAME in $IPSET_NAMES; do
# Flush if exists
ipset -exist flush $IPSET_NAME || true
# Create the ipset
ipset -exist create $IPSET_NAME hash:ip
done
Make sure to make it executable:
sudo chmod +x /usr/local/bin/create_ipset.sh
Step 2: Create the Systemd Service File
Create a new systemd service file called ipset.service
.
This script should already be in /opt/knocknoc-agent/scripts for recent knocknoc-agent releases, please copy it to /etc/systemd/system/
/etc/systemd/system/ipset.service:
[Unit]
Description=Create ipset for SSH KnockingKnocknoc
Before=ufw.service
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/bin/opt/knocknoc-agent/scripts/create_ipset.sh
[Install]
WantedBy=multi-user.target
This script sets up the service to run before UFW (as indicated by Before=ufw.service
) but after the network is available (After=network.target
).
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable ipset.service
sudo systemctl start ipset.service
2. Integrating Ipset with UFW
For integrating the ipset
with UFW, you will typically use direct iptables rules. However, UFW does not directly support ipset
in its regular configuration files, so you'll have to add these rules in the after.rules
file for them to be applied with UFW.
Add Rules to UFW's after.rules
Edit the /etc/ufw/after.rules
file to add your custom iptables rules referencing the ipset
.
# At the end of /etc/ufw/after.rules
-A ufw-after-input -m set --match-set knocknoc src -p tcp --dport 22 -j ACCEPT
COMMIT
This rule will allow SSH connections on port 22 for IP addresses that are in the knocknoc
ipset.
Notes and Considerations:
- Testing: Always test firewall and startup scripts in a controlled environment before deploying them on a production server. "Cutting your hands off" is too easy if you are not careful!
- Order of Execution: The systemd script needs to execute before UFW starts, hence the
Before=ufw.service
directive. Ensure that the network is available before the script runs.
With this setup, your system will create and populate the ipset
at startup, and UFW will utilize these sets to allow traffic as specified. This approach provides a balance between the simplicity of UFW and the power of ipset
and iptables. Always ensure to test and verify your configuration in a safe environment before applying it to a live system.