Simple IPTables Firewall with Whitelist and Blacklist

The following is a simple IPTables firewall script that can be used for general purposes.  It includes a port list and whitelist/blacklist.  The script was tested on CentOS v6 and Ubuntu v12.

Create the whitelist & blacklist files

These can remain empty until needed.

mkdir /etc/myfirewall
touch /etc/myfirewall/whitelist.txt
touch /etc/myfirewall/blacklist.txt

Enter one IP or domain per line as needed to permit or deny.  For example, to permit 1.1.1.1 and somedomain.com

nano /etc/myfirewall/whitelist.txt
1.1.1.1
​somedomain.com

Note about DNS domains and iptables.

If your whitelist specifies a domain, it is the resolved IP address that is added to the ipables rule.  So any change in the IP address of a domain in a whitelist or blacklist will require the firewall script to be re-run.

Create the firewall script

Located IPtables on your distribution and alter the IPTABLES= line in the script accordingly.

which iptables
which iptables-save

For non standard SSH port and to allow or deny other ports alter ALLOWED= line accordingly

nano /etc/myfirewall/firewall.sh
#!/bin/bash
#
## Simple IPTables Firewall with Whitelist & Blacklist
#
## List Locations
#

WHITELIST=/etc/myfirewall/whitelist.txt
BLACKLIST=/etc/myfirewall/blacklist.txt

#
## Specify ports you wish to use.
## For port listing reference see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
## To add port range separate by ":" with no spaces.  Ie. "10000:20000"
#

ALLOWED="22 25 53 80 443 465 587 993"

#
## Specify where IP Tables is located
#

IPTABLES=/sbin/iptables
IPTABLES_SAVE=/sbin/iptables-save

#
## Save current iptables running configuration in case we want to revert back
## To restore using our example we would run "/sbin/iptables-restore < /usr/src/iptables.last"
#

$IPTABLES_SAVE > /usr/local/etc/iptables.last

#
## Clear current rules
#
## If current INPUT policy is set to DROP we will be locked out once we flush the rules
## so we must first ensure it is set to ACCEPT.
#
$IPTABLES -P INPUT ACCEPT
echo 'Setting default INPUT policy to ACCEPT'

$IPTABLES -F
echo 'Clearing tables'
$IPTABLES -X
echo 'Deleting user defined chains'
$IPTABLES -Z
echo 'Zero chain counters'

#Always allow localhost.
echo 'Allowing Localhost'
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT

#
##The following rule ensures that established connections are not checked.
##It also allows for things that may be related but not part of those connections such as ICMP.
#

$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
## Whitelist
#

for x in `grep -v ^# $WHITELIST | awk '{print $1}'`; do
echo "Permitting $x..."
$IPTABLES -A INPUT -s $x -j ACCEPT
done

#
## Blacklist
#

for x in `grep -v ^# $BLACKLIST | awk '{print $1}'`; do
echo "Denying $x..."
$IPTABLES -A INPUT -s $x -j DROP
done

#
## Permitted Ports
#

for port in $ALLOWED; do
echo "Accepting port TCP $port..."
$IPTABLES -A INPUT -p tcp --dport $port -j ACCEPT
done

for port in $ALLOWED; do
echo "Accepting port UDP $port..."
$IPTABLES -A INPUT -p udp --dport $port -j ACCEPT
done

#
## NOTE: Test this script first to make sure it works as expected.
## Run "iptables -vnL" to ensure the rules are as expected and that your SSH port is correct.
##
## When you are sure this script works properly uncomment the following 2 lines to enforce the rules.
#

# $IPTABLES -A INPUT -p udp -j DROP
# $IPTABLES -A INPUT -p tcp --syn -j DROP

#
## Save the rules so they are persistent on reboot.
#
/etc/init.d/iptables save
Make the script executable and run.
chmod +x /etc/myfirewall/firewall.sh
/etc/myfirewall/firewall.sh
Check rules.
​iptables -vnL

Once you are sure the script is working properly with the proper SSH port allowed you can uncommend the two lines at the bottom of the script and run again to fully enable it.

Ubuntu iptables persistence

If using Ubuntu, install the persistent package.

apt-get install iptables-persistent 

Change the last line in the firewall script to:

$IPTABLES_SAVE > /etc/iptables/rules.v4