A tool to help protect servers from remote attacks on services such as SSH, database services on port 3306, or Windows Remote Desktop, by dynamically updating the firewall whitelist from a DNS TXT record.
- Usage (you can add it to crontab):

```
python firewall_update_linux.py ip.txt.example.com
```

- Add the following line to your iptables configuration file (`/etc/sysconfig/iptables`):

```
-A INPUT -m set --match-set trusted src -j ACCEPT
```

- Then comment out the rule that opens SSH to everyone. You can find this line:

```
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
```

Change it into:

```
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
```
- If you want the ipset to be created automatically on startup, please check systemd-ipset by BroHui.
- If your iptables configuration references a non-existent ipset, the iptables service will break and won't start; that's why we need systemd-ipset.
You can add an IPv4 address or subnet. To add multiple IPs or subnets, separate them with ','. You can also add a separate TXT record per IP address/subnet.

- Example

| host   | type | record              |
|--------|------|---------------------|
| ip.txt | TXT  | "1.1.1.1,2.2.2.2/32" |
| ip.txt | TXT  | "3.3.3.3"           |
| ip.txt | TXT  | "4.4.4.0/24"        |
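As an added example (not the project's own `firewall_update_linux.py`), the following script shows the whole Linux path described above: it resolves the TXT records, parses the comma-separated entries from the example table, validates each one as IPv4, and loads them into the `trusted` ipset that the iptables rule matches. It assumes `dig` is installed for the lookup, and it adds two checks the README does not mention but a defender would want: entries broader than a `/8` (a constructed safety limit, `MIN_PREFIXLEN`) are dropped so a tampered or mistyped record cannot open the firewall to the whole Internet, and an empty or unusable answer leaves the existing set untouched instead of flushing it. The set is replaced via a temporary set and `ipset swap`, so there is no moment where the whitelist is empty during a cron run.

```python
import ipaddress
import shutil
import subprocess
from typing import List, Sequence

SET_NAME = "trusted"   # must match the ipset name in the iptables rule
MIN_PREFIXLEN = 8      # constructed safety limit: refuse anything wider than a /8


def parse_txt_records(records: Sequence[str], min_prefixlen: int = MIN_PREFIXLEN) -> List[ipaddress.IPv4Network]:
    """Turn raw TXT record strings into a de-duplicated list of valid IPv4 networks.

    A record may hold one entry ("3.3.3.3") or several separated by ','
    ("1.1.1.1,2.2.2.2/32"). Tokens that are not valid IPv4, that are IPv6, or
    that are wider than min_prefixlen are dropped instead of reaching ipset.
    """
    seen = set()
    nets: List[ipaddress.IPv4Network] = []
    for record in records:
        # dig prints TXT data wrapped in double quotes; strip them before splitting
        for token in record.strip().strip('"').split(","):
            token = token.strip()
            if not token:
                continue
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # garbage token: skip it
            if net.version != 4 or net.prefixlen < min_prefixlen:
                continue  # IPv6 or dangerously wide range: skip it
            if net not in seen:
                seen.add(net)
                nets.append(net)
    return nets


def build_ipset_commands(nets: Sequence[ipaddress.IPv4Network], set_name: str = SET_NAME) -> List[List[str]]:
    """Build the ipset command lines that replace the set's contents atomically.

    New entries go into a temporary set that is then swapped in, so the live set
    never sits empty between a flush and the re-add (which could lock an admin
    out if a cron run coincided with a login attempt).
    """
    tmp = f"{set_name}_tmp"
    cmds = [
        ["ipset", "create", set_name, "hash:net", "-exist"],
        ["ipset", "create", tmp, "hash:net", "-exist"],
        ["ipset", "flush", tmp],
    ]
    cmds += [["ipset", "add", tmp, str(net), "-exist"] for net in nets]
    cmds += [["ipset", "swap", tmp, set_name], ["ipset", "destroy", tmp]]
    return cmds


def fetch_txt_records(name: str) -> List[str]:
    """Look up TXT records with the system 'dig' binary (assumed to be installed)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils / dnsutils")
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]


def update_whitelist(name: str, run=subprocess.run) -> int:
    """Resolve the record, validate it and push it into ipset; returns the number of entries loaded."""
    nets = parse_txt_records(fetch_txt_records(name))
    if not nets:
        # an empty answer (DNS outage, typo in the record) must not wipe the current whitelist
        raise RuntimeError(f"no usable entries in TXT record {name}; leaving set '{SET_NAME}' unchanged")
    for cmd in build_ipset_commands(nets):
        run(cmd, check=True)
    return len(nets)


if __name__ == "__main__":
    import sys
    # e.g. python firewall_whitelist_example.py ip.txt.example.com
    print(update_whitelist(sys.argv[1]))
```

Run it as root from cron exactly like the project's script; `run` is a parameter of `update_whitelist` only so the ipset calls can be replaced with a recorder when testing without touching the live firewall.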
- You can use pyinstaller to build an EXE binary:

```
pyinstaller -F firewall_update_win.py
```

- CMD command to create a scheduled task with schtasks (updates every minute):

```
Schtasks /create /tn "Firewall_Update" /RU SYSTEM /sc daily /st 00:00 /RI 1 /K /DU 24:00 /tr "C:\Windows\system32\firewall_update_win.exe ip.txt.example.com"
```