iptables

iptables – enforce rule within specific time

linux

I got a requirement to block all public access via port 443 for a maintenance window, so the developer can deploy and troubleshoot their application without any intervention from external unknown access by public

Instead of messing with the network team, we take it on a lower level, iptables!

# iptables -A INPUT -p tcp -m multiport --dports 443 -m time --timestart 18:00:00 --timestop 20:00:00 -j DROP

Explanation

  1. Append current set of rules in INPUT chain, -A INPUT
  2. The rule looking for connection that using TCP protocol, -p tcp
  3. Support multiple port, one of the port is 443, -m multiport --dports 443
  4. Between 18:00:00UTC and 20:00:00UTC, -m time --timestart 18:00:00 --timestop 20:00:00
  5. And drop the connection, -j DROP

Note: above timestart and timestop in iptables is using UTC, thus need to adjust the actual time according to your machine timezone.

Note: above iptables rule will block all incoming traffic to port 443, even from localhost. So make sure you have precede a rule that allow traffic from localhost..

Open firewalld permanently in CentOS 7

centos

CentOS 7 was shipped together with firewalld which a layer above iptables.

Unlike iptables, no rc.local need to be update to make sure a permanent firewall configuration with firewalld.

Command

  • To permanently open TCP port 80
    $ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
  • The port is yet to open, unless we reboot the machine, else just reload service
    $ sudo firewall-cmd --reload
  • Make sure port open correctly by listing all allowed port/service
    $ firewall-cmd --list-all