adding insert_iptable_ip

2024-03-20 11:28:46 -05:00 · 2024-03-20 11:28:46 -05:00 · 8fb339b3a2
commit 8fb339b3a2
parent b4328822c5
1 changed files with 46 additions and 0 deletions
--- a/shell/insert_iptable_ip.sh
+++ b/shell/insert_iptable_ip.sh
@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# given an chain, IP/NM and interface insert that IP as an accept into the
+# chain as the next to last rule before global DROP; for instance give
+# chain "hosts_allow":
+#
+# iptables -nL hosts_allow:
+#  Chain hosts_allow (1 references)
+#  target     prot opt source       destination
+#  ACCEPT     all  --  1.2.3.4/28   0.0.0.0/0
+#  ACCEPT     all  --  4.3.2.1/26   0.0.0.0/0
+#  ACCEPT     all  --  5.6.7.8/27   0.0.0.0/0
+#  ACCEPT     all  --  8.7.6.5/24   0.0.0.0/0
+#  ACCEPT     all  --  2.4.6.8/24   0.0.0.0/0
+#  DROP       all  --  0.0.0.0/0    0.0.0.0/0
+#
+# example: ./insert_iptable_ip.sh hosts_allow 1.3.5.7/32 eth0
+#
+# SPDX-License-Identifier: MIT
+
+# shellcheck disable=SC2046
+if [ $(id -u) -ne 0 ]; then
+  echo "Must be root, exiting."
+  exit 1
+fi
+
+if [ $# -ne 3 ]; then
+  echo "Usage:   $0   "
+  echo "Example: $0 hosts_allow 1.3.5.7/32 eth0"
+  exit 2
+fi
+
+T_CHAIN=$1
+T_IP=$2
+T_INT=$3
+
+# the chain list has two extra lines, subtract those
+C_NUM=$(iptables -nL "${T_CHAIN}" | wc -l)
+# shellcheck disable=SC2004
+C_NUM=$(($C_NUM-2))
+
+# insert the IP as the last number (iptables is 1-based) which will push
+# the final global DROP down one line
+iptables -I "${T_CHAIN}" "${C_NUM}" -i "${T_INT}" -s "${T_IP}" -j ACCEPT
+
+exit 0