
On a router running Unix I wish to monitor all outgoing packets; of these packets I want to temporarily whitelist the IP addresses I am connecting to, to both send and receive.

Basically, to create a pinhole in a firewall that normally would drop all incoming packets (drops all packets except whitelisted ones, which were whitelisted by this script based on IPs I send a packet to connect to). In looking around I could make a bash script based off a packet sniffer, but is there a way to do it within iptables itself and not have to involve a packet sniffer and bash script?

1 Answer


This already exists in the form of the connection tracking module in iptables. This Digital Ocean tutorial describes this, and contemporary distributions often implement this by default.

Before doing this be sure you have a way to get back in if you lock yourself out.

Essentially:

# Accept everything from the trusted admin host
iptables -A INPUT -s YOUR-TRUSTED-HOST -j ACCEPT
# Accept replies to connections this machine already initiated
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Default policy: drop everything else (-P takes the target directly, no -j)
iptables -P INPUT DROP

All incoming packets are dropped unless they relate to an established connection.

A shell based mechanism is likely to be too slow to keep up with the rate at which machines create connections.

jscott
Jason Martin
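The ruleset below is an added example, not code from the question or the answer above. It turns the three-rule sketch into a complete stateful "pinhole" firewall for a router in iptables-restore format, covering both the router itself (INPUT) and the hosts behind it (FORWARD), and applies it with a rollback timer so a mistake cannot lock you out. The trusted host 203.0.113.10, the SSH port 22 and the interface names lan0/wan0 are placeholder assumptions, not values from the original post.

```shell
#!/bin/sh
# Added example (not from the original Q&A): stateful pinhole firewall built on
# the conntrack match, plus a dead-man-switch apply step.
# Assumed placeholders: TRUSTED_HOST, SSH_PORT, LAN_IF, WAN_IF.
TRUSTED_HOST="${TRUSTED_HOST:-203.0.113.10}"   # assumed admin host (TEST-NET-3)
SSH_PORT="${SSH_PORT:-22}"                     # assumed management port
LAN_IF="${LAN_IF:-lan0}"                       # assumed inside interface
WAN_IF="${WAN_IF:-wan0}"                       # assumed outside interface

# Emit the whole ruleset in iptables-restore format. Ordering is the point:
# loopback and the trusted host are let in first, then anything conntrack has
# already seen (ESTABLISHED/RELATED), and the chain policy DROP catches the
# rest. OUTPUT and LAN->WAN are open: those outbound packets are what create
# the conntrack entries that let the replies back in, so no sniffer is needed.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${TRUSTED_HOST} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: count the rules that open NEW connections.
# Exactly two are expected (SSH from the trusted host, and LAN-originated
# traffic going out); anything more means a pinhole was opened by mistake.
count_new_accepts() {
    build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Count the stateful "let replies in" rules; one per chain that has policy DROP.
count_stateful_accepts() {
    build_rules | grep -c -- '--ctstate ESTABLISHED,RELATED -j ACCEPT'
}

# Apply with a rollback timer. The current ruleset is saved first and a
# background job restores it after $1 seconds. If you can still log in after
# the new rules are live, kill that job; if you were locked out, just wait.
apply_with_rollback() {
    delay="${1:-120}"
    iptables-save > /tmp/iptables.rollback || return 1
    ( sleep "$delay"; iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    build_rules | iptables-restore || return 1
    echo "Applied. Within ${delay}s run: kill \$(cat /tmp/iptables.rollback.pid)"
}

case "${1:-show}" in
    show)  build_rules ;;                     # print the ruleset for review
    apply) apply_with_rollback "${2:-120}" ;; # needs root and iptables-restore
esac
```

Run it with no arguments to review the generated rules, then `apply 120` as root; the `kill` printed at the end is the confirmation step that keeps the new rules. INVALID is dropped ahead of the stateful accept so packets conntrack cannot attribute to any flow never reach the trusted-host rule.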