Script automatically restart IPtables service in CentOS 7

by Daniel Pham

In this article, I will give you a script that automatically restarts the IPtables service when it is not running.

IPtables firewall and SSH brute force

What is the story? I have a VPS, I set up an IPtables firewall on it, and it works pretty well.

But there was a problem: about a week ago the VPS provider had a power problem and had to restart the physical server. That is something no one wants.

Today, I checked the logs and saw a lot of failed SSH logins: my VPS was being brute-forced over SSH. I'm sure this wasn't happening before, because I changed the SSH port and set up automatic blocking of SSH brute force in IPtables.

I checked the IPtables service, and it was not running. Why?

I started checking the message log and found the following. IPtables could not start automatically when the VPS rebooted because DNS resolution failed: I have a domain name in my IPtables configuration, and iptables-restore could not resolve it.

May 28 07:00:32 centos7 systemd: Starting IPv4 firewall with iptables...
May 28 07:00:32 centos7 iptables.init: iptables: Applying firewall rules: iptables-restore v1.4.21: host/network `ntp.vng.vn' not found
May 28 07:00:32 centos7 systemd: Failed to start IPv4 firewall with iptables.
May 28 07:00:32 centos7 systemd: Starting IPv6 firewall with ip6tables...
May 28 07:00:32 centos7 ip6tables.init: ip6tables: Applying firewall rules: [  OK  ]
May 28 07:00:32 centos7 systemd: Started IPv6 firewall with ip6tables.

To prevent this from recurring, I thought about writing a script that automatically checks the IPtables service and restarts it if it is not running.
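A check worth running on the rules file before relying on it at boot, added here as an example and not code from the original post: it scans an iptables-save style file for -s/-d arguments that are host names rather than addresses, which is exactly the condition behind the "host/network ... not found" error in the log above. The function names, the constructed sample rules and the 203.0.113.10 address are this example's own.

```shell
#!/bin/bash
# Added example (not code from the original post): scan an iptables-save
# style rules file for match arguments that name a host instead of an IP
# address. Such rules make iptables-restore fail at boot when DNS is not
# yet available, which is the failure shown in the log above.

# Print every rule line whose -s/-d value is not an IP literal.
# Exit status 0 if at least one such rule was found, 1 otherwise.
f_rules_have_hostnames () {
	awk '
		# Skip comments and blank lines.
		/^#/ || /^[ \t]*$/ { next }
		{
			for (i = 1; i < NF; i++) {
				if ($i ~ /^(-s|-d|--source|--destination|--src|--dst)$/) {
					v = $(i + 1)
					sub(/^!/, "", v)          # tolerate the old "-s !host" form
					# IPv4 literal: digits and dots, optional /prefix.
					if (v ~ /^[0-9.]+(\/[0-9]+)?$/) continue
					# IPv6 literal: contains a colon; host names never do.
					if (v ~ /:/) continue
					print FILENAME ":" NR ": " $0
					found = 1
				}
			}
		}
		END { exit(found ? 0 : 1) }
	' "$1"
}

# Constructed sample rules for the demonstration: one rule uses the NTP host
# name from the log above instead of an address. Prints the temp file path.
f_demo_rules_file () {
	F=$(mktemp)
	printf '%s\n' \
		'*filter' \
		':INPUT DROP [0:0]' \
		':OUTPUT ACCEPT [0:0]' \
		'-A INPUT -s 10.0.0.0/8 -p tcp --dport 2222 -j ACCEPT' \
		'-A INPUT ! -s 192.168.1.0/24 -p tcp --dport 22 -j DROP' \
		'-A OUTPUT -d ntp.vng.vn -p udp --dport 123 -j ACCEPT' \
		'COMMIT' > "$F"
	printf '%s\n' "$F"
}

# The same rules with the host name replaced by a constructed address
# (203.0.113.10 is documentation space), as the corrected file would look.
f_demo_fixed_rules_file () {
	SRC=$(f_demo_rules_file)
	F=$(mktemp)
	sed 's/ntp\.vng\.vn/203.0.113.10/' "$SRC" > "$F"
	rm -f "$SRC"
	printf '%s\n' "$F"
}

# Stand-alone demonstration: bash this-script.sh --demo
if [ "${1:-}" = "--demo" ]; then
	DEMO=$(f_demo_rules_file)
	if f_rules_have_hostnames "$DEMO"; then
		echo "rules file $DEMO contains host names; iptables-restore may fail at boot"
	fi
	rm -f "$DEMO"
fi
```

To use it on a real server, call f_rules_have_hostnames /etc/sysconfig/iptables; any line it prints should be rewritten with an IP address (or resolved by a separate job after the network is up) so the firewall no longer depends on DNS at boot.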

Script automatically restart IPtables service

Script automatically restart IPtables service in CentOS 7.

First, we will create a directory to contain the script and configuration files to use.

mkdir /opt/scripts
mkdir /opt/scripts/config

Set permission 700 on this directory so that other users cannot read it.

chmod 700 /opt/scripts

Next, copy the current iptables configuration file so the script can use it as a backup.

cp /etc/sysconfig/iptables /opt/scripts/config/

Now, create the script /opt/scripts/01-check-iptables.sh with the content below.

You see the PATH line at the beginning of the script. You can read this article to understand why it is needed: cron runs the script with a minimal environment, and without that line the commands it calls may not be found, so the script will not work.

#!/bin/bash
# Script used to check whether iptables is running.
# If it is not running, restart the iptables service.

# Explicit PATH so the commands below are found when run from cron.
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin

# Function: get iptables status
f_iptables_status () {
	# On CentOS 7 "service" forwards to systemctl; the "Active:" line gives the state.
	STATUS=$(service iptables status | grep Active: | awk '{print $2}')

	# If iptables status is not "active"
	if [[ "$STATUS" != "active" ]]; then
		# Call function to restart the iptables service
		f_restart_iptables
	fi
}

# Function: restart the iptables service
f_restart_iptables () {
	FILE="/etc/sysconfig/iptables"

	# Check whether the iptables rules file exists
	if [[ -f "$FILE" ]]; then
		service iptables restart
	# If the rules file does not exist, copy it from /opt/scripts/config/iptables and start the service
	else
		cp /opt/scripts/config/iptables /etc/sysconfig/iptables
		service iptables restart
	fi
}

# Function: main
f_main () {
	f_iptables_status
}
f_main

exit 0

You can download the script at this link.

The script has two functions:

  • f_iptables_status: gets the status of IPtables; if it is not active, calls the function f_restart_iptables.
  • f_restart_iptables: if the iptables configuration file exists, restarts the service. If there is no configuration file, copies it from the config directory (created above) and then restarts the IPtables service.

Set crontab for script

Now, type the following command to create a new crontab.

crontab -e

Copy the line below into the crontab file. It runs the script once every minute, so every minute it checks the IPtables service and restarts it if it is not running.

*/1 * * * * /usr/bin/bash /opt/scripts/01-check-iptables.sh

Check if the script works

Now, you can stop the IPtables service and see if the script works as expected.

Also, you can check the log file to see whether cron runs the script. It looks like this.

Jun  3 15:18:01 centos7 CROND[19878]: (root) CMD (/usr/bin/bash /opt/scripts/01-check-iptables.sh)
Jun  3 15:19:01 centos7 CROND[20776]: (root) CMD (/usr/bin/bash /opt/scripts/01-check-iptables.sh)

Conclusion

This script is quite simple, and so is its operating principle. Every minute it checks whether the IPtables service is running; if it is not, it restarts the service so the server stays protected.

One thing to keep in mind: make sure the IPtables file is correctly configured, because if it is configured incorrectly, restarting it automatically may lock you out.
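A hardened variant of the checker described above, added as an example and not the post's own script, which also addresses the caveat just stated: before restarting it sanity-checks the live rules file (and falls back to the backup copy) and refuses to restart with a file that does not parse, rather than reloading a broken ruleset. It assumes CentOS 7 with the iptables-services package (systemd unit "iptables", rules in /etc/sysconfig/iptables), the backup in /opt/scripts/config/iptables from earlier in the post, and iptables-restore's --test option (present in the CentOS 7 iptables 1.4.21 build), which parses a file without applying it; the function names, the IPT_RESTORE variable and the "check" argument are this example's own.

```shell
#!/bin/bash
# Added example, not the post's own script: a hardened variant of the checker.
# Assumptions: CentOS 7 with the iptables-services package (systemd unit
# "iptables", live rules in /etc/sysconfig/iptables) and the backup copy in
# /opt/scripts/config/iptables created earlier in the post. Variable names
# and the "check" argument are this example's own choices.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"
BACKUP_FILE="${BACKUP_FILE:-/opt/scripts/config/iptables}"
# Parser used to validate a rules file. Set IPT_RESTORE=true to skip the
# parse step, e.g. when trying the functions on a host without iptables.
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# Return 0 when the iptables unit reports "active" (systemctl is-active).
f_iptables_active () {
	[ "$(systemctl is-active iptables 2>/dev/null)" = "active" ]
}

# Sanity-check a rules file before restarting with it: it must exist, be
# non-empty and contain a COMMIT line; when the parser is available, also
# parse it with --test, which builds the ruleset without applying it.
f_rules_file_ok () {
	RF="$1"
	[ -s "$RF" ] || return 1
	grep -q '^COMMIT' "$RF" || return 1
	if command -v "$IPT_RESTORE" >/dev/null 2>&1; then
		"$IPT_RESTORE" --test "$RF" >/dev/null 2>&1 || return 1
	fi
	return 0
}

# Print the rules file to restart with: the live file if it passes the check,
# otherwise the backup; return 1 when neither is usable.
f_select_rules_file () {
	for CANDIDATE in "$1" "$2"; do
		if f_rules_file_ok "$CANDIDATE"; then
			printf '%s\n' "$CANDIDATE"
			return 0
		fi
	done
	return 1
}

# Restart only with a rules file that passed the check; otherwise refuse and
# log, rather than lock the operator out with a broken or empty ruleset.
f_restart_iptables () {
	CHOSEN=$(f_select_rules_file "$RULES_FILE" "$BACKUP_FILE") || {
		logger -t check-iptables "no usable rules file, refusing to restart iptables"
		return 1
	}
	if [ "$CHOSEN" != "$RULES_FILE" ]; then
		cp "$CHOSEN" "$RULES_FILE"
		logger -t check-iptables "restored $RULES_FILE from $CHOSEN"
	fi
	systemctl restart iptables && logger -t check-iptables "iptables restarted"
}

f_main () {
	f_iptables_active || f_restart_iptables
}

# Run the check only when invoked with the "check" argument, e.g. from cron:
#   * * * * * /usr/bin/bash /opt/scripts/01-check-iptables.sh check
if [ "${1:-}" = "check" ]; then
	f_main
fi
```

The "check" argument keeps the functions loadable for testing without touching the firewall; the cron entry from the post then becomes the one shown in the comment. Because the script logs through logger, a refused restart shows up in /var/log/messages next to the CROND lines, so a rules file that has stopped parsing is noticed instead of being silently skipped.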

(This is an article from my old blog that has been inactive for a long time, I don’t want to throw it away so I will keep it and hope it helps someone).


© 2021-2024 DevOpsLite.com – All rights reserved.