Sometimes on Linux systems, for one reason or another, it is not practical to use the built-in iptables-services or iptables-persistent packages to handle your firewall rules. For example, cPanel/WHM manages its own firewall rule set and does not care what is in the normal iptables rules file.
A very straightforward solution is to run a script from cron that checks whether your rules are currently present and, if they are not, adds them. The check has to be idempotent, since cron will run it over and over, and it has to check each rule on its own so that a half-present set (say, the TCP rule survived but the UDP one did not) is still repaired.
#!/bin/bash
# firewall.sh
# Run from cron to make sure the iptables rules that block portmapper (TCP and UDP port 111) are present.
# cron's default PATH usually lacks /sbin and /usr/sbin, where iptables lives, so set it explicitly.
PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

COMMENT="Portmapper Vulnerability"

# Check and add each protocol's rule separately, so a missing UDP rule is still
# added when the TCP rule happens to be present (a single count cannot tell them apart).
function ensure_rule {
    local proto="$1"
    # iptables -S prints rules in their canonical "-A INPUT ..." form, comment included.
    if iptables -S INPUT | grep -q -- "^-A INPUT -p $proto .*--comment \"$COMMENT\" "; then
        echo "Portmapper iptables rule for $proto found"
    else
        echo "Portmapper iptables rule for $proto NOT found, adding"
        iptables -I INPUT -p "$proto" -m "$proto" --dport 111 -m comment --comment "$COMMENT" -j DROP
    fi
}

ensure_rule tcp
ensure_rule udp
And an entry in root's crontab (the script calls iptables, so it needs root, and it must be executable) to run it hourly:
0 * * * * /root/firewall.sh > /dev/null 2>&1
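The same idea generalised to any number of rules, as an added example that is not part of the original post. The rules to enforce are written exactly as `iptables -S INPUT` prints them (copy the line from `-S` output after adding the rule once by hand, because iptables canonicalises the argument order), so presence is a literal whole-line comparison, and the missing ones are handed to `iptables-restore --noflush` in one batch. The script name, the function names and the `WANTED` list (the two portmapper rules plus a made-up NFS rule) are all assumptions for illustration.

```shell
#!/bin/bash
# ensure-rules.sh (added example, not from the original post)
# Keep a fixed list of iptables rules present, adding only the ones that are missing.
# Rules are written exactly as `iptables -S INPUT` prints them, so presence is a literal
# whole-line comparison and the check is idempotent across cron runs.
set -u
PATH=/usr/sbin:/sbin:$PATH   # cron's PATH usually lacks the sbin directories
export PATH

# Rules to enforce, one per line, in `iptables -S` form. Constructed sample list:
# the two portmapper rules from the post plus a hypothetical NFS rule.
WANTED='-A INPUT -p tcp -m tcp --dport 111 -m comment --comment "Portmapper Vulnerability" -j DROP
-A INPUT -p udp -m udp --dport 111 -m comment --comment "Portmapper Vulnerability" -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -m comment --comment "NFS not exposed" -j DROP'

# missing_rules CURRENT: print each WANTED line that does not appear verbatim in CURRENT,
# where CURRENT is the text of `iptables -S INPUT`.
missing_rules() {
    local current="$1"
    printf '%s\n' "$WANTED" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! printf '%s\n' "$current" | grep -qxF -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# to_insert RULE: rewrite "-A INPUT ..." as "-I INPUT ..." so the rule lands at the top
# of the chain, ahead of any ACCEPT rules a control panel may have appended.
to_insert() {
    printf '%s\n' "$1" | sed 's/^-A /-I /'
}

# apply: read the live ruleset and hand the missing rules to iptables-restore in one batch.
# --noflush keeps every existing rule; iptables-restore parses the quoted comments itself,
# so no eval or manual word splitting is needed. Needs root and a working iptables.
apply() {
    local current missing
    current=$(iptables -S INPUT) || { echo "iptables -S failed (not root?)" >&2; return 1; }
    missing=$(missing_rules "$current")
    if [ -z "$missing" ]; then
        echo "all rules present"
        return 0
    fi
    echo "adding:"; echo "$missing"
    {
        echo '*filter'
        printf '%s\n' "$missing" | while IFS= read -r rule; do to_insert "$rule"; done
        echo 'COMMIT'
    } | iptables-restore --noflush
}

# Run as: ensure-rules.sh --apply  (from root's crontab). Without the flag it only defines
# the functions, so the matching logic can be exercised without touching the firewall.
if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Two things to watch when adapting this: the comparison is exact, so a rule that differs only in argument order or in a comment string counts as missing and will be added a second time, and `-I` inserts at position 1, so the last missing rule in the list ends up highest in the chain.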