Firewall script without service

Sometimes on a Linux system it is not practical to use the built-in iptables-services or iptables-persistent packages to handle your firewall rules. For example, cPanel/WHM manages its own firewall rule set and ignores whatever is in the normal iptables rules file.

A very straightforward solution is to run a script from cron that checks whether your rules are currently present and, if not, adds them.

#!/bin/bash
# firewall.sh
# This script is run from cron to make sure the iptables rules that block Portmap are present

function addrules {
  iptables -I INPUT -m tcp -p tcp --dport 111 -j DROP -m comment --comment "Portmapper Vulnerability"
  iptables -I INPUT -m udp -p udp --dport 111 -j DROP -m comment --comment "Portmapper Vulnerability"
}

# Count the rules in the current ruleset that carry our comment
numrulesfound=$(iptables -nL | grep -c "Portmapper Vulnerability")

if [ "$numrulesfound" -eq 0 ]; then
  echo "Portmapper iptables rules NOT found, adding"
  addrules
else
  echo "$numrulesfound Portmapper iptables rules found, exiting"
fi

And a cron entry to run it periodically (this one runs at the top of every hour):

0 * * * * /root/firewall.sh > /dev/null 2>&1
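A variant of the same idea, added here as an example rather than taken from the post: it checks each rule individually with `iptables -C`, so a pair that has only partly survived (the script above exits as soon as any rule with the comment is counted) gets repaired, and a foreign rule that happens to carry the same comment text is not mistaken for ours. The IPT variable is an assumption of this example so the binary can be swapped for a stub when exercising the functions.

```shell
#!/bin/bash
# ensure-rules.sh (added example, not the original post's script)
# Checks each rule individually with `iptables -C` instead of grepping the
# listing for a comment string, so a partially present pair is repaired too.
# IPT is an assumption of this example: it lets the iptables binary be swapped
# out (for instance for a stub while testing).
IPT="${IPT:-iptables}"

# ensure_rule CHAIN RULE-SPEC...
# iptables -C exits 0 when the rule exists and 1 when it does not; any other
# code means something else went wrong (bad syntax, not root, lock held), so
# report it instead of blindly inserting.
ensure_rule() {
  chain=$1
  shift
  rc=0
  "$IPT" -C "$chain" "$@" 2>/dev/null || rc=$?
  case $rc in
    0) echo "present: $chain $*" ;;
    1) echo "missing: $chain $*, inserting"
       "$IPT" -I "$chain" "$@" ;;
    *) echo "error (exit $rc) while checking: $chain $*" >&2
       return "$rc" ;;
  esac
}

# The rule set to keep in place; returns non-zero if any rule could not be
# checked or inserted, so cron (or a wrapper) can notice.
ensure_rules() {
  status=0
  ensure_rule INPUT -p tcp -m tcp --dport 111 \
    -m comment --comment "Portmapper Vulnerability" -j DROP || status=$?
  ensure_rule INPUT -p udp -m udp --dport 111 \
    -m comment --comment "Portmapper Vulnerability" -j DROP || status=$?
  return "$status"
}

# Only touch the live ruleset when the tool is present and we are root; the
# functions above can still be sourced and exercised without either.
if command -v "$IPT" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
  ensure_rules
else
  echo "$IPT not available or not running as root; nothing applied" >&2
fi
```

The same cron entry as above works for this script; it simply prints one line per rule instead of one line per run.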