Pcsl

Reputation: 128

Adding my current IP to whitelist on iptables?

I'm pretty new to setting up a game server, but I want to block RCON for every IP except the ones that are whitelisted.

First I'm gonna use this through SSH:

iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1
iptables -A INPUT -p tcp --destination-port 27015 -j DROP

After that, I want that when a user runs a bash script or something similar, it detects the user's IP and adds it to the whitelist automatically.

How can I do this?

Upvotes: 0

Views: 1954

Answers (1)

leucos

Reputation: 18269

Assuming:

  • the bash script is run on the server
  • the users log in using ssh

You could create an ipset:

First, add this rule in iptables:

# this ACCEPT must sit above the DROP rule for port 27015; -A appends at the end, so if the DROP is already loaded use -I instead
iptables -A INPUT -i eth0 -m set --match-set whitelist src -p tcp --destination-port 27015 -j ACCEPT

Then create a set:

# the set must exist before iptables will load a rule that references it with -m set
sudo ipset -N whitelist iphash

Finally, add a script like this, using the SSH_CONNECTION environment variable:

#!/bin/bash
# SSH_CONNECTION is "client_ip client_port server_ip server_port"; the first field is the client address
USER_IP=$(echo "$SSH_CONNECTION" | cut -f1 -d' ')
sudo ipset -A whitelist "$USER_IP"

You could even add those two lines at the end of /root/.bash_profile so it gets done automagically when someone connects as root.

However, this assumes your friends are connecting as root via ssh. Since this is not desirable, you could use a temporary directory to hold the IP addresses, and add a cron job to fill the ipset hash:

  • Create /etc/cron.d/check_ipset with:

    * * * * *   root    /usr/local/bin/check_ipset
    
  • Create /usr/local/bin/check_ipset (and chmod 700):

    #!/bin/bash
    # add each pending address once; sort -u collapses repeated logins from the same client
    for i in $(sort -u /tmp/ipset_pending); do
      ipset -A whitelist "$i"
    done
    # empty the pending file; note it has to be writable by every ssh user for the
    # .bash_profile append below to work, so anyone local can feed addresses into this loop
    cat /dev/null > /tmp/ipset_pending
    
  • Add this to every user's .bash_profile:

    ...
    echo "$SSH_CONNECTION" | cut -f1 -d' ' >> /tmp/ipset_pending
    ...
    

Didn't test, so YMMV, but this should be close enough.

Upvotes: 1
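The login-hook plus cron-job design above works, but as posted it has root consume a world-writable file in /tmp and pass whatever is in it straight to ipset. The script below is an added example, not code from the answer or the asker, that keeps the same design and closes those gaps: the client address is validated as an IPv4 address before it reaches ipset, each user writes to their own file in a root-owned sticky spool directory instead of a shared /tmp file, and the cron side skips symlinks and deletes each file after draining it. It also orders the setup so the ipset exists before the `-m set` rule is loaded and inserts the ACCEPT above the DROP with `-I`. The spool path `/var/spool/rcon-whitelist`, the set name, the ipset 6 `create`/`add` syntax and the `hash:ip` (IPv4-only) set type are assumptions; IPv6 clients are rejected rather than passed to ipset.

```shell
#!/bin/sh
# Added example (not from the original answer): login hook + root cron drain
# feeding an ipset, with input validation and a per-user spool.
# Assumptions (site-specific, hypothetical): ipset 6 syntax, a hash:ip set
# (IPv4 only) and the spool directory below, owned by root, mode 1733.
SPOOL=${SPOOL:-/var/spool/rcon-whitelist}
SETNAME=${SETNAME:-whitelist}
IPSET=${IPSET:-ipset}   # overridable so drain_spool can be exercised without root

# One-time setup as root. The set has to exist before iptables will load a
# "-m set" rule, and the ACCEPT must sit above the DROP, hence -I rather than -A.
setup_firewall() {
  "$IPSET" create "$SETNAME" hash:ip -exist
  iptables -I INPUT -p tcp --dport 27015 -m set --match-set "$SETNAME" src -j ACCEPT
  mkdir -p "$SPOOL" && chown root:root "$SPOOL" && chmod 1733 "$SPOOL"
}

# Return 0 only if $1 is a dotted-quad IPv4 address with every octet 0..255.
# This is the check the original loop lacks: the spool contents end up as
# arguments to ipset running as root.
valid_ipv4() {
  local ip o oldifs
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# SSH_CONNECTION is "client_ip client_port server_ip server_port"; keep field 1.
client_ip() {
  printf '%s\n' "${1%% *}"
}

# Login hook, called from each user's .bash_profile: record this session's
# client address in a file named after the caller's uid (mode 0600 via umask).
submit_ip() {
  local ip
  ip=$(client_ip "${SSH_CONNECTION:-}")
  valid_ipv4 "$ip" || return 1
  ( umask 077; printf '%s\n' "$ip" >> "$SPOOL/$(id -u)" )
}

# Cron side, run as root every minute: add each distinct valid address, refuse
# anything that is not a regular file (a user could plant a symlink), and
# remove the file instead of truncating it in place.
drain_spool() {
  local f ip
  for f in "$SPOOL"/*; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    sort -u "$f" | while IFS= read -r ip; do
      if valid_ipv4 "$ip"; then
        "$IPSET" add "$SETNAME" "$ip" -exist
      else
        printf 'check_ipset: rejected %s from %s\n' "$ip" "$f" >&2
      fi
    done
    rm -f "$f"
  done
}
```

Wire it up by calling `setup_firewall` once as root, `submit_ip` from each user's `.bash_profile`, and `drain_spool` from the `/etc/cron.d` entry. Because `-exist` is passed to `ipset add`, a client that logs in twice does not make the cron job error out, and the `-I` insert means the ACCEPT is evaluated before the DROP regardless of when the DROP was loaded.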
