I wanted a custom IPTables firewall chain to allow SSH access to a machine. The idea is that users hit a web page that adds their dynamic IP address to a list and then a script inserts that IP address into IPTables to allow SSH access. I achieved this as follows.
In /etc/sysconfig/iptables I added:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-N sshaccess
-A INPUT -j sshaccess
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
Then a script run regularly from cron (below) flushes the existing rules in the ‘sshaccess’ chain, re-adds an ACCEPT rule for each listed address, and finally appends ‘-j RETURN’ so that control passes back to the INPUT chain (and on to RH-Firewall-1-INPUT for everything else).
#!/bin/sh
# Allow-list written by the web page: one entry per line, address in the first field,
# lines beginning with ';' are comments.
FILE="/path/to/ip_address_allowed_ssh_access.txt"
if [ -f "$FILE" ]; then
    # Collect the first field of every non-comment line
    IP_ADDRESSES=$(/bin/egrep -v '^;' "$FILE" | /bin/awk '{ print $1 }')
    # Drop the current rules from the chain, then rebuild it from the file
    /sbin/iptables --flush sshaccess
    for IP_ADDRESS in $IP_ADDRESSES
    do
        /sbin/iptables -A sshaccess -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 22 --source "$IP_ADDRESS" -j ACCEPT
    done
    # Hand everything that did not match back to the INPUT chain
    /sbin/iptables -A sshaccess -j RETURN
fi
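As an added example (not the script from the post), here is a variant of the same cron job that validates every allow-list entry as an IPv4 address, with an optional /prefix, before anything reaches iptables, and that separates generating the commands from executing them so the rebuild can be dry-run. The file path, file format (first field is the address, ';' starts a comment) and the ‘sshaccess’ chain follow the post; the function names and the split into build/apply steps are my own, and the job is assumed to run as root.

```shell
#!/bin/sh
# Added example: rebuild the 'sshaccess' chain from the allow-list, validating entries first.
# Assumptions: same file layout as the post (address in field 1, ';' comments), chain
# 'sshaccess' already exists, cron runs this as root.

ALLOW_FILE="/path/to/ip_address_allowed_ssh_access.txt"   # path taken from the post

# is_ipv4 ADDR -> exit 0 when ADDR is a dotted quad (each octet 0..255) with an
# optional /0..32 prefix length, exit 1 otherwise. POSIX awk only.
is_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 + 0 > 32) { exit 1 }
        { exit 0 }'
}

# build_sshaccess_rules FILE -> print, one per line, the iptables commands that rebuild
# the chain; invalid entries are reported on stderr and skipped. Nothing is executed here.
build_sshaccess_rules() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "allow-list $file missing; chain left unchanged" >&2
        return 0
    fi
    echo "/sbin/iptables --flush sshaccess"
    # Skip comment and blank lines, keep the first field (awk copes with a missing final newline)
    awk '!/^;/ && NF { print $1 }' "$file" | while read -r addr; do
        if is_ipv4 "$addr"; then
            echo "/sbin/iptables -A sshaccess -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 22 --source $addr -j ACCEPT"
        else
            echo "rejected invalid allow-list entry: $addr" >&2
        fi
    done
    echo "/sbin/iptables -A sshaccess -j RETURN"
}

# count_accept_rules FILE -> how many ACCEPT rules the rebuild would add (handy for checks/monitoring)
count_accept_rules() {
    build_sshaccess_rules "$1" 2>/dev/null | grep -c -- '-j ACCEPT'
}

# apply_sshaccess_rules FILE -> generate the command list, then run it; stops on the first
# iptables error. For a dry run call build_sshaccess_rules directly instead.
apply_sshaccess_rules() {
    build_sshaccess_rules "$1" | sh -e
}

# Cron entry point: apply only when explicitly asked, e.g.  sh rebuild-sshaccess.sh apply
if [ "$1" = "apply" ]; then
    apply_sshaccess_rules "$ALLOW_FILE"
fi
```

Running `build_sshaccess_rules "$ALLOW_FILE"` by hand shows exactly which rules cron is about to install, and the validation step means a malformed line written by the web page is logged and skipped rather than being passed through to iptables as an argument.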