Script automatically restart IPtables service in CentOS 7

WriteBash - A script that automatically restarts the IPtables service. In this article, I will give you a script to do that.

IPtables firewall and SSH brute force

What is the story? I have a VPS; I have set up an IPtables firewall on it and it works pretty well.

But there was a problem: about a week ago, the VPS provider had a power problem and had to restart the physical server. That is something no one wants.

Today, I checked the log and saw a lot of failed SSH logins; my VPS is being brute-forced over SSH. But I'm sure it wasn't before, because I changed the SSH port and set up automatic blocking of SSH brute force in IPtables.

I checked the IPtables service; it wasn't running. Why is that?

I started checking the message log and found the following entries. IPtables cannot start automatically when the VPS reboots because the DNS service failed. I have a domain name in my IPtables configuration.

May 28 07:00:32 centos7 systemd: Starting IPv4 firewall with iptables...
May 28 07:00:32 centos7 iptables.init: iptables: Applying firewall rules: iptables-restore v1.4.21: host/network `ntp.vng.vn' not found
May 28 07:00:32 centos7 systemd: Failed to start IPv4 firewall with iptables.
May 28 07:00:32 centos7 systemd: Starting IPv6 firewall with ip6tables...
May 28 07:00:32 centos7 ip6tables.init: ip6tables: Applying firewall rules: [  OK  ]
May 28 07:00:32 centos7 systemd: Started IPv6 firewall with ip6tables.

To prevent this from recurring, I thought about writing a script that automatically checks the IPtables service and restarts it if it isn't running.

Script automatically restart IPtables service

First, we create a directory to hold the script and the configuration file it uses.

# mkdir /opt/scripts
# mkdir /opt/scripts/config

Set permission 700 on this directory to make sure other users cannot read it.

# chmod 700 /opt/scripts

Next, copy the current iptables configuration file so the script can use it as a backup.

# cp /etc/sysconfig/iptables /opt/scripts/config/

Now, create the script /opt/scripts/01-check-iptables.sh with the content below.

Note the PATH line near the top of the script. You can read this article to understand why it is needed. If that line is missing, the script will not work when run from cron.

#!/bin/bash
# Script to check whether iptables is running.
# If it is not running, restart the iptables service.
PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/user/.local/bin:/home/user/bin

# Function: get the iptables service status
f_iptables_status () {
	# On CentOS 7 "service iptables status" is forwarded to systemctl,
	# whose output contains a line such as "Active: active (exited) ..."
	STATUS=$(service iptables status | grep 'Active:' | awk '{print $2}')

	# If the iptables status is not "active"
	if [[ "$STATUS" != "active" ]]; then
		# Call the function that restarts the iptables service
		f_restart_iptables
	fi
}

# Function: restart the iptables service
f_restart_iptables () {
	FILE="/etc/sysconfig/iptables"

	# If the iptables rules file exists, just restart the service
	if [[ -f "$FILE" ]]; then
		service iptables restart
	# If it does not exist, restore it from /opt/scripts/config/iptables first
	else
		cp /opt/scripts/config/iptables "$FILE"
		service iptables restart
	fi
}

# Main function
f_main () {
	f_iptables_status
}
f_main

exit 0

You can download the script at this link.

The script has two functions:

  • f_iptables_status: gets the status of IPtables; if it is not active, it calls f_restart_iptables.
  • f_restart_iptables: checks whether the iptables configuration file exists and restarts the service. If there is no configuration file, it copies the one from the config directory (created above) and then restarts the IPtables service.

Set up a crontab entry for the script

Now, type the following command to create a new crontab.

# crontab -e

Copy the line below into the crontab file. The script runs once every minute: every minute it checks the IPtables service and restarts it if it is not running.

*/1 * * * * /usr/bin/bash /opt/scripts/01-check-iptables.sh

Check whether the script works

Now, you can stop the IPtables service and see whether the script brings it back as expected.

Also, you can check the log file to see whether cron runs the script. It looks like this.

Jun  3 15:18:01 centos7 CROND[19878]: (root) CMD (/usr/bin/bash /opt/scripts/01-check-iptables.sh)
Jun  3 15:19:01 centos7 CROND[20776]: (root) CMD (/usr/bin/bash /opt/scripts/01-check-iptables.sh)

Conclusion

This script is quite simple, and so is its operating principle. Every minute, it checks whether the IPtables service is running. If it isn't, it restarts the service to keep the server protected.

One thing to keep in mind: make sure the IPtables file is correctly configured, because if it is configured incorrectly, restarting it automatically may accidentally lock you out.
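The boot failure above happened because a rule referenced a hostname (ntp.vng.vn) that iptables-restore had to resolve before DNS was up. The check below, added here as an example and not part of the original post or its script, scans a saved rules file for -s/-d/--to-source/--to-destination values that are hostnames rather than literal addresses; the sample ruleset it writes is constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): find rules in an iptables-save
# format file whose source/destination is a hostname. Each one makes
# iptables-restore depend on DNS at boot, the failure shown in the log above.

# Prints "line:<n> option:<opt> host:<name>" for each hostname found.
# Returns 0 if the file contains only literal addresses, 1 otherwise.
find_hostname_rules() {
    awk '
        # Literal = dotted IPv4 (optional /prefix, optional :port[-port])
        # or an IPv6 address (contains a colon, optional [..]:port, /prefix).
        function is_literal(v) {
            sub(/^!/, "", v)
            if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9.]+)?(:[0-9]+(-[0-9]+)?)?$/) return 1
            if (v ~ /^\[?[0-9a-fA-F]*:[0-9a-fA-F:]*\]?(\/[0-9]+)?(:[0-9]+(-[0-9]+)?)?$/) return 1
            return 0
        }
        /^[#*:]/ { next }                 # comments, *table and :CHAIN lines
        /^-/ {
            for (i = 1; i < NF; i++) {
                if ($i !~ /^(-s|--source|-d|--destination|--to-source|--to-destination)$/) continue
                v = $(i + 1)
                if (v == "!") v = $(i + 2)  # old "-s ! host" negation form
                if (!is_literal(v)) { found++; printf "line:%d option:%s host:%s\n", NR, $i, v }
            }
        }
        END { if (found > 0) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample ruleset (not a real configuration) to demonstrate the check.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp --dport 2222 -j ACCEPT
-A INPUT ! -s 10.0.0.1 -j DROP
-A OUTPUT -d ntp.vng.vn -p udp --dport 123 -j ACCEPT
-A INPUT -s fe80::1/64 -j ACCEPT
COMMIT
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
find_hostname_rules "$sample" || echo "hostnames found: replace them with addresses before relying on auto-restart"
rm -f "$sample"
```

Run it against /opt/scripts/config/iptables as well, since that backup copy is what the restart script falls back to when /etc/sysconfig/iptables is missing.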
