An interactive and secure Bash script to harden Iranian servers by strictly controlling which IPs and ports are allowed — ideal for tunneling setups.
✅ Tailored for tunnels like Rathole v2, Backhaul, Xray, or private proxy systems.
- ❌ Block all traffic (inbound & outbound) by default
- 🌍 Allow only specific ports from a foreign (non-Iranian) server IP
- 🔕 Disable ICMP (ping) to avoid discovery
- 💾 Auto-save rules via `iptables-persistent`
- 🔁 One-click reset to default open state
- 📱 Interactive emoji-powered menu — no manual editing
- 🔐 TCP / UDP / Both rule support
- 🧠 Remembers last used IP & ports
- 🧪 Ping test to verify foreign IP reachability
- 📋 View open ports and allowed IPs
- ✅ All interactive — no manual iptables usage required
Install the latest enhanced version (v2):

```bash
bash <(curl -Ls https://raw.githubusercontent.com/power0matin/Iran-Firewall-Manager/main/firewall-manager-v2.sh)
```

✅ Includes full menu, UDP support, persistent config, and port visibility.

For the original minimal script:

```bash
bash <(curl -Ls https://raw.githubusercontent.com/power0matin/Iran-Firewall-Manager/main/firewall-manager.sh)
```

⚠️ No menu, memory, or advanced options.
```
[*] Installing iptables-persistent...
[*] Flushing existing firewall rules...
[*] Allowing localhost traffic...
[*] Allowing SSH on port 22...
[*] Applying rules for IP 1.2.3.4 and allowed ports...
    - Allowing TCP port 443 from 1.2.3.4
    - Allowing UDP port 443 from 1.2.3.4
[*] Setting default policy to DROP...
[*] Disabling ICMP echo (ping)...
[*] Saving iptables rules...
[✅] Firewall rules applied successfully.
```

```
====== Firewall Management Menu ======
1) Apply secure firewall restrictions
2) Reset firewall to open state
3) Show currently open ports
4) Enable secure mode (allow only selected IP and ports)
0) Exit
```
🛑 Double-check the IP before applying rules — wrong IP may lock you out via SSH.

🧠 If you need DNS/NTP or other system ports, add them manually:

```bash
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT   # DNS
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT  # NTP
```

📡 UDP is fully supported in interactive mode. Choose `TCP`, `UDP`, or `Both`.
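The rule set the menu applies (allowlisted foreign IP and ports, loopback and SSH kept open, ping dropped, default-deny policies, and the reset-to-open counterpart) can be reviewed before it touches a live box. The script below is an added example, not the project's own code: it prints the `iptables` commands instead of running them, so a wrong IP is caught on screen rather than by a lost SSH session. The function names `gen_rules` and `reset_rules` are this example's own; the sample address 1.2.3.4 is the one from the README's output above. It also adds the `ESTABLISHED,RELATED` rules that a DROP policy on OUTPUT needs, and sets the policies back to ACCEPT before flushing, so a re-run on an already-hardened host does not cut the session.

```shell
#!/usr/bin/env bash
# Added example (not the project's script): emit the iptables rule set the
# README describes as plain text for review. gen_rules/reset_rules are
# hypothetical names chosen for this example.
set -eu

# reset_rules: the "reset firewall to open state" counterpart.
# Policies go to ACCEPT *before* the flush, otherwise flushing under a DROP
# policy leaves the host with no ACCEPT rules and no open policy.
reset_rules() {
  echo "iptables -P INPUT ACCEPT"
  echo "iptables -P FORWARD ACCEPT"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -F"
  echo "iptables -X"
}

# gen_rules <foreign-ip> <tcp|udp|both> <ssh-port> <port>...
# Prints one iptables command per line, in the order they must be applied.
gen_rules() {
  if [ "$#" -lt 4 ]; then
    echo "usage: gen_rules <foreign-ip> <tcp|udp|both> <ssh-port> <port>..." >&2
    return 1
  fi
  ip="$1"; proto="$2"; ssh_port="$3"
  shift 3
  case "$proto" in
    tcp|udp) protos="$proto" ;;
    both)    protos="tcp udp" ;;
    *) echo "gen_rules: protocol must be tcp, udp or both (got '$proto')" >&2; return 1 ;;
  esac

  # Start from an open state so the flush cannot lock out the current session.
  reset_rules
  # Loopback stays open: local services and many tunnels talk over 127.0.0.1.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  # Replies to accepted connections must pass in both directions; without this,
  # a DROP policy on OUTPUT silently kills the SSH session that applied it.
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Management access (the README keeps SSH on port 22 open).
  echo "iptables -A INPUT -p tcp --dport $ssh_port -j ACCEPT"
  # Tunnel ports: only the foreign server may reach them, and only it is reached.
  for port in "$@"; do
    for pr in $protos; do
      echo "iptables -A INPUT -s $ip -p $pr --dport $port -j ACCEPT"
      echo "iptables -A OUTPUT -d $ip -p $pr --dport $port -j ACCEPT"
    done
  done
  # Outbound DNS and NTP, the two the README suggests adding by hand.
  echo "iptables -A OUTPUT -p udp --dport 53 -j ACCEPT"
  echo "iptables -A OUTPUT -p udp --dport 123 -j ACCEPT"
  # No answer to ping, so the host does not show up in simple sweeps.
  echo "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"
  # Default deny goes last, after every ACCEPT above is in place.
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT DROP"
}

# Usage: ./rules.sh 1.2.3.4 both 22 443 | less
# Once reviewed, the same output can be piped into `sh` as root and then saved
# with `netfilter-persistent save` so it survives a reboot.
case "${1:-}" in
  "") ;;
  *) gen_rules "$@" ;;
esac
```

Reviewing the printed list is the cheap version of the auto-revert fail-safe on the roadmap: the DROP policies are the last three lines, every ACCEPT precedes them, and the SSH port is visible before anything is applied.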
| Phase | Status | 🔧 Planned Features | ✅ Details |
|---|---|---|---|
| 🟢 Phase 1 | ✅ Complete | 🔒 Basic TCP rules<br>🌐 IP allowlist<br>🚫 Default deny | Base implementation, save support, basic menu |
| 🟡 Phase 2 | 🔛 Current | 📱 Menu rework<br>📦 UDP support<br>🧠 Config memory<br>🖥️ Port visibility | Full rework with usability in mind |
| 🟠 Phase 3 | 🔜 Soon | ⏱️ Auto-revert fail-safe<br>🧪 Config profiles<br>🌗 Day/Night modes | Prevent lockout, switch between profiles, time-based policies |
| 🔵 Phase 4 | ⏳ Planned | 🌍 GeoIP blocking<br>📅 Cron apply/reset<br>💬 Language menu (EN/FA) | Auto-rules by schedule and region, multilingual |
| 🟣 Phase 5 | 🧠 Advanced | 📊 Traffic monitor<br>🚨 Telegram alerts<br>📥 External logging | Monitor usage, notify intrusions, log centralization |
| 🟤 Phase 6 | 🧪 Future | 🐳 Docker-aware firewall<br>🔗 API interface<br>👥 Multi-admin logs/audits | Integration with containers and dashboards |
🔧 Current Phase: Phase 2 — usability improvements, UDP support, and config memory.

💡 Got a feature idea? Open an Issue.
- ✅ Ubuntu or Debian-based system
- 🧑‍💻 Root privileges
- 📦 `iptables`, `iptables-persistent` (auto-installed)
- Ubuntu 20.04 / 22.04
- Debian 11 / 12
- VPS: KVM, NAT, OpenVZ (IPv4 only)
MIT License — free for personal and commercial use.
Built with ❤️ by power0matin ⭐ If you find it useful, please star the repo and share it 🙌
Matin Shahabadi (متین شاهآبادی / متین شاه آبادی)
- Website: matinshahabadi.ir
- Email: me@matinshahabadi.ir
- GitHub: power0matin
- LinkedIn: matin-shahabadi