Example Scripts
The agent executes your scripts — you decide what happens when an IP is whitelisted or revoked. Below are ready-to-use examples for common setups.
Every script receives two arguments:
- `$1` (bash) / `$args[0]` (PowerShell): the CIDR to apply or revoke (e.g., 203.0.113.50/32)
- `$2` (bash) / `$args[1]` (PowerShell): a description string (e.g., EntryGuard session abc-123)

In the PowerShell examples below these are bound positionally by a param() block instead of being read from $args.

Exit code 0 means success. Any other exit code means failure. All stdout/stderr output is captured and sent back to EntryGuard for troubleshooting.
UFW

apply.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
DESC="${2:-entryguard}"
ufw allow from "$CIDR" to any port 443 comment "entryguard: $DESC"
echo "Allowed $CIDR on port 443"
```

revoke.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
# ufw delete fails on a rule that does not exist; || true keeps revoke safe to re-run
ufw delete allow from "$CIDR" to any port 443 || true
echo "Revoked $CIDR on port 443"
```
iptables

apply.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
DESC="${2:-entryguard}"
iptables -A INPUT -s "$CIDR" -p tcp --dport 443 -m comment --comment "entryguard: $DESC" -j ACCEPT
echo "Added iptables rule for $CIDR on port 443"
```
revoke.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
DESC="${2:-entryguard}"
# iptables -D only deletes a rule whose specification matches exactly, including
# the comment match, so the delete must repeat the same comment apply used.
# This assumes EntryGuard passes the same description on revoke as on apply.
while iptables -D INPUT -s "$CIDR" -p tcp --dport 443 \
        -m comment --comment "entryguard: $DESC" -j ACCEPT 2>/dev/null; do
    true  # loop until no matching rule is left (apply may have been run more than once)
done
echo "Removed iptables rules for $CIDR on port 443"
```
nginx Allowlist

Manages a file of allow directives that you include in your nginx config.

apply.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
ALLOWLIST="/etc/nginx/conf.d/entryguard-allowlist.conf"
# -F matches the CIDR literally (dots are not regex wildcards), -x requires a whole-line match
if ! grep -qxF "allow $CIDR;" "$ALLOWLIST" 2>/dev/null; then
    echo "allow $CIDR;" >> "$ALLOWLIST"
    # Test the config as its own command: with set -e a failed test aborts the script
    # (non-zero exit is reported to EntryGuard) instead of reloading a broken config
    nginx -t
    nginx -s reload
    echo "Added $CIDR to nginx allowlist"
else
    echo "$CIDR already in nginx allowlist"
fi
```
revoke.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
ALLOWLIST="/etc/nginx/conf.d/entryguard-allowlist.conf"
if [ -f "$ALLOWLIST" ]; then
    # Escape the CIDR's dots and slashes so sed treats it literally
    ESCAPED=$(printf '%s' "$CIDR" | sed 's/[./]/\\&/g')
    sed -i "/^allow $ESCAPED;\$/d" "$ALLOWLIST"
    nginx -t
    nginx -s reload
    echo "Removed $CIDR from nginx allowlist"
else
    echo "Allowlist file not found, nothing to revoke"
fi
```
In your nginx server block, include the allowlist before the deny directive:

```nginx
location /admin {
    include /etc/nginx/conf.d/entryguard-allowlist.conf;
    deny all;
    # ...
}
```
Multi-Port / Custom Logic

Scripts can do anything. Here's an example that whitelists across multiple ports:

apply.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
for PORT in 22 443 8080; do
    ufw allow from "$CIDR" to any port "$PORT" comment "entryguard"
done
echo "Allowed $CIDR on ports 22, 443, 8080"
```

revoke.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
for PORT in 22 443 8080; do
    ufw delete allow from "$CIDR" to any port "$PORT" || true
done
echo "Revoked $CIDR on ports 22, 443, 8080"
```
Windows Firewall

Uses New-NetFirewallRule / Remove-NetFirewallRule to manage inbound rules. Rules are named EntryGuard-<CIDR> for easy identification.

apply.ps1:

```powershell
param(
    [Parameter(Mandatory=$true)][string]$CIDR,
    [string]$Description = "entryguard"
)
$ErrorActionPreference = "Stop"
$RuleName = "EntryGuard-$CIDR"
# Remove existing rule if present (idempotent)
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule `
    -DisplayName $RuleName `
    -Description $Description `
    -Direction Inbound `
    -Action Allow `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress $CIDR `
    -Profile Any
Write-Output "Allowed $CIDR on port 443 (rule: $RuleName)"
```

revoke.ps1:

```powershell
param(
    [Parameter(Mandatory=$true)][string]$CIDR,
    [string]$Description = "entryguard"
)
$ErrorActionPreference = "Stop"
$RuleName = "EntryGuard-$CIDR"
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-NetFirewallRule -DisplayName $RuleName
    Write-Output "Revoked $CIDR (removed rule: $RuleName)"
} else {
    Write-Output "Rule $RuleName not found, nothing to revoke"
}
```
Windows Firewall (Multi-Port)

Whitelist across multiple ports on Windows:

apply.ps1:

```powershell
param(
    [Parameter(Mandatory=$true)][string]$CIDR,
    [string]$Description = "entryguard"
)
$ErrorActionPreference = "Stop"
$Ports = @(22, 443, 3389)
foreach ($Port in $Ports) {
    $RuleName = "EntryGuard-${CIDR}-${Port}"
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
    New-NetFirewallRule `
        -DisplayName $RuleName `
        -Description $Description `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPort $Port `
        -RemoteAddress $CIDR `
        -Profile Any
}
Write-Output "Allowed $CIDR on ports $($Ports -join ', ')"
```

revoke.ps1:

```powershell
param(
    [Parameter(Mandatory=$true)][string]$CIDR,
    [string]$Description = "entryguard"
)
$ErrorActionPreference = "Stop"
$Ports = @(22, 443, 3389)
foreach ($Port in $Ports) {
    $RuleName = "EntryGuard-${CIDR}-${Port}"
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-NetFirewallRule -DisplayName $RuleName
    }
}
Write-Output "Revoked $CIDR on ports $($Ports -join ', ')"
```
MikroTik (RouterOS 7+)

Uses the MikroTik REST API to manage an address list. The agent must be able to reach the router's API (typically on the same LAN). Requires RouterOS 7.1+ with the REST API enabled.

Prerequisites:
- Enable the REST API on your MikroTik: `/ip/service set www-ssl disabled=no`
- Create a dedicated user with limited permissions: `/user add name=entryguard password=YOUR_PASSWORD group=write`
- Install curl on the machine running the agent

Configure the router address and credentials in the scripts:
apply.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
DESC="${2:-entryguard}"
# MikroTik connection settings. The password is stored in clear text, so keep this
# file readable only by the user the agent runs as (e.g. chmod 600).
ROUTER="https://192.168.1.1"
USER="entryguard"
PASS="YOUR_PASSWORD"
LIST="entryguard-allowed"
# RouterOS stores a /32 entry as a plain address, not as CIDR, so strip a trailing
# /32; otherwise the lookup below never matches what the router actually stored
ADDRESS="${CIDR%/32}"
# curl flags: -sS no progress bar but errors still reported, -f fail on HTTP errors
# (so set -e aborts the script), -k skip TLS verification; replace -k with
# --cacert <router-cert> once www-ssl uses a certificate the agent host trusts
# Check if already exists
RESPONSE=$(curl -sSfk -u "$USER:$PASS" \
    "$ROUTER/rest/ip/firewall/address-list?list=$LIST&address=$ADDRESS")
if echo "$RESPONSE" | grep -q '"address"'; then
    echo "$ADDRESS already in address list $LIST"
    exit 0
fi
# Add to address list
curl -sSfk -u "$USER:$PASS" \
    -X PUT "$ROUTER/rest/ip/firewall/address-list" \
    -H "Content-Type: application/json" \
    -d "{\"list\":\"$LIST\",\"address\":\"$ADDRESS\",\"comment\":\"$DESC\"}"
echo "Added $ADDRESS to MikroTik address list $LIST"
```
revoke.sh:

```bash
#!/bin/bash
set -euo pipefail
CIDR="$1"
# MikroTik connection settings (same values as apply.sh)
ROUTER="https://192.168.1.1"
USER="entryguard"
PASS="YOUR_PASSWORD"
LIST="entryguard-allowed"
# Strip a trailing /32, matching how RouterOS stores single addresses
ADDRESS="${CIDR%/32}"
# Find the entry ID. The trailing || true matters: with pipefail, grep exits 1 when
# nothing matches, which would otherwise abort the script instead of reaching the
# "nothing to revoke" branch below.
ENTRY_ID=$(curl -sSfk -u "$USER:$PASS" \
    "$ROUTER/rest/ip/firewall/address-list?list=$LIST&address=$ADDRESS" \
    | grep -o '"\.id":"[^"]*"' | head -1 | cut -d'"' -f4 || true)
if [ -z "$ENTRY_ID" ]; then
    echo "$ADDRESS not found in address list $LIST, nothing to revoke"
    exit 0
fi
# Remove from address list (-f makes an HTTP error fail the script)
curl -sSfk -u "$USER:$PASS" \
    -X DELETE "$ROUTER/rest/ip/firewall/address-list/$ENTRY_ID"
echo "Removed $ADDRESS from MikroTik address list $LIST"
```
Then in your MikroTik firewall, reference the address list:

```
/ip firewall filter
add chain=forward src-address-list=entryguard-allowed action=accept comment="EntryGuard allowed IPs"
add chain=forward action=drop comment="Drop all other traffic"
```
Keep the MikroTik API on the LAN only — never expose it to the internet. The agent runs inside your network and connects to the router locally. EntryGuard never sees your router credentials.
Writing Your Own

Tips for writing reliable scripts:
- Fail fast: use `set -euo pipefail` (bash) or `$ErrorActionPreference = "Stop"` (PowerShell)
- Make apply idempotent: running twice with the same CIDR should not create duplicate rules
- Make revoke safe: revoking a CIDR that isn't present should not fail (use `|| true` or `-ErrorAction SilentlyContinue` where appropriate)
- Print what you did: output is shown in EntryGuard for troubleshooting
- Test manually first: run `bash apply.sh 203.0.113.50/32 "test"` or `.\apply.ps1 -CIDR 203.0.113.50/32 -Description "test"` before connecting the agent
- Keep scripts simple: one concern per script, easy to audit
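The tips above, and the iptables section earlier, leave two things to the script author: checking that `$1` really is a CIDR before it is spliced into a firewall command, and not appending a duplicate rule on a second run. The following apply script is an added example, not code from the EntryGuard docs or the EntryGuard project; it assumes an IPv4-only deployment, and the `IPTABLES` variable and the `valid_cidr` / `iptables_allow` function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the EntryGuard docs): an iptables apply script that
# validates its input and is idempotent. It takes the same two arguments as every
# EntryGuard script: $1 = CIDR, $2 = description.
set -eu
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be exercised without root

# valid_cidr: accept only dotted-quad IPv4 with a /0-/32 prefix, so nothing but a
# well-formed CIDR ever reaches the iptables command line.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"   # split the address into octets
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# iptables_allow: add the ACCEPT rule only if an identical one is not already
# present (iptables -C exits 0 when the rule exists), so running apply twice with
# the same CIDR never creates duplicates. -I rather than -A puts the rule ahead of
# any final DROP rule already in the chain.
iptables_allow() {
    cidr="$1"; desc="$2"; port="$3"
    if "$IPTABLES" -C INPUT -s "$cidr" -p tcp --dport "$port" \
            -m comment --comment "entryguard: $desc" -j ACCEPT 2>/dev/null; then
        echo "Rule for $cidr on port $port already present"
        return 0
    fi
    "$IPTABLES" -I INPUT -s "$cidr" -p tcp --dport "$port" \
        -m comment --comment "entryguard: $desc" -j ACCEPT
    echo "Added rule for $cidr on port $port"
}

main() {
    cidr="${1:-}"; desc="${2:-entryguard}"
    if ! valid_cidr "$cidr"; then
        echo "Refusing to apply: '$cidr' is not a valid IPv4 CIDR" >&2
        exit 2   # any non-zero exit is reported back to EntryGuard as a failure
    fi
    iptables_allow "$cidr" "$desc" 443
}

# The agent always passes arguments; with none (e.g. when sourced) nothing runs.
[ "$#" -eq 0 ] || main "$@"
```

A matching revoke would loop on `iptables -D` with the same comment, as in the iptables section above.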