HI,

I need help to write a script for iptables. i have list of src ip address in seperate file to which i want to allow Internet. but when i remove the particular ip address from the file i need to restart the iptables and due to this all sessions are disconnected. this makes problem when a user is downloading a large file.

I need a script that will delete/add ip address in rules.



thanks.

Here's the way I do it; feel free to modify as needed.
where the list of ranges look like
and the output looks like
I
Then, as root
and that's that.

Because the purpose is blocking the network range and the subnets (you get that information from whois) and this gets executed at boot it may not fit your exact need for on-the-fly editing of IPTABLES, but it may give you a start.

An alternative is to think about /etc/hosts.deny and /etc/hosts.allow (which you can edit simply with sed). Simple, one-line entries for a single IP address in those are fast and effective for dynamic access; /etc/hosts.deny entries look like this
Hope this helps some.

I don't want to deny that your post was an interesting read, but the OP seems to have been asking for something rather different; the request seems roughly to be for a system which can dynamically add to a whitelist, rather than manage a large-ish blacklist.

Of course, I'm going to add my two-penny worth by not giving the OP a directly usable approach, either

Firstly, the problem with a lot of these whitelist/blacklist approaches is that it easy to build-in a need to do lots of look-ups whenever a new connection comes in, and that way build in a vulnerability to DoS/DDoS attacks. This is not a good thing and needs to be examined in context to see how serious it could be. Having said that, something like denyhosts seems to take a broadly sensible approach (but is intended for blocking the outside world trying to get in, rather than the other way around).

What the OP is asking for, in most cases (and there will be cases in which this won't work, but we don't have details) is dealt with by allowing addresses or address ranges; this does not need any dynamic building of lists of allowable addresses for internet access (eg, allowing 192.168.0.0/24), but it doesn't dynamically block any addresses in that range.

You have to ask 'What is the risk that I am trying to protect against?' It seems that this looser approach could allow someone within your own network to have internet access at a time at which you didn't want this to happen. Is this a big problem? (Maybe, it is if you know that you have to have insecure wireless within your network, that outsiders can access.)

I think if I just wanted to allow groups within my organisation to have access at certain times and not at others, I'd be using squid for access control (and using iptables to ensure that packets have to funnel through squid, rather than be able to go around squid by fiddling with network settings).

@Ammad
Do you really mean that you want to block all internet access, or just HTTP/HTTPS, and FTP, for example?

I want to block Internet for all users, except allowed list, (still 100+ users out of 1000).

also i want to block songs/video streaming. if you have any idea to stop this using iptables, please suggest.


thanks