Issue with iptables

SentralOrigin · 07-13-2007, 03:35 PM

I have a list of IPs that I want to block, so I made a script to use iptables to block them. The IP list is one IP per line and the file is named "newips". The script is named "ipblock.sh". Both are located in /home/oranges.

Code:

#!/bin/bash
for IP in `cat /home/oranges/newips`; do iptables -A INPUT -s $IP -j DROP; done

So I can the script by su'ing and then typed "sh /home/oranges/ipblock.sh", and the script runs, but for every IP on the list, I get this error:

Code:

' not found.3.5: host/network `##.##.##.##
Try `iptables -h' or 'iptables --help' for more information.

(Replace ##.##.##.## with IP address).

What could be the problem?

MensaWater · 07-13-2007, 03:53 PM

Your script worked for me when I did a test.

This suggests that one of the following is the issue:
A) You have something in the IP file other than IPs in the form ##.##.##.## (do you have quotes or tics in the file? Are you trying to append network with "/". If so you may need to escape or quote the "/" as it has special meaning to the shell.
B) iptables isn't on when you ran your script.

SentralOrigin · 07-13-2007, 04:00 PM

I've uploaded the file here so you can see for yourself. There's nothing wrong that I can see here, just IPs listed.

http://senduit.com/9bfa3e

MensaWater · 07-14-2007, 09:08 AM

3900 pages of IPs?!

Every packet you have would take forever to check all your rules!

What exactly are you trying to accomplish? That is I know you want to block these IPs but to what end? It seems you might be better off writing rules for the IPs you DO allow - OR block entire ranges (e.g. those assigned to specific countries) if you're trying to block hack attempts.

rupertwh · 07-14-2007, 10:11 AM

Hi,

apart from the fact that your list of ips is *huge* -- the problem you have is because that list is in DOS format, i.e. lines are terminated with \r\n instead of just \n.

So if you modify your script like

Code:

#!/bin/bash
for IP in `tr -d '\r' < /home/oranges/newips`; do iptables -A INPUT -s $IP -j DROP; done

it should work. But having 200000+ rules is probably not such a hot idea (don't know if it's possible at all to add that many rules).

If you really need to filter that many individual ips you probably want to at least do some cascading to substantially reduce the number of rules that have to be traversed for each packet.

MensaWater · 07-14-2007, 10:14 AM

or run dos2unix against the IP file before hand.

But again I really would not add this many lines to iptables (even if possible).

SentralOrigin · 07-14-2007, 03:42 PM

Thanks everyone.

Quote:

Originally Posted by jlightner

3900 pages of IPs?!

Every packet you have would take forever to check all your rules!

What exactly are you trying to accomplish? That is I know you want to block these IPs but to what end? It seems you might be better off writing rules for the IPs you DO allow - OR block entire ranges (e.g. those assigned to specific countries) if you're trying to block hack attempts.

I want to allow all IPs except those. I'm trying to block ads, porn, government IPs, spyware, etc. that might connect somehow (through browser, torrent client, programs, etc.)