LinuxQuestions.org
Old 07-13-2007, 03:35 PM   #1
SentralOrigin
Member
Registered: Jul 2005
Distribution: Gentoo, Ubuntu
Posts: 318
Issue with iptables


I have a list of IPs that I want to block, so I made a script to use iptables to block them. The IP list is one IP per line and the file is named "newips". The script is named "ipblock.sh". Both are located in /home/oranges.

Code:
#!/bin/bash
for IP in `cat /home/oranges/newips`; do iptables -A INPUT -s $IP -j DROP; done
So I ran the script by su'ing and then typing "sh /home/oranges/ipblock.sh". The script runs, but for every IP on the list I get this error:

Code:
' not found.3.5: host/network `##.##.##.##
Try `iptables -h' or 'iptables --help' for more information.
(Replace ##.##.##.## with IP address).

What could be the problem?
 
Old 07-13-2007, 03:53 PM   #2
MensaWater
Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,995
Blog Entries: 5
Your script worked for me when I did a test.

This suggests that one of the following is the issue:
A) You have something in the IP file other than IPs in the form ##.##.##.## (do you have quotes or tics in the file? Are you trying to append a network with "/"? If so, you may need to escape or quote the "/" as it has special meaning to the shell).
B) iptables wasn't on when you ran your script.
 
Old 07-13-2007, 04:00 PM   #3
SentralOrigin
Member
Original Poster
I've uploaded the file here so you can see for yourself. There's nothing wrong that I can see here, just IPs listed.

http://senduit.com/9bfa3e

Last edited by SentralOrigin; 07-13-2007 at 04:56 PM.
 
Old 07-14-2007, 09:08 AM   #4
MensaWater
Guru
3900 pages of IPs?!

Every packet you have would take forever to check against all your rules!

What exactly are you trying to accomplish? That is I know you want to block these IPs but to what end? It seems you might be better off writing rules for the IPs you DO allow - OR block entire ranges (e.g. those assigned to specific countries) if you're trying to block hack attempts.
 
Old 07-14-2007, 10:11 AM   #5
rupertwh
Member
Registered: Sep 2006
Location: Munich, Germany
Distribution: Debian / Ubuntu
Posts: 296
Hi,

Apart from the fact that your list of IPs is *huge* -- the problem you have is that the list is in DOS format, i.e. lines are terminated with \r\n instead of just \n.

So if you modify your script like
Code:
#!/bin/bash
# tr -d '\r' strips the carriage return a DOS-format file carries at the end of every line
for IP in $(tr -d '\r' < /home/oranges/newips); do iptables -A INPUT -s "$IP" -j DROP; done
it should work. But having 200000+ rules is probably not such a hot idea (don't know if it's possible at all to add that many rules).

If you really need to filter that many individual ips you probably want to at least do some cascading to substantially reduce the number of rules that have to be traversed for each packet.
 
Old 07-14-2007, 10:14 AM   #6
MensaWater
Guru
Or run dos2unix against the IP file beforehand.

But again I really would not add this many lines to iptables (even if possible).
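
The two fixes above (strip the carriage returns, and don't put a flat list of 200,000 rules in INPUT) combined into one script, as an added example that is not code from any poster in this thread. It normalises the list the way post #5's tr -d '\r' does, validates each entry as an IPv4 address or a.b.c.d/prefix network before anything reaches iptables, and emits an iptables-restore ruleset cascaded by first octet, which is one form of the cascading rupertwh suggests: INPUT jumps to a BLOCKLIST chain, that chain dispatches on the /8 of the source address to a per-octet chain, and only that chain holds the individual entries. The chain names BLOCKLIST and BL_<octet>, the has_crlf check, and the sample list in the trailing comments are my assumptions for illustration, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: turn a (possibly DOS-format) list of
# IPs into an iptables-restore ruleset that is cascaded by first octet.
# Assumed layout: one IPv4 address or a.b.c.d/prefix per line, optional
# "#" comments; chain names BLOCKLIST and BL_<first octet> are my choice.

# Does the file still carry carriage returns? (The thread's symptom: the
# "\r" becomes part of the address, and iptables rejects "1.2.3.4\r".)
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Normalise the list: drop \r, comments, surrounding whitespace and blank
# lines; keep only entries that look like IPv4 or IPv4/prefix, then reject
# octets above 255 and prefixes above 32; finally remove duplicates.
clean_iplist() {
    tr -d '\r' < "$1" \
    | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{
          ok = 1
          for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
          if (NF == 5 && $5 > 32) ok = 0
          if (ok) print
      }' \
    | sort -u
}

# Emit an iptables-restore ruleset. INPUT jumps to BLOCKLIST; BLOCKLIST has
# one rule per /8 that occurs in the list, each jumping to BL_<octet>; only
# BL_<octet> holds the individual entries. A packet therefore crosses at
# most (number of /8s present) + (entries sharing its first octet) rules
# instead of the whole list.
gen_blocklist_rules() {
    clean_iplist "$1" | awk -F'[./]' '
        {
            chain = "BL_" $1
            if (!(chain in seen)) { seen[chain] = 1; order[++n] = chain }
            rules[chain] = rules[chain] "-A " chain " -s " $0 " -j DROP\n"
        }
        END {
            print "*filter"
            print ":BLOCKLIST - [0:0]"
            for (i = 1; i <= n; i++) print ":" order[i] " - [0:0]"
            print "-A INPUT -j BLOCKLIST"
            for (i = 1; i <= n; i++) {
                split(order[i], p, "_")
                print "-A BLOCKLIST -s " p[2] ".0.0.0/8 -j " order[i]
            }
            for (i = 1; i <= n; i++) printf "%s", rules[order[i]]
            print "COMMIT"
        }'
}

# Example run on a constructed DOS-format list (a stand-in for newips):
#   printf '12.34.56.78\r\n# comment\r\n203.0.113.0/24\r\n999.1.1.1\r\n' > newips.txt
#   has_crlf newips.txt && echo "list is DOS-format, cleaning it"
#   gen_blocklist_rules newips.txt > blocklist.rules
#   iptables-restore --noflush < blocklist.rules      # as root
```

The script only generates the ruleset, so it can be run and inspected as an unprivileged user before anything touches the firewall; the 999.1.1.1 entry in the sample is silently dropped by the validation step, which is the check the original one-liner lacked. Load the result with iptables-restore --noflush (without --noflush, iptables-restore replaces the whole filter table, so take an iptables-save backup first), then iptables -L BLOCKLIST -n shows the per-/8 dispatch. On any current kernel the better tool for a list this size is ipset (a hash:net set matched by a single -m set --match-set rule); it is not discussed in this thread, but it replaces the whole cascade with one hash lookup.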
 
Old 07-14-2007, 03:42 PM   #7
SentralOrigin
Member
Original Poster
Thanks everyone.

Quote:
Originally Posted by jlightner
3900 pages of IPs?!

Every packet you have would take forever to check against all your rules!

What exactly are you trying to accomplish? That is I know you want to block these IPs but to what end? It seems you might be better off writing rules for the IPs you DO allow - OR block entire ranges (e.g. those assigned to specific countries) if you're trying to block hack attempts.
I want to allow all IPs except those. I'm trying to block ads, porn, government IPs, spyware, etc. that might connect somehow (through browser, torrent client, programs, etc.)
 
  

