Iptables - external file of bad IPs
Hi Guys,
Is it possible to point iptables to an external file of denied IPs? There are a bunch of high-quality lists freely available on the internet of IPs owned by spammers, record companies and the internet's other nasties, and I'd like to be able to tell iptables that these people are undesirable without having to do 50,000 iptables -A INPUT -s {nextipinlist} |
For my script I just used this little bit of code that reads a text file and automatically makes the rules to suit. You need to have at least one entry, otherwise you will get errors if it tries to add a rule with no source address.
Code:
BLOCKED_IP="/etc/ipblock" |
Ooh. Good idea. Pity it can't be modular in that it can point to the file which I can then update, but I guess I am asking too much from a simple firewall implementation.
Thanks. |
My usual bit on the subject: Allow only the subnets that really need access. Deny everything else by default.
|
You can point it to any file that you want and you can update the file with new entries, one per line; the only thing is you would need to reload the script to re-read it and add rules. Or you could create a cron job that runs a script to update and read your file for you and add the rules on the fly. All rules that you add will show if you use iptables -L, so you could have the script check /etc/ipblock for entries and then check them against the current rules. This way you could have them blocked the instant the rule applies, rather than having to reload the iptables script all the time.
Just put together a little script that seems to work, although I haven't tested it extensively. You could also expand the script to check your log files as well and add entries from any host doing things they shouldn't be doing.
Code:
#!/bin/bash |
I stumbled across this whilst looking for a way to populate bad IPs into an existing iptables. I appreciate the thread is old but still hits the top of the searches.
The above example bombs out with errors on my bash version, and lacks a few basics like allowing comments in the list and checking the file even exists. It also overlooks the possibility of single, CIDR and ranges in the list. Hopefully this version may help anyone who needs it:
Code:
#!/bin/bash
Code:
iptables v1.4.0: Unknown arg `--src-range'
Code:
#!/bin/bash |
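As an added example, not any poster's script, here is a bash version of what the last three posts ask for: it reads /etc/ipblock (the path used earlier in the thread), skips blank lines and # comments, checks that the file exists, accepts single IPv4 addresses, CIDR blocks and first-last ranges, and only adds rules that are not already loaded, so it can safely run from cron. The chain name BLOCKLIST, the IPT variable and the "apply" argument are this example's own conventions. Ranges use the iprange match: the "Unknown arg `--src-range'" message quoted above is what iptables prints when --src-range appears on the command line without a preceding -m iprange, because match options are only recognised after the match has been loaded.

```shell
#!/bin/bash
# Added example (not from the thread): load a blocklist file into an iptables chain.
# Assumed: list at /etc/ipblock (path from the thread), one entry per line, each a
# single IPv4 address, a CIDR block or a first-last range; blank lines and "#"
# comments allowed. CHAIN, IPT and the "apply" argument are this example's conventions.

BLOCKED_IP="${BLOCKED_IP:-/etc/ipblock}"
CHAIN="${CHAIN:-BLOCKLIST}"
IPT="${IPT:-iptables}"

# Extended regex for one dotted-quad address (each octet 0-255).
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"

# classify_entry ENTRY -> prints single | cidr | range | invalid
classify_entry() {
    e=$1
    if printf '%s\n' "$e" | grep -Eq "^${IPV4}\$"; then
        echo single
    elif printf '%s\n' "$e" | grep -Eq "^${IPV4}/([0-9]|[12][0-9]|3[0-2])\$"; then
        echo cidr
    elif printf '%s\n' "$e" | grep -Eq "^${IPV4}-${IPV4}\$"; then
        echo range
    else
        echo invalid
    fi
}

# rule_for ENTRY -> prints the iptables arguments that block one entry
rule_for() {
    e=$1
    case "$(classify_entry "$e")" in
        single|cidr) echo "-A $CHAIN -s $e -j DROP" ;;
        # --src-range is an option of the iprange match, so -m iprange must come first;
        # without it iptables reports: Unknown arg `--src-range'
        range)       echo "-A $CHAIN -m iprange --src-range $e -j DROP" ;;
        *)           return 1 ;;
    esac
}

# generate_rules FILE -> one rule per line; skips blanks and comments, warns on bad entries
generate_rules() {
    f=$1
    [ -r "$f" ] || { echo "blocklist $f missing or unreadable" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//' | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        rule_for "$entry" || echo "skipping invalid entry: $entry" >&2
    done < "$f"
}

# apply_rules FILE -> adds only the rules not already present
#   (iptables -C exits 0 when an identical rule exists; needs iptables >= 1.4.11)
apply_rules() {
    f=$1
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # chain may already exist
    generate_rules "$f" | while IFS= read -r rule; do
        spec=${rule#-A }
        # shellcheck disable=SC2086  # word splitting of the rule text is intended
        "$IPT" -C $spec 2>/dev/null || "$IPT" -A $spec
    done
}

# Usage: ipblock.sh apply   (e.g. from cron every ten minutes to pick up new entries)
case ${1:-} in
    apply) apply_rules "$BLOCKED_IP" ;;
esac
```

Run it as root with the argument apply; the script creates the BLOCKLIST chain but does not add the jump from INPUT (iptables -I INPUT -j BLOCKLIST), which you do once by hand. Because every run is idempotent, a cron entry can re-run it as often as the list changes. On iptables older than 1.4.11 there is no -C, so compare generate_rules output against iptables -S instead, as the earlier post suggests. For lists of tens of thousands of entries, one rule per address makes every packet walk the whole chain; the ipset tool mentioned later in the thread is the scalable alternative.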
Script I use to update IPtables in real time.
This morning I woke up to find that I was getting a Denial Of Service (DOS) attack from Russia. They were hitting me from dozens of IP blocks. They must have either had a large pool of IPs or some sort of proxy list/service. Every time I blocked an IP, another one popped up. Finally, I looked for a script, and found I needed to write my own solution. The following is a bit aggressive, but they were running my TOP LOAD LEVEL to over 200.
Here is a quick script I wrote to block the DOS in real time.
PHP Code:
1) BLOCK1 is a Chain already created.
2) BLOCK1 is a Chain that is run/called from the INPUT CHAIN.
3) Periodically you will need to run "ipchains -S BLOCK1" and put the output in the /etc/sysconfig file.
4) You are familiar with PHP.
5) You understand web log line items/fields and output.
Patrick
http://www.ExpertWitness.com |
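The post above describes the same idea the earlier reply hinted at (feeding addresses found in the web logs into a chain), but its PHP script is not reproduced. As an added example, not Patrick's script, here is a shell version of the log side of that design: it counts requests per client address in a combined-format access log, drops everyone below a threshold and everyone on an allowlist, and prints the rules that would add the rest to the pre-existing BLOCK1 chain. The chain name and the "already created, called from INPUT" setup come from the post; the threshold, the allowlist and the sample log lines in the usage are constructed for this example.

```shell
#!/bin/bash
# Added example (not the PHP script from the post): find client addresses that
# exceed a request threshold in a web access log (combined log format, client
# address in field 1) and print the iptables rules that would add them to an
# existing chain. CHAIN=BLOCK1 is from the post; threshold, allowlist and the
# "report" argument are this example's own conventions.

CHAIN="${CHAIN:-BLOCK1}"

# heavy_hitters LOGFILE THRESHOLD [ALLOWLIST]
#   prints "count ip", highest count first, for every client with at least
#   THRESHOLD requests that is not in the space-separated ALLOWLIST
heavy_hitters() {
    awk -v limit="$2" -v allow="${3:-}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        { hits[$1]++ }                       # field 1 is the client address
        END {
            for (ip in hits)
                if (hits[ip] >= limit && !(ip in skip)) print hits[ip], ip
        }' "$1" | sort -rn
}

# rules_for_log LOGFILE THRESHOLD [ALLOWLIST]
#   one "-A CHAIN -s IP -j DROP" line per heavy hitter, ready to hand to iptables
rules_for_log() {
    heavy_hitters "$1" "$2" "${3:-}" | while read -r count ip; do
        echo "-A $CHAIN -s $ip -j DROP"
    done
}

# Usage (e.g. from cron), applying only rules that are not already loaded:
#   rules_for_log /var/log/httpd/access_log 100 "127.0.0.1 <your admin IP>" |
#       while read -r rule; do iptables -C ${rule#-A } 2>/dev/null || iptables $rule; done
case ${1:-} in
    report) heavy_hitters "${2:?logfile}" "${3:-100}" "${4:-}" ;;
esac
```

Always keep your own management address and 127.0.0.1 on the allowlist, or the script will happily lock you out after a busy monitoring run. A plain hit count over the whole log has no time window and never expires, so a legitimately busy client (a corporate NAT, a search crawler) trips it as easily as an attacker; the fail2ban suggestion in the next post adds exactly those two pieces, a sliding window and automatic unbanning.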
You could use fail2ban http://linux.die.net/man/8/fail2ban to dynamically+automatically update the list on an address-by-address basis.
For sets of ipaddresses, see ipset http://www.linuxjournal.com/content/...urations-ipset |