LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-07-2007, 02:56 PM   #1
Elomis
Member
 
Registered: Dec 2004
Location: Sydney
Distribution: SUSE
Posts: 89

Rep: Reputation: 15
Iptables - external file of bad IPs


Hi Guys,
Is it possible to point IPtables to an external file of denied IPs? There's a bunch of high quality lists freely available on the internet of IPs owned by spammers, record companies and the other of the internet's nasties, and I'd like to be able to tell IPtables that these people are undesirable without having to do 50,000 iptables -A INPUT -s {nextipinlist}
 
Old 02-07-2007, 03:40 PM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
For my script I just used this little bit of code that reads a text file and automatically makes the rules to suit. You need to have at least one entry otherwise you will get errors if it tries to add a rule with no source address.

Code:
BLOCKED_IP="/etc/ipblock"
if [ -f $BLOCKED_IP ]; then
	while read BLOCKED; do
		$IPTABLES -A INPUT -i eth0 -s $BLOCKED -j DROP
		$IPTABLES -A OUTPUT -o eth0 -d $BLOCKED -j DROP
	done < $BLOCKED_IP
fi
 
Old 02-07-2007, 04:02 PM   #3
Elomis
Member
 
Registered: Dec 2004
Location: Sydney
Distribution: SUSE
Posts: 89

Original Poster
Rep: Reputation: 15
Ooh. Good idea. Pity it can't be modular in that it can point to the file which I can then update, but I guess I am asking too much from a simple firwall implementatin.

Thanks.
 
Old 02-07-2007, 04:18 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
My usual bit on the subject: Allow only the subnets that really need access. Deny everything else by default.
 
Old 02-10-2007, 10:27 PM   #5
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Quote:
Originally Posted by Elomis
Ooh. Good idea. Pity it can't be modular in that it can point to the file which I can then update, but I guess I am asking too much from a simple firwall implementatin.

Thanks.

You can point it to any file that you want and you can update the file with new entries one per line, the only thing is you would need to reload the script to re-read and add rules to it.

Or you could create a cron job that runs a script to update and read your file for you and add the rules on the fly. All rules that you add with show if you use iptables-L, so you could have the script check the /etc/ipblock for entries and then check then against the current rules.

This way you could have them block the instant the rule applies, rather than having to reload the iptables script all the time. Just put together a little scipt that seems to work, although I haven't tested it extensively, you could also expand the script to check your log files as well and add entries from any host doing things they shouldn't be doing.

Code:
#!/bin/bash

BLOCK_LIST=`cat /etc/ipblock`
CURRENT_RULES=`iptables -L`
IPTABLES=`whereis iptables | awk '{print $2}'`

for ENTRIES in $BLOCK_LIST; do
	SUCCESS=0
	grep "$ENTRIES" "$CURRENT_RULES"
		if [ ! "$?" = "$SUCCESS" ]; then # if the rule is not found, add it
			$IPTABLES -I INPUT -i eth0 -s $ENTRIES -j DROP
			$IPTABLES -I OUTPUT -o eth0 -d $ENTRIES -j DROP
		fi
done
Using the -I (insert) rather than the -A (append) in the rule will place it at the the top, this makes sure you will get the drop rule first.

Last edited by fotoguy; 02-10-2007 at 10:28 PM.
 
Old 05-20-2009, 04:36 AM   #6
Dave_Devnull
Member
 
Registered: May 2009
Posts: 142

Rep: Reputation: 24
I stumbled accross this whilst looking for a way to populate bad IP's into an existing iptables. I appreciate the thread is old but still hits the top of the searches.

The above example bombs out with errors on my bash version, and lacks a few basics like allowing comments in the list and checking the file even exists. It also overlooks the possibility of single, CIDR and ranges in the list. Hopefully this version may help anyone who needs it;

Code:
#!/bin/bash
#
# assumes that the IP addresses you wish to block are put in file /etc/firewall.blocks
# this file can contain comments starting with ; or #
# but these must not be included on the end of IP addresses
# #comment allowed
# ;comment allowed
# 192.168.1.2 ;NOT ALLOWED
# 192.168.1.2 #NOT ALLOWED
# firewall blocks can be single IP, CIDR, or a RANGE
# 192.168.1.1
# 192.168.1.0/24
# 192.168.1.1-192.168.1.10
#
BLOCK_LIST=/etc/firewall.blocks
if [ ! -f $BLOCK_LIST ]
        then
                echo "Unable to add blocks to IPTABLES because file $BLOCK_LIST is missing"
                exit
        fi
CURRENT_RULES=`iptables -nL`

while read entries ;do
        # skip comment lines starting with ; or #
        case $entries in
                \#*|\;*)
                continue
                ;;
        esac

        if [[ $CURRENT_RULES =~ $entries ]]
        then
                printf "%-20s %20s\n" $entries 'already referenced in iptable - skipping'
                else
                # is this CIDR, range or single IP?
                        if [[ $entries =~ "-" ]]
                        then
                        #--src-range
                        printf "%-20s %20s %1s %1s\n" 'ADDING RULE:' 'iptables -A INPUT --src-range' $entries '-j DROP'
                        iptables -A INPUT --src-range $entries -j DROP
                        else
                        #--CIDR or single
                        printf "%-20s %20s %1s %1s\n" 'ADDING RULE:' 'iptables -A INPUT -s' $entries '-j DROP'
                        iptables -A INPUT -s $entries -j DROP
                        fi
                fi
done < $BLOCK_LIST
Not all IPTABLES support the --src-range and may STB if used. If you see errors like;

Code:
iptables v1.4.0: Unknown arg `--src-range'
Then use single or CIDR instead. Script is then modified to this shorter version


Code:
#!/bin/bash
#
# assumes that the IP addresses you wish to block are put in file /etc/firewall.blocks
# this file can contain comments starting with ; or #
# but these must not be included on the end of IP addresses
# #comment allowed
# ;comment allowed
# 192.168.1.2 ;NOT ALLOWED
# 192.168.1.2 #NOT ALLOWED
# firewall blocks can be single IP OR CIDR
# 192.168.1.1
# 192.168.1.0/24
#
BLOCK_LIST=/etc/firewall.blocks
if [ ! -f $BLOCK_LIST ]
        then
                echo "Unable to add blocks to IPTABLES because file $BLOCK_LIST is missing"
                exit
        fi
CURRENT_RULES=`iptables -nL`

while read entries ;do
        # skip comment lines starting with ; or #
        case $entries in
                \#*|\;*)
                continue
                ;;
        esac

                if [[ $CURRENT_RULES =~ $entries ]]
                then
                printf "%-20s %20s\n" $entries 'already referenced in iptable - skipping'
                else
                printf "%-20s %20s %1s %1s\n" 'ADDING RULE:' 'iptables -A FIREWALL -s' $entries '-j DROP'
                iptables -A FIREWALL -s $entries -j DROP
                fi
done < $BLOCK_LIST

Last edited by Dave_Devnull; 05-20-2009 at 05:33 AM. Reason: typo
 
Old 04-18-2013, 04:44 PM   #7
pmol123
LQ Newbie
 
Registered: Apr 2013
Location: Southlake, TX
Posts: 1

Rep: Reputation: Disabled
Script I use to update IPtables in real time.

This morning I woke up to find that was getting a Denial Of Service (DOS) attack from Russia. They were hitting me from dozens of IP blocks. They must have either had a large pool of IPs or some sort of proxy list/service. Every time I blocked an IP, another one popped up. Finally, I looked for a script, and found I needed to write my own solution. The following is a bit agressive, but they were running my TOP LOAD LEVEL to over 200.

Here is a quick script I wrote to block the DOS in realtime.

PHP Code:
cat  <output of the logs> | php ipchains.php <something unique in the logs
PHP Code:

PHP Code:
<?php

//*****************
//*** ipchains.php
//*****************

$ip_arr = array();

while(
1)
{
   
$line trim(fgets(STDIN)); // reads one line from STDIN
   
$ip trimstrtok$line" ") );

   if( !
array_key_exists$ip$ip_arr ) )
      
$ip_arr[$ip] = 0;

   
$regex sprintf"/%s/"$argv[1] );

   
$cnt preg_match_all$regex$line );

   if( 
$cnt ) continue;

   
$ip_arr[$ip] += 1;

   if( 
$ip_arr[$ip] == 1  )
     {
//     printf( "%s\n", $argv[1] );
//     printf( "%d\n", $cnt );
//     printf( "%s\n", $line );

       
printf"-A BLOCK1 -s %s/24 -j DROP\n"$ip );

       
$cmd sprintf"/sbin/iptables  -I BLOCK1  -d %s/24 -j DROP"$ip );
       
system$cmd );
     }
}


?>
Assumptions:
1) BLOCK1 is a Chain already created.
2) BLOCK1 is a Chain that is run/called from the INPUT CHAIN
3) Periodically you will need to run "ipchains -S BLOCK1" and put output in /etc/sysconfig file.
4) You are familiar with PHP
5) You understand web log line items/fields and output.


Patrick
http://www.ExpertWitness.com

Last edited by pmol123; 04-18-2013 at 05:17 PM.
 
Old 04-18-2013, 08:04 PM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,246

Rep: Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025Reputation: 2025
You could use fail2ban http://linux.die.net/man/8/fail2ban to dynamically+automatically update the list on an address-by-address basis.
For sets of ipaddresses, see ipset http://www.linuxjournal.com/content/...urations-ipset
 
  


Reply

Tags
external, files, iptables, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Multiple External IPs with iptables tvynr Linux - Networking 11 11-08-2005 02:31 PM
Question about iptables and multiple external IPs tvynr Linux - Networking 2 10-12-2005 07:48 PM
dhcp and multiple external IPs inc0gs Linux - Networking 4 06-15-2005 02:27 PM
how to define a specific range of IPs and/or multiple IPs in an iptables rule?... TheHellsMaster Linux - Security 9 09-20-2004 10:06 AM
Problem accessing external IPs kevin_5050 Linux - Networking 7 02-08-2001 08:46 AM


All times are GMT -5. The time now is 08:25 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration