LinuxQuestions.org

Programming forum thread: https://www.linuxquestions.org/questions/programming-9/iptables-bash-script-to-add-offending-ips-to-temporary-chain-611994/

NinjaGuru 01-08-2008 09:13 AM

iptables bash script to add offending ip's to temporary chain
 
Hi there all,

I have just set up a simple iptables firewall on one of my Linux boxes. I have written a script that (hopefully) does the following:

(I am quite new to bash scripting, so please excuse my attempt at this script.)

Spec
1: Scan through my /etc/httpd/logs/access_log (Apache log)
2: Filter out a particular pattern
3: Output the filtered IP addresses to a text file
4: Sort the text file, removing duplicate entries
5: Flush iptables
6: Add the sorted / filtered IP addresses to iptables
7: Timestamp the last time this script was run

As I rotate my access_log every 24 hours, offending IPs can probably get in after 24 hours, which is fine.

I have written the following script; however, it does not seem to be working properly (I got some of the code after doing some Google searches). Is there anyone here who could perhaps guide me in the right direction?

Code:

#!/bin/bash
#Setup some vars
MAILTO=myemail@address.com          # unused below
BLOCK_LIST=`cat /etc/ipblock-uniq`  # read here, before the file is regenerated below, so this is last run's list
CURRENT_RULES=`iptables -L`         # captured before the flush, so it is stale by the time the loop runs
IPTABLES=`whereis iptables | awk '{print $2}'`
# 1st Flush Iptables (this removes every rule on the box, not just the ones added here)
$IPTABLES --flush
# Search for the offending ip's in Access_log: lines whose Referer and User-Agent are both "-"
cat /etc/httpd/logs/access_log | grep '"-" "-"' | awk '{print $1}'  > /etc/ipblock
# Remove duplicates
sort /etc/ipblock | uniq > /etc/ipblock-uniq

# This code is not working too well at the moment
for ENTRIES in $BLOCK_LIST; do
        SUCCESS=0
        # grep treats its second argument as a file name, so this looks for a file
        # whose name is the whole "iptables -L" output instead of searching that text;
        # grep fails with "No such file", "$?" is never 0, and the rules are always added
        grep "$ENTRIES" "$CURRENT_RULES"
                if [ ! "$?" = "$SUCCESS" ]; then # if the rule is not found, add it
                        $IPTABLES -I INPUT -i eth0 -s $ENTRIES -j DROP
                        $IPTABLES -I OUTPUT -o eth0 -d $ENTRIES -j DROP
                fi
done
# Remove certain IP's from accidental lockout
# (-i is only valid on INPUT; iptables rejects "-D OUTPUT -i ...", so the INPUT rule is deleted here)
$IPTABLES -D INPUT -i eth0 -s 11.111.111.111 -j DROP
$IPTABLES -D OUTPUT -o eth0 -d 11.111.111.111 -j DROP
# View iptables
$IPTABLES -L -n -v
#Timestamp last action
date >/etc/potential-lastrun.log


NinjaGuru 01-08-2008 10:05 AM

I messed around with it a bit, and I have managed to get it working now.

Here is my code, just in case the solution I came up with is not too elegant (I'm quite sure it is not!).


Code:

#!/bin/bash
#Setup some vars
MAILTO=myemail@address.com      # unused below
CURRENT_RULES=`iptables -L`     # unused below
# whereis finds /sbin/iptables even when cron's PATH does not include /sbin
IPTABLES=`whereis iptables | awk '{print $2}'`
# 1st Flush Iptables (this removes every rule on the box, not just the ones added here)
$IPTABLES --flush
# Search for the offending ip's in Access_log: lines whose Referer and User-Agent are both "-"
grep '"-" "-"' /etc/httpd/logs/access_log | awk '{print $1}' > /etc/ipblock
# Remove duplicates
sort -u /etc/ipblock > /etc/ipblock-uniq
# Read the list only after it has been regenerated; reading it at the top of the
# script (as before) blocks the previous run's list instead of the current one
BLOCK_LIST=`cat /etc/ipblock-uniq`

# This code is now working: one DROP rule pair per address
for ENTRIES in $BLOCK_LIST; do
        $IPTABLES -I INPUT -i eth0 -s "$ENTRIES" -j DROP
        $IPTABLES -I OUTPUT -o eth0 -d "$ENTRIES" -j DROP
done

# Remove certain IP's from accidental lockout
# (-i is only valid on INPUT; iptables rejects "-D OUTPUT -i ...", so the INPUT rule is deleted here)
$IPTABLES -D INPUT -i eth0 -s 11.111.111.111 -j DROP
$IPTABLES -D OUTPUT -o eth0 -d 11.111.111.111 -j DROP
# View iptables
$IPTABLES -L -n -v
#Timestamp last action
date >/etc/potential-lastrun.log
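
The spec in the first post and the working script in the second both flush the entire ruleset and then re-add one DROP pair per address in INPUT and OUTPUT. The following is an added example, not NinjaGuru's code, that does the same job with the "temporary chain" from the thread title: a dedicated chain that is emptied and refilled on each run, so any other firewall rules survive; each address is validated as IPv4 before it reaches an iptables command, so a garbled or hostile log line cannot inject arguments; and whitelisted hosts are filtered out before the rules are built instead of being deleted afterwards. Assumptions not in the thread: the chain name BLOCKLIST, the whitelist contents, the constructed sample log lines, and that real changes are made only when run as root with --apply; without --apply it prints the iptables commands it would run against the embedded sample.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): rebuild a dedicated iptables chain from the
# Apache access log. Chain name, whitelist and the sample log below are assumptions.
set -u

CHAIN="${CHAIN:-BLOCKLIST}"                       # assumed chain name
IFACE="${IFACE:-eth0}"
LOG="${LOG:-/etc/httpd/logs/access_log}"
STATEFILE="${STATEFILE:-/etc/potential-lastrun.log}"
IPTABLES="${IPTABLES:-iptables}"                  # "echo iptables" gives a dry run
# Hosts that must never be blocked; 11.111.111.111 is the placeholder used in the thread
WHITELIST="${WHITELIST:-11.111.111.111 127.0.0.1}"

# Constructed sample log in Apache combined format (not real traffic).
SAMPLE_LOG='203.0.113.7 - - [08/Jan/2008:09:13:00 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"
198.51.100.23 - - [08/Jan/2008:09:13:02 -0500] "GET /index.html HTTP/1.1" 200 3171 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2008:09:13:03 -0500] "GET /admin/ HTTP/1.1" 404 209 "-" "-"
11.111.111.111 - - [08/Jan/2008:09:13:05 -0500] "GET /status HTTP/1.1" 200 87 "-" "-"
999.1.1.1 - - [08/Jan/2008:09:13:06 -0500] "GET / HTTP/1.1" 400 0 "-" "-"
192.0.2.9 - - [08/Jan/2008:09:13:07 -0500] "POST /wp-login.php HTTP/1.1" 200 1502 "-" "-"'

# Read combined-format log lines on stdin; print the client IP of every line whose
# Referer and User-Agent fields are both "-", deduplicated, excluding whitelisted
# hosts and anything that is not a well-formed IPv4 address (IPv6 is not handled).
extract_offenders() {
    awk -v wl="$WHITELIST" '
        function valid_ip(ip,   o, k) {
            if (split(ip, o, ".") != 4) return 0
            for (k = 1; k <= 4; k++)
                if (o[k] !~ /^[0-9]+$/ || o[k] + 0 > 255) return 0
            return 1
        }
        BEGIN { n = split(wl, w, " "); for (k = 1; k <= n; k++) skip[w[k]] = 1 }
        NF >= 2 && $(NF-1) == "\"-\"" && $NF == "\"-\"" && valid_ip($1) && !($1 in skip) { print $1 }
    ' | sort -u
}

# Read IPs on stdin and rebuild the dedicated chain from them. Only this chain is
# flushed; the jump from INPUT/OUTPUT is deleted and re-inserted so that repeated
# runs do not pile up duplicate jump rules.
apply_blocklist() {
    local ip
    $IPTABLES -N "$CHAIN" 2>/dev/null || true      # create once, ignore "already exists"
    $IPTABLES -F "$CHAIN"
    $IPTABLES -D INPUT  -i "$IFACE" -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I INPUT  -i "$IFACE" -j "$CHAIN"
    $IPTABLES -D OUTPUT -o "$IFACE" -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I OUTPUT -o "$IFACE" -j "$CHAIN"
    while IFS= read -r ip; do
        $IPTABLES -A "$CHAIN" -s "$ip" -j DROP     # traffic arriving from the offender
        $IPTABLES -A "$CHAIN" -d "$ip" -j DROP     # traffic leaving towards it
    done
}

# Dry run against the sample by default; --apply works on the real log as root.
main() {
    case "${1:-demo}" in
        --apply)
            extract_offenders < "$LOG" | apply_blocklist && date > "$STATEFILE" ;;
        *)
            IPTABLES="echo iptables"
            printf '%s\n' "$SAMPLE_LOG" | extract_offenders | apply_blocklist ;;
    esac
}

main "$@"
```

Run it without arguments to see the exact iptables commands it would issue for the sample (two addresses survive: 203.0.113.7 and 192.0.2.9; 11.111.111.111 is whitelisted, 999.1.1.1 is rejected as malformed, and the line with a real Referer and User-Agent is ignored), then `sudo ./blocklist.sh --apply` from the same 24-hour cron job the thread describes. Because only the BLOCKLIST chain is flushed, the rest of the firewall is never touched, and because the whitelist is applied before any rule is built there is no window in which the admin host is blocked.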


