LinuxQuestions.org

Programming > Iptables script with for condition
http://www.linuxquestions.org/questions/programming-9/iptables-script-with-for-condition-804805/

Ronin_tekorei 04-28-2010 02:22 PM

Iptables script with for condition
 
Hello to all my good friends, I have a question regarding the use of a statement like the following in an iptables script.
Code:

BLOCKMAC="/root/mac.blocked"
MACS=$(grep -Ev "^#" $BLOCKMAC)
for i in $MACS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done

My concern is that iptables rules are checked in line for every package, so if I make a script like this:
Code:

iptables -F
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

BLOCKMAC="/firewall/mac.blocked"
MACS=$(grep -Ev "^#" $BLOCKMAC)
for i in $MACS
do
  iptables -A INPUT -s $i -j DROP
  iptables -A OUTPUT -d $i -j DROP
done

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

## And some other rules....

Will the "for" condition apply for the MACs that are sending a package every time, or just one time?

I need a script that checks every package every time they get into the router, and then follows all the other rules that are outside of the "for" condition.

I have no experience in advanced shell programming :confused:

Can someone help me please :D

rweaver 04-28-2010 04:06 PM

First, keep in mind that the "iptables script" runs and loads the iptables rules into a table that manages traffic... so--

this:
Code:

iptables -A INPUT -s 10.0.0.1 -j DROP
iptables -A OUTPUT -s 10.0.0.1 -j DROP
iptables -A INPUT -s 10.0.0.2 -j DROP
iptables -A OUTPUT -s 10.0.0.2 -j DROP
iptables -A INPUT -s 10.0.0.3 -j DROP
iptables -A OUTPUT -s 10.0.0.3 -j DROP

and this:
Code:

for i in $(seq 1 3); do
  iptables -A INPUT -s 10.0.0.$i -j DROP
  iptables -A OUTPUT -s 10.0.0.$i -j DROP
done

are exactly the same as far as iptables is concerned... both result in exactly the same ruleset, which will function exactly the same:
Code:

Chain INPUT (policy ACCEPT)
target    prot opt source              destination
DROP      all  --  10.0.0.1            0.0.0.0/0
DROP      all  --  10.0.0.2            0.0.0.0/0
DROP      all  --  10.0.0.3            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
DROP      all  --  10.0.0.1            0.0.0.0/0
DROP      all  --  10.0.0.2            0.0.0.0/0
DROP      all  --  10.0.0.3            0.0.0.0/0

That being said, I'm not really clear on what your real question is. Also, I think you mean "packet", not "package", and if memory serves me, you can't use a MAC address with -s / -d alone; you need to use "--mac-source HX:HX:HX:HX:HX:HX", and I doubt in most cases that is what you really want. You could also shorten your for loop a bit..

Code:

BLOCKMAC="/firewall/mac.blocked"
for i in $(grep -Ev "^#" $BLOCKMAC)
do
  blah blah blah
done

or even
Code:

for i in $(grep -Ev "^#" /firewall/mac.blocked)
do
  blah blah blah
done

(You also don't need to specify -E in this instance on any Linux I've used; now if you're doing this on a Sun or IRIX, maybe... You might also want to remove the pattern ^$, which is "blank line", which you could do by piping the output back to grep, a la "grep -v ^# /firewall/mac.blocked | grep -v ^$".)
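
The two points made in this thread, that the loop only runs once to load rules the kernel then applies to every packet, and that a MAC address cannot be given to -s / -d, are shown together in the following script. It is an added example, not code from either poster: the block-list path, the constructed sample entries and the IPT variable are assumptions. It strips comments and blank lines the way rweaver describes, tells MAC entries from IP entries, and uses "-m mac --mac-source" for the former. Setting IPT=echo prints the rules instead of loading them, so it can be checked without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds DROP rules once from a
# block-list file; after that the kernel checks every packet against the
# loaded rules, so nothing in this script needs to run per packet.
# The file path, the sample entries and the IPT variable are assumptions.
# IPT defaults to iptables; set IPT=echo to print the rules instead of
# loading them (dry run).

IPT="${IPT:-iptables}"

# Constructed sample list in the same shape as /firewall/mac.blocked
# (comments, blank lines, MAC and IP entries, one malformed line).
sample_blocklist() {
    cat <<'EOF'
# constructed sample block list
00:11:22:33:44:55
AA:BB:CC:DD:EE:FF     # inline comment

192.0.2.10
198.51.100.0/24
not-an-address
EOF
}

# Strip '#' comments (whole-line or trailing), surrounding whitespace and
# blank lines, so the loop below never sees a '#' or an empty word.
read_blocklist() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Classify an entry as mac, ip (IPv4, optional /prefix) or bad.
classify_entry() {
    if printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo mac
    elif printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        echo ip
    else
        echo bad
    fi
}

# Emit the DROP rules for one entry.
# -s/-d take IP addresses only. A MAC is matched with '-m mac --mac-source',
# which works only where the kernel has seen the incoming frame
# (INPUT, FORWARD, PREROUTING); there is no --mac-destination, so outgoing
# traffic to a blocked MAC cannot be filtered this way.
block_entry() {
    entry="$1"
    case "$(classify_entry "$entry")" in
        mac)
            $IPT -A INPUT   -m mac --mac-source "$entry" -j DROP
            $IPT -A FORWARD -m mac --mac-source "$entry" -j DROP
            ;;
        ip)
            $IPT -A INPUT   -s "$entry" -j DROP
            $IPT -A FORWARD -s "$entry" -j DROP
            $IPT -A OUTPUT  -d "$entry" -j DROP
            ;;
        *)
            echo "skipping malformed entry: $entry" >&2
            return 1
            ;;
    esac
}

# Load the whole file. Runs once at script start; the resulting rules are
# what the kernel evaluates for every packet from then on.
load_blocklist() {
    loaded=0 skipped=0
    for e in $(read_blocklist "$1"); do
        if block_entry "$e"; then
            loaded=$((loaded + 1))
        else
            skipped=$((skipped + 1))
        fi
    done
    echo "loaded=$loaded skipped=$skipped" >&2
}

# Usage: sh blocklist.sh /firewall/mac.blocked            (load rules)
#        IPT=echo sh blocklist.sh /firewall/mac.blocked   (dry run)
#        sh blocklist.sh --sample                         (dry run on the sample)
case "${1:-}" in
    "")       ;;   # no argument (or sourced): only define the functions
    --sample) f=$(mktemp); sample_blocklist > "$f"; IPT=echo; load_blocklist "$f"; rm -f "$f" ;;
    *)        load_blocklist "$1" ;;
esac
```

Two caveats worth keeping in mind when using this in the script from the first post: iptables takes the first matching rule, so these DROP rules must be appended before any ACCEPT rule for the same traffic in the same chain, and a MAC match only sees hosts on the directly connected segment and is trivially spoofed by the sender, so it is a convenience filter rather than a security boundary.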

Ronin_tekorei 04-28-2010 04:44 PM

Wow! Thanks a lot! You have cleared my doubts.

And my question was whether the "for" would load sequentially all the rules for each MAC address or IP.

You have made it all clear for me.

Thanks.
