LinuxQuestions.org
Old 04-28-2010, 01:22 PM   #1
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Rep: Reputation: 15
Iptables script with for condition


Hello to all my good friends, I have a question regarding the use of a statement like the following in an iptables script.
Code:
BLOCKMAC="/root/mac.blocked"
MACS=$(grep -Ev "^#" $BLOCKMAC)
for i in $MACS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done
My concern is that iptables rules are checked in line for every package, so if I make a script like this:
Code:
iptables -F
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

BLOCKMAC="/firewall/mac.blocked"
MACS=$(grep -Ev "^#" $BLOCKMAC)
for i in $MACS
do
   iptables -A INPUT -s $i -j DROP
   iptables -A OUTPUT -d $i -j DROP
done

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

## And some other rules....
Will the "for" condition apply to the MACs that are sending a package every time, or just one time?

I need a script that checks every package every time it gets into the router, and then follows all the other rules that are outside the "for" condition.

I have no experience in advanced shell programming.

Can someone help me, please?

Last edited by Ronin_tekorei; 04-28-2010 at 01:24 PM.
 
Old 04-28-2010, 03:06 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163Reputation: 163
First, keep in mind that the "iptables script" runs and loads the iptables rules into a table that manages traffic... so--

this:
Code:
iptables -A INPUT -s 10.0.0.1 -j DROP
iptables -A OUTPUT -s 10.0.0.1 -j DROP
iptables -A INPUT -s 10.0.0.2 -j DROP
iptables -A OUTPUT -s 10.0.0.2 -j DROP
iptables -A INPUT -s 10.0.0.3 -j DROP
iptables -A OUTPUT -s 10.0.0.3 -j DROP
and this:
Code:
for i in $(seq 1 3); do
  iptables -A INPUT -s 10.0.0.$i -j DROP
  iptables -A OUTPUT -s 10.0.0.$i -j DROP
done
are exactly the same as far as iptables is concerned... both result in exactly the same ruleset that will function exactly the same:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.1             0.0.0.0/0
DROP       all  --  10.0.0.2             0.0.0.0/0
DROP       all  --  10.0.0.3             0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.1             0.0.0.0/0
DROP       all  --  10.0.0.2             0.0.0.0/0
DROP       all  --  10.0.0.3             0.0.0.0/0
That being said, I'm not really clear on what your real question is. Also, I think you mean "packet", not "package", and if memory serves me you can't use a MAC address with -s / -d alone; you need to use "--mac-source HX:HX:HX:HX:HX:HX", and I doubt in most cases that is what you really want. You could also shorten your for loop a bit..

Code:
BLOCKMAC="/firewall/mac.blocked"
for i in $(grep -Ev "^#" $BLOCKMAC)
do
   blah blah blah
done
or even
Code:
for i in $(grep -Ev "^#" /firewall/mac.blocked)
do
   blah blah blah
done
(You also don't need to specify -E in this instance on any Linux I've used; now, if you're doing this on a Sun or IRIX, maybe... You might also want to remove the pattern ^$, which is "blank line", which you could do by piping the output back to grep, a la "grep -v ^# /firewall/mac.blocked | grep -v ^$".)

Last edited by rweaver; 04-28-2010 at 03:23 PM.
 
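The point of the reply above is that the loop only generates rules once, at load time; the kernel then checks every packet against the generated rules. The script below is an added example, not code from this thread or its posters: it reads a blocklist file (a constructed sample is written inline), drops comment and blank lines as suggested, validates each entry as a MAC address, and emits one rule per MAC using the mac match module ("-m mac --mac-source"). The IPTABLES variable and all file names are assumptions for the demo; by default it only echoes the commands.

```shell
# Added example (not the thread's code): build MAC-blocking iptables rules
# from a blocklist file. The loop runs once at load time; the kernel then
# applies the rules to every packet. IPTABLES defaults to a dry run (echo).
IPTABLES="${IPTABLES:-echo iptables}"

# Usable entries of blocklist file $1: comment/blank lines dropped,
# surrounding whitespace trimmed, one entry per line.
blocklist_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Succeeds when $1 is a MAC address (six colon-separated hex pairs).
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Valid MACs from blocklist file $1; anything else is reported on stderr
# and skipped rather than handed to iptables.
valid_macs() {
    blocklist_entries "$1" | while IFS= read -r entry; do
        if is_mac "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid blocklist entry: %s\n' "$entry" >&2
        fi
    done
}

# One DROP rule per valid MAC. A MAC is matched with "-m mac --mac-source",
# not "-s"; the mac match exists only in PREROUTING, INPUT and FORWARD, so
# there is no OUTPUT counterpart.
load_mac_blocklist() {
    for mac in $(valid_macs "$1"); do
        $IPTABLES -A INPUT -m mac --mac-source "$mac" -j DROP
    done
}

# Constructed sample blocklist (not from the thread) for the dry run below.
write_sample_blocklist() {
    cat > "$1" <<'EOF'
# MACs to drop on INPUT
00:11:22:33:44:55

  aa:bb:cc:dd:ee:ff
not-a-mac
EOF
}
# Dry run: prints two iptables commands and one warning about "not-a-mac".
f=$(mktemp); write_sample_blocklist "$f"; load_mac_blocklist "$f"; rm -f "$f"
```

Run as root with IPTABLES=iptables to apply the rules instead of printing them.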
Old 04-28-2010, 03:44 PM   #3
Ronin_tekorei
Member
 
Registered: May 2006
Distribution: Fedora
Posts: 57

Original Poster
Rep: Reputation: 15
Wow! Thanks a lot! You have cleared my doubts.

And my question was whether the "for" would load sequentially all the rules for each MAC address or IP.

You have made it all clear for me.

Thanks.
Tags
bash, iptables, loop, scripting