First, keep in mind that the "iptables script" runs and loads the iptables rules into a table that manages traffic... so
this:
Code:
iptables -A INPUT -s 10.0.0.1 -j DROP
iptables -A OUTPUT -s 10.0.0.1 -j DROP
iptables -A INPUT -s 10.0.0.2 -j DROP
iptables -A OUTPUT -s 10.0.0.2 -j DROP
iptables -A INPUT -s 10.0.0.3 -j DROP
iptables -A OUTPUT -s 10.0.0.3 -j DROP
and this:
Code:
for i in $(seq 1 3); do
iptables -A INPUT -s 10.0.0.$i -j DROP
iptables -A OUTPUT -s 10.0.0.$i -j DROP
done
are exactly the same as far as iptables is concerned... both result in exactly the same ruleset that will function exactly the same:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.1             0.0.0.0/0
DROP       all  --  10.0.0.2             0.0.0.0/0
DROP       all  --  10.0.0.3             0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.0.1             0.0.0.0/0
DROP       all  --  10.0.0.2             0.0.0.0/0
DROP       all  --  10.0.0.3             0.0.0.0/0
That being said, I'm not really clear on what your real question is. Also, I think you mean "packet", not "package", and if memory serves me you can't use a MAC address with -s / -d alone; you need to use "--mac-source HX:HX:HX:HX:HX:HX", and I doubt in most cases that is what you really want. You could also shorten your for loop a bit...
Code:
BLOCKMAC="/firewall/mac.blocked"
for i in $(grep -Ev "^#" $BLOCKMAC)
do
    # blah blah blah: the iptables rules for $i go here
done
or even
Code:
for i in $(grep -Ev "^#" /firewall/mac.blocked)
do
    # blah blah blah: the iptables rules for $i go here
done
(You also don't need to specify -E in this instance on any Linux I've used; now, if you're doing this on a Sun or IRIX box, maybe... You might also want to remove the pattern ^$, which is "blank line", which you could do by piping the output back to grep, à la "grep -v ^# /firewall/mac.blocked | grep -v ^$".)
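As an added example (not from the original poster), here is the loop-over-a-blocklist idea put together in one script: a helper that strips both comment lines and blank lines in a single grep, an IP loop that produces the same INPUT/OUTPUT DROP pairs shown above, and a MAC loop. The blocklist contents, file name and the IPTABLES variable are my assumptions; IPTABLES defaults to "echo iptables" so the generated rules can be reviewed before anything is actually loaded into the kernel. Note that on Linux the MAC match is the mac module (-m mac --mac-source) and it is only valid in the INPUT, FORWARD and PREROUTING chains, which is why there is no OUTPUT rule in block_macs.

```shell
#!/bin/sh
# Added example, not part of the original post.
# IPTABLES defaults to a dry run; set IPTABLES=iptables to apply for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Print the usable entries of a blocklist file: skip comment lines and blank lines
# (one grep instead of "grep -v ^# file | grep -v ^$"); leading whitespace is tolerated.
blocklist_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# One INPUT/OUTPUT DROP pair per address, the same ruleset as the hand-written version.
block_ips() {
    for ip in $(blocklist_entries "$1"); do
        $IPTABLES -A INPUT -s "$ip" -j DROP
        $IPTABLES -A OUTPUT -s "$ip" -j DROP
    done
}

# MAC matching needs the mac module; it works in INPUT/FORWARD/PREROUTING only,
# because an outgoing packet has no source MAC to match against in OUTPUT.
block_macs() {
    for mac in $(blocklist_entries "$1"); do
        $IPTABLES -A INPUT -m mac --mac-source "$mac" -j DROP
    done
}

# Count the entries a blocklist actually yields (handy for sanity-checking a list).
count_entries() {
    blocklist_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample blocklist (hypothetical addresses) so the script runs on its own.
SAMPLE_IPS=$(mktemp)
trap 'rm -f "$SAMPLE_IPS"' EXIT
cat > "$SAMPLE_IPS" <<'EOF'
# hosts to block (constructed sample data)
10.0.0.1

10.0.0.2
   # an indented comment
10.0.0.3
EOF

# Dry run: prints the six iptables commands that would be executed.
block_ips "$SAMPLE_IPS"
```

Run it as-is to see the generated commands; run it as root with IPTABLES=iptables to load them. Keep the dry run in the habit: a stray blank line in the list would otherwise produce an "iptables -A INPUT -s -j DROP" error mid-script, leaving the ruleset half-loaded.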