LinuxQuestions.org

Forum: Linux - General (https://www.linuxquestions.org/questions/linux-general-1/)
Thread: Multi IP address to reject with iptables (https://www.linuxquestions.org/questions/linux-general-1/multi-ip-adress-to-reject-with-iptables-98579/)

exalik 09-30-2003 08:00 AM

Multi IP address to reject with iptables
 
Hello,

I have a plain text file which contains one IP address or domain name per line.
I would like to make a simple script that uses this file to reject all the IP addresses and domain names that are in it.

Can somebody help me to do it, because I don't know how to make a script like this?

I just want to limit unwanted pop-ups without using any proxy, which I know could do it.


Thank you.

Exalik

/bin/bash 10-01-2003 07:04 PM

I got this from the firewall at http://projectfiles.com/firewall/. I modified the script slightly so it reads the $BLACKLIST variable from a file I have in /etc/sysconfig/blacklist. The format of the blacklist file is like this:
Format: [<host or network address>[/<netmask>]][:[<port or port-range>[/<protocol>]]

You can probably stick this in any rc.firewall script and get it to work with very little tweaking. Anyway, here is the code which does the work:

Code:

blacklistfile="/etc/sysconfig/blacklist"
BLACKLIST=`cat $blacklistfile`

# check_network and IS_ROUTER are defined elsewhere in the projectfiles.com
# rc.firewall this loop was taken from. The two stand-ins below are assumptions,
# not the upstream definitions, so that the loop runs on its own: check_network
# succeeds when $NET looks like an IPv4 host/network or a host name rather than
# a bare port spec, and IS_ROUTER=yes also filters forwarded traffic.
check_network() {
  echo "$NET" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[A-Za-z0-9.-]*[A-Za-z][A-Za-z0-9.-]*$'
}
IS_ROUTER=${IS_ROUTER:-no}

# Drop traffic to and from blacklisted networks. Rules are inserted (-I) at the
# top of each chain so they take precedence over any ACCEPT rules already there.

for NETWORK in $BLACKLIST; do
  NET=`echo "$NETWORK:" | cut -d: -f1`          # host/network part, before ':'
  if ! check_network; then
    PORTS="$NET"                                # no address: the entry is only ports
    NET="0.0.0.0/0"
  else
    PORTS=`echo "$NETWORK:" | cut -d: -f2`      # port[-range][/protocol] part, after ':'
  fi
  if [ -n "$PORTS" ]; then
    PROTOCOL=`echo "$PORTS/" | cut -d/ -f2`
    # "80-90" becomes "--dport 80:90", the range syntax iptables expects
    PORT="--dport `echo "$PORTS/" | cut -d/ -f1 | cut -d- -f1,2 --output-delimiter=":"`"
    # No protocol given: block the port(s) for both tcp and udp.
    if [ "$PROTOCOL" = "tcp" ] || [ -z "$PROTOCOL" ]; then
      if [ "$IS_ROUTER" = "yes" ]; then
        iptables -t filter -I FORWARD -s $NET -p tcp $PORT -j DROP
        iptables -t filter -I FORWARD -d $NET -p tcp $PORT -j DROP
      fi
      iptables -t filter -I INPUT -s $NET -p tcp $PORT -j DROP
      iptables -t filter -I INPUT -d $NET -p tcp $PORT -j DROP
      iptables -t filter -I OUTPUT -s $NET -p tcp $PORT -j DROP
      iptables -t filter -I OUTPUT -d $NET -p tcp $PORT -j DROP
    fi
    if [ "$PROTOCOL" = "udp" ] || [ -z "$PROTOCOL" ]; then
      if [ "$IS_ROUTER" = "yes" ]; then
        iptables -t filter -I FORWARD -s $NET -p udp $PORT -j DROP
        iptables -t filter -I FORWARD -d $NET -p udp $PORT -j DROP
      fi
      iptables -t filter -I INPUT -s $NET -p udp $PORT -j DROP
      iptables -t filter -I INPUT -d $NET -p udp $PORT -j DROP
      iptables -t filter -I OUTPUT -s $NET -p udp $PORT -j DROP
      iptables -t filter -I OUTPUT -d $NET -p udp $PORT -j DROP
    fi
  else
    # Whole host or network, every port and protocol.
    if [ "$IS_ROUTER" = "yes" ]; then
      iptables -t filter -I FORWARD -s $NET -j DROP
      iptables -t filter -I FORWARD -d $NET -j DROP
    fi
    iptables -t filter -I INPUT -s $NET -j DROP
    iptables -t filter -I INPUT -d $NET -j DROP
    iptables -t filter -I OUTPUT -s $NET -j DROP
    iptables -t filter -I OUTPUT -d $NET -j DROP
  fi
done
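
As an added example (not code from the thread or from the projectfiles.com firewall), here is a stand-alone POSIX sh version of the same idea: it parses the blacklist format quoted in the post above and covers the original question's one-address-or-name-per-line file, since such lines are the simplest case of that format. Everything it assumes is its own: the chain name BLACKLIST, the IPTABLES variable (defaulting to `echo iptables` so the generated rules can be inspected without root), IPv4-only entries, and a constructed sample blacklist in the demo function.

```shell
#!/bin/sh
# Added example, not code from the thread or from the projectfiles.com firewall.
# Loads a blacklist file in the format quoted in the post above,
#   [<host or network address>[/<netmask>]][:[<port or port-range>[/<protocol>]]]
# into DROP rules in a dedicated chain (IPv4 only, like the original). Every iptables
# call goes through $IPTABLES, which defaults to "echo iptables" so the generated
# rules can be inspected without root. Chain and variable names are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"   # IPTABLES=iptables to load the rules for real
CHAIN="${CHAIN:-BLACKLIST}"             # own chain: flush and reload without duplicates
IS_ROUTER="${IS_ROUTER:-no}"            # yes = also hook the chain into FORWARD

# is_network STRING: true for an IPv4 address, an IPv4/prefix network or a dotted
# host name (iptables resolves a name when the rule is inserted, one rule per address).
# Anything else, e.g. a bare "80" or "80-90/tcp", is a port spec without an address.
is_network() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' && return 0
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# parse_entry ENTRY: sets NET, PORTS (in the "lo:hi" form --dport takes, empty if
# none) and PROTO (tcp, udp, or empty meaning both). Returns 1 on a bad protocol.
parse_entry() {
  NET="${1%%:*}"
  case "$1" in *:*) PORTS="${1#*:}" ;; *) PORTS="" ;; esac
  if [ -z "$NET" ]; then
    NET="0.0.0.0/0"                      # ":80/tcp": ports only, any address
  elif ! is_network "$NET"; then
    PORTS="$NET"; NET="0.0.0.0/0"        # "80/tcp": the same, written without the colon
  fi
  case "$PORTS" in */*) PROTO="${PORTS#*/}"; PORTS="${PORTS%%/*}" ;; *) PROTO="" ;; esac
  PORTS=$(printf '%s' "$PORTS" | tr '-' ':')   # 80-90 -> 80:90
  case "$PROTO" in
    ""|tcp|udp) return 0 ;;
    *) echo "unsupported protocol in '$1'" >&2; return 1 ;;
  esac
}

# rules_for_entry ENTRY: append the DROP rules for one line to $CHAIN, in both
# directions like the script above: with -s, --dport is our port; with -d, theirs.
rules_for_entry() {
  parse_entry "$1" || return 1
  if [ -z "$PORTS" ]; then
    $IPTABLES -A "$CHAIN" -s "$NET" -j DROP
    $IPTABLES -A "$CHAIN" -d "$NET" -j DROP
    return 0
  fi
  for proto in ${PROTO:-tcp udp}; do
    $IPTABLES -A "$CHAIN" -s "$NET" -p "$proto" --dport "$PORTS" -j DROP
    $IPTABLES -A "$CHAIN" -d "$NET" -p "$proto" --dport "$PORTS" -j DROP
  done
}

# load_blacklist FILE: (re)create the chain, hook it ahead of the built-in chains
# and add one rule set per non-comment line. Returns 1 if any line was rejected.
load_blacklist() {
  rc=0
  $IPTABLES -N "$CHAIN" 2>/dev/null || true   # harmless if the chain already exists
  $IPTABLES -F "$CHAIN"
  hooks="INPUT OUTPUT"
  [ "$IS_ROUTER" = yes ] && hooks="$hooks FORWARD"
  for hook in $hooks; do
    $IPTABLES -D "$hook" -j "$CHAIN" 2>/dev/null || true   # remove a stale hook first
    $IPTABLES -I "$hook" -j "$CHAIN"
  done
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')   # comments, blanks
    [ -z "$line" ] && continue
    rules_for_entry "$line" || rc=1
  done < "$1"
  return $rc
}

# demo: constructed sample blacklist (not from the thread), loaded through $IPTABLES.
demo() {
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<'EOF'
# pop-up and ad hosts, one per line
ads.example.com
203.0.113.0/24          # whole network, all ports
198.51.100.7:80-90/tcp  # only the web ports of one host
:137/udp                # NetBIOS name service from or to anyone
EOF
  status=0
  load_blacklist "$tmp" || status=1
  rm -f "$tmp"
  return $status
}
```

Two points worth knowing before using it for the poster's purpose. The thread asks for "reject", and `-j REJECT` is a one-word change from `-j DROP`: REJECT answers with a TCP reset or ICMP error so a browser fails immediately, while DROP discards silently and leaves the connection waiting for a timeout; for blocking pop-up hosts, REJECT is usually the friendlier choice. Also, a host name in the file is resolved only once, when the rule is inserted, so rules for ad servers whose addresses change go stale until the script is run again (the dedicated chain exists so that re-running it replaces the old rules instead of stacking duplicates in INPUT and OUTPUT).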


