LinuxQuestions.org
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Old 09-30-2003, 08:00 AM   #1
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Rep: Reputation: 15
Multiple IP addresses to reject with iptables


Hello,

I have a plain text file which contains one IP address or domain name per line.
I would like to make a simple script that uses this file to reject all the IP addresses and domain names that are in it.

Can somebody help me to do it, because I don't know how to make a script like this?

I just want to limit unwanted pop-ups without using a proxy, which I know could do it.


Thank you.

Exalik
 
Old 10-01-2003, 07:04 PM   #2
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
I got this from the firewall at http://projectfiles.com/firewall/. I modified the script slightly so it reads the $BLACKLIST variable from a file I have in /etc/sysconfig/blacklist. The format of the blacklist file is like this:
Format: [<host or network address>[/<netmask>]][:[<port or port-range>[/<protocol>]]]

You can probably stick this in any rc.firewall script and get it to work with very little tweaking. Anyway, here is the code which does the work:

Code:
blacklistfile="/etc/sysconfig/blacklist"
# One entry per line; blank lines and "#" comments are ignored.
BLACKLIST=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$blacklistfile")

# Set by the full firewall script; "yes" filters the FORWARD chain as well.
IS_ROUTER=${IS_ROUTER:-no}

# check_network: true when $NET is a host or network address, false when the
# entry has no address part and $NET is really a port spec such as "80/tcp".
check_network() {
  [ -n "$NET" ] && ! printf '%s\n' "$NET" | grep -Eq '^[0-9]+(-[0-9]+)?(/(tcp|udp))?$'
}

# Drop traffic to and from blacklisted networks. Hostnames are resolved once,
# when the rule is inserted; a name with several addresses gets one rule each.

for NETWORK in $BLACKLIST; do
  NET=$(echo "$NETWORK:" | cut -d: -f1)
  PORTS=$(echo "$NETWORK:" | cut -d: -f2)
  if ! check_network; then
    # No address part: the port spec applies to every address.
    [ -z "$PORTS" ] && PORTS="$NET"
    NET="0.0.0.0/0"
  fi
  if [ "$NET" = "0.0.0.0/0" ] && [ -z "$PORTS" ]; then
    echo "blacklist: skipping '$NETWORK', it would drop all traffic" >&2
    continue
  fi
  if [ -n "$PORTS" ]; then
    PROTOCOL=$(echo "$PORTS/" | cut -d/ -f2)
    # The file writes ranges as low-high; iptables wants low:high.
    # $PORT is used unquoted below so "--dport" and the value split into two arguments.
    PORT="--dport $(echo "$PORTS/" | cut -d/ -f1 | cut -d- -f1,2 --output-delimiter=":")"
    if [ "$PROTOCOL" = "tcp" ] || [ -z "$PROTOCOL" ]; then
      if [ "$IS_ROUTER" = "yes" ]; then
        iptables -t filter -I FORWARD -s "$NET" -p tcp $PORT -j DROP
        iptables -t filter -I FORWARD -d "$NET" -p tcp $PORT -j DROP
      fi
      iptables -t filter -I INPUT -s "$NET" -p tcp $PORT -j DROP
      iptables -t filter -I INPUT -d "$NET" -p tcp $PORT -j DROP
      iptables -t filter -I OUTPUT -s "$NET" -p tcp $PORT -j DROP
      iptables -t filter -I OUTPUT -d "$NET" -p tcp $PORT -j DROP
    fi
    if [ "$PROTOCOL" = "udp" ] || [ -z "$PROTOCOL" ]; then
      if [ "$IS_ROUTER" = "yes" ]; then
        iptables -t filter -I FORWARD -s "$NET" -p udp $PORT -j DROP
        iptables -t filter -I FORWARD -d "$NET" -p udp $PORT -j DROP
      fi
      iptables -t filter -I INPUT -s "$NET" -p udp $PORT -j DROP
      iptables -t filter -I INPUT -d "$NET" -p udp $PORT -j DROP
      iptables -t filter -I OUTPUT -s "$NET" -p udp $PORT -j DROP
      iptables -t filter -I OUTPUT -d "$NET" -p udp $PORT -j DROP
    fi
  else
    if [ "$IS_ROUTER" = "yes" ]; then
      iptables -t filter -I FORWARD -s "$NET" -j DROP
      iptables -t filter -I FORWARD -d "$NET" -j DROP
    fi
    iptables -t filter -I INPUT -s "$NET" -j DROP
    iptables -t filter -I INPUT -d "$NET" -j DROP
    iptables -t filter -I OUTPUT -s "$NET" -j DROP
    iptables -t filter -I OUTPUT -d "$NET" -j DROP
  fi
done
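As an added example, not the poster's script and not the projectfiles.com firewall it was taken from, here is a parser for the same blacklist format that checks every entry against a strict shape before anything reaches iptables, refuses the one shape that would match every address, and defaults to a dry run that only prints the commands. The function and variable names (rules_for_entry, load_blacklist, emit, IPTABLES, TARGET) and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example, not the thread's script: parse the blacklist format
#   [<host or network address>[/<netmask>]][:[<port or port-range>[/<protocol>]]]
# into iptables commands, validating each entry first so a malformed line can
# never become a rule that matches every address. Function and variable names
# are this example's own. By default the commands are only printed (dry run);
# run with IPTABLES=iptables as root to apply them.
IPTABLES=${IPTABLES:-"echo iptables"}
TARGET=${TARGET:-DROP}         # the thread's script uses DROP; REJECT also works here
IS_ROUTER=${IS_ROUTER:-no}     # "yes" adds FORWARD rules, as in the thread's script

# Accepted shapes: an IPv4 address or network (CIDR or dotted mask) or a hostname,
# and a port or low-high range with an optional /tcp or /udp suffix. Octet and
# port values are not range-checked here; iptables rejects out-of-range ones.
ADDR_RE='^(([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]{1,2}|([0-9]{1,3}\.){3}[0-9]{1,3}))?|[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*)$'
PORT_RE='^[0-9]{1,5}(-[0-9]{1,5})?(/(tcp|udp))?$'

matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

# emit NET "extra match args": one rule per chain and direction.
emit() {
  if [ "$IS_ROUTER" = yes ]; then chains="INPUT OUTPUT FORWARD"; else chains="INPUT OUTPUT"; fi
  for chain in $chains; do
    # $2 is unquoted on purpose so "-p tcp --dport 80" splits into arguments.
    $IPTABLES -t filter -I "$chain" -s "$1" $2 -j "$TARGET"
    $IPTABLES -t filter -I "$chain" -d "$1" $2 -j "$TARGET"
  done
}

# Print the iptables commands for one entry; return 1 and say why on a bad one.
rules_for_entry() {
  entry=$1
  case $entry in
    '')  echo "blacklist: empty entry" >&2; return 1 ;;
    *:*) net=${entry%%:*}; ports=${entry#*:} ;;
    *)   # No colon: a bare port spec such as "80/tcp" applies to every address.
         if matches "$entry" "$PORT_RE"; then net=; ports=$entry; else net=$entry; ports=; fi ;;
  esac
  [ -n "$net" ] || net=0.0.0.0/0
  if ! matches "$net" "$ADDR_RE" || matches "$net" "$PORT_RE"; then
    echo "blacklist: malformed address in '$entry'" >&2; return 1
  fi
  if [ -n "$ports" ] && ! matches "$ports" "$PORT_RE"; then
    echo "blacklist: malformed port spec in '$entry'" >&2; return 1
  fi
  # Fail closed on the one shape that would black-hole all traffic.
  if [ "$net" = 0.0.0.0/0 ] && [ -z "$ports" ]; then
    echo "blacklist: '$entry' would match every address, refusing" >&2; return 1
  fi
  if [ -z "$ports" ]; then
    emit "$net" ""
    return 0
  fi
  range=${ports%%/*}
  proto=${ports#*/}
  [ "$proto" != "$ports" ] || proto="tcp udp"   # no suffix: both protocols
  case $range in                                 # iptables spells ranges low:high
    *-*) dport=${range%%-*}:${range#*-} ;;
    *)   dport=$range ;;
  esac
  for p in $proto; do emit "$net" "-p $p --dport $dport"; done
}

# Read a blacklist on stdin, strip comments and blank lines, and validate every
# entry before emitting anything, so one bad line aborts the whole load instead
# of leaving a partially applied rule set.
load_blacklist() {
  entries=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d')
  printf '%s\n' "$entries" | while read -r e; do
    [ -n "$e" ] || continue
    rules_for_entry "$e" >/dev/null || exit 1
  done || return 1
  printf '%s\n' "$entries" | while read -r e; do
    [ -n "$e" ] || continue
    rules_for_entry "$e"
  done
}

# Constructed sample blacklist for a dry run (made-up entries, not real blocklist data).
load_blacklist <<'EOF'
# constructed example entries
192.0.2.0/24
ads.example.net:80/tcp
203.0.113.7:1024-65535
EOF
```

To apply the rules for real, run it as root with `IPTABLES=iptables sh blacklist.sh < /etc/sysconfig/blacklist`; the default dry run lets you read the generated rules first. The fail-closed checks are the point of the example: the thread's loop turns an entry with neither an address nor a port into rules on 0.0.0.0/0, which would drop all traffic, whereas this version refuses that entry and aborts the whole load on any line it cannot parse.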