I got this from the firewall at
http://projectfiles.com/firewall/. I modified the script slightly so that it reads the $BLACKLIST variable from a file I keep in /etc/sysconfig/blacklist. Each entry in the blacklist file has this format:
Format: [<host or network address>[/<netmask>]][:[<port or port-range>[/<protocol>]]]
You can probably drop this into any rc.firewall script and get it to work with very little tweaking. Anyway, here is the code that does the work:
Code:
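blacklistfile="/etc/sysconfig/blacklist"

#######################################
# Insert DROP rules for one blacklist entry, matching it both as source
# and as destination.
# Globals:   IS_ROUTER (read) - when "yes", FORWARD gets the rules as well
# Arguments: $1 - host or network in iptables -s/-d syntax
#            $@ - further match arguments (e.g. -p tcp --dport 80:90); may be empty
# Outputs:   nothing on stdout; iptables errors go to stderr
# Returns:   status of the last iptables call
#######################################
blacklist_drop() {
  local net=$1
  shift
  local chains="INPUT OUTPUT"
  if [ "${IS_ROUTER:-}" == "yes" ]; then
    chains="FORWARD INPUT OUTPUT"
  fi
  local chain
  for chain in $chains; do
    # -I puts the rule at the head of the chain so it takes precedence over
    # any ACCEPT rule installed earlier in rc.firewall.
    iptables -t filter -I "$chain" -s "$net" "$@" -j DROP
    iptables -t filter -I "$chain" -d "$net" "$@" -j DROP
  done
}

# Load the blacklist. An unreadable file is reported but not fatal, so the
# rest of the firewall still comes up without the blacklist rules.
BLACKLIST=""
if [ -r "$blacklistfile" ]; then
  BLACKLIST=$(< "$blacklistfile")
else
  printf 'blacklist: cannot read %s, no blacklist rules loaded\n' "$blacklistfile" >&2
fi

# Drop traffic to and from blacklisted networks.
# Entry format: [<host or net>[/<mask>]][:[<port or port-range>[/<protocol>]]]
# Entries are whitespace separated. IPv4 only: ':' is the field separator.
for NETWORK in $BLACKLIST; do
  NET=$(printf '%s:' "$NETWORK" | cut -d: -f1)
  # check_network is defined elsewhere in rc.firewall; it presumably tests
  # whether $NET is an address/network — not visible here, TODO confirm.
  if ! check_network; then
    # No address part: the whole entry is a port spec that applies to all hosts.
    PORTS="$NET"
    NET="0.0.0.0/0"
  else
    PORTS=$(printf '%s:' "$NETWORK" | cut -d: -f2)
  fi

  if [ -n "$PORTS" ]; then
    PROTOCOL=$(printf '%s/' "$PORTS" | cut -d/ -f2)
    # "80-90" becomes "80:90", the port-range syntax iptables expects.
    PORTSPEC=$(printf '%s/' "$PORTS" | cut -d/ -f1 | cut -d- -f1,2 --output-delimiter=":")
    # Build the --dport arguments as an array so they are passed as separate
    # words without relying on unquoted word splitting; an entry with a
    # protocol but no port (e.g. "1.2.3.4:/tcp") gets no --dport at all
    # instead of a malformed "--dport" with nothing after it.
    PORT_ARGS=()
    if [ -n "$PORTSPEC" ]; then
      PORT_ARGS=(--dport "$PORTSPEC")
    fi
    # $PORT kept in its original "--dport N:M" form for any later code that reads it.
    PORT="${PORT_ARGS[*]}"
    case "$PROTOCOL" in
      tcp|udp)
        blacklist_drop "$NET" -p "$PROTOCOL" "${PORT_ARGS[@]}"
        ;;
      "")
        # No protocol given: block the port for both TCP and UDP.
        blacklist_drop "$NET" -p tcp "${PORT_ARGS[@]}"
        blacklist_drop "$NET" -p udp "${PORT_ARGS[@]}"
        ;;
      *)
        # Anything else would previously be ignored silently, leaving the
        # entry unblocked with no indication; say so instead.
        printf 'blacklist: unknown protocol "%s" in entry "%s", skipped\n' \
          "$PROTOCOL" "$NETWORK" >&2
        ;;
    esac
  else
    # Address only: drop everything to and from it, regardless of protocol.
    blacklist_drop "$NET"
  fi
done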