LinuxQuestions.org
Old 04-22-2006, 01:04 AM   #1
cylarz
Capt Caveman:

I have no reason to think I've been hacked, but I would like to prevent that from happening.

I noticed that you said you could use the iptables command to completely ban a given IP from all ports. I'd like to ban some IPs from my system also. However, wouldn't I have to run the command you gave, for EVERY IP I want to ban, EVERY time I happen to reboot the system?

Basically what I'm asking is this - is there a way to use a GUI/command-line tool to input a list of IPs which the system would read on startup and then ban forever? Does iptables at least have a .conf file or something that it reads?
 
Old 04-22-2006, 01:05 AM   #2
cylarz
iptables is already running on my system, in case you are wondering.
 
Old 04-22-2006, 10:34 AM   #3
win32sux
yes, it's easy, just have a text file with the IPs and then have something like this in your iptables script:
Code:
# file with one banned address per line
BANNED_IPS="/path/to/banned_ips.txt"

# insert a DROP rule at the top of the INPUT chain for every address listed
for i in $(cat "$BANNED_IPS"); do
    iptables -I INPUT -s "$i" -j DROP
done
the file banned_ips.txt would just contain an IP per line, kinda like:
Code:
10.25.63.63
10.25.63.65
10.84.75.25
10.25.123.165
10.84.123.166

Last edited by win32sux; 04-22-2006 at 10:36 AM.
 
Old 04-22-2006, 01:09 PM   #4
win32sux
BTW, I suggest you insert this command after your ESTABLISHED,RELATED rule... this is because if your banned IP list gets to be very large, then it might cause the traversal of the other packets to lag... so let's say the ESTABLISHED,RELATED rule is your first rule in the INPUT chain, and your localhost rule is the second, and then you have some rules accepting (for example) HTTP (TCP/80) and HTTPS (TCP/443)... then it might go like this:
Code:
BANNED_IPS="/path/to/banned_ips.txt"

# rule 1: packets belonging to connections that were already accepted
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# rule 2: loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# rules 3 onwards: one DROP per banned address, appended in file order
for i in $(cat "$BANNED_IPS"); do
    iptables -A INPUT -s "$i" -j DROP
done

# only NEW connections that got past the ban list reach these rules
iptables -A INPUT -p TCP -i eth0 --dport 80 \
    -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 443 \
    -m state --state NEW -j ACCEPT
as you can see, an append was used in the example above for the banned list rule... this is because the rule was included inside the script itself... but if we had run the core script first, as is usually the case, like:
Code:
# core script: rule 1 is ESTABLISHED,RELATED, rule 2 is loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

# rules 3 and 4: accept NEW HTTP/HTTPS connections on eth0
iptables -A INPUT -p TCP -i eth0 --dport 80 \
    -m state --state NEW -j ACCEPT

iptables -A INPUT -p TCP -i eth0 --dport 443 \
    -m state --state NEW -j ACCEPT
then we'd need to tell the banned IPs script (which we are running separately) the location to do the insertion, in this case we could use row #3:
Code:
BANNED_IPS="/path/to/banned_ips.txt"

# insert each DROP at position 3, i.e. right after the loopback rule and
# before the rules that accept NEW connections
for i in $(cat "$BANNED_IPS"); do
    iptables -I INPUT 3 -s "$i" -j DROP
done
which would place all the DROPs right after the localhost rule... so this way the only packets that would need to go through the banned IP rules are those for NEW connections, and the packets for already established connections, or connections related to those which are established, will get accepted at the top of the chain without delay...

just my ...

Last edited by win32sux; 04-22-2006 at 01:11 PM.
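The load-at-startup script from the two posts above, written out as an added example (not code from the thread), extended so that it reads the list line by line, ignores blank lines and comments, validates every entry as an IPv4 address or CIDR block, and prints the rules for review before anything is applied. The file path, the insertion position 3 (after the ESTABLISHED,RELATED and lo rules) and the function names is_ipv4, ban_rules and apply_bans are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: load a ban list into INPUT at a
# fixed position (3 = right after the ESTABLISHED,RELATED and lo rules, as in
# the post above), skipping blank lines and comments and validating entries.
# BANNED_IPS and INSERT_AT are placeholders; override them in the environment.
BANNED_IPS="${BANNED_IPS:-/path/to/banned_ips.txt}"
INSERT_AT="${INSERT_AT:-3}"

# is_ipv4 ADDR: accept a.b.c.d or a.b.c.d/LEN with octets 0-255 and LEN 0-32.
is_ipv4() {
    addr="${1%%/*}"
    case "$1" in */*) len="${1#*/}" ;; *) len=32 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac           # empty octet ("10..1.1")
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ban_rules FILE POS: print one iptables command per valid entry (dry run);
# invalid lines are reported on stderr instead of being silently skipped.
ban_rules() {
    file=$1; pos=$2
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                         # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue                 # blank or comment-only
        if is_ipv4 "$entry"; then
            printf 'iptables -I INPUT %s -s %s -j DROP\n' "$pos" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$file"
}

# apply_bans FILE POS: execute the generated rules (needs root).
apply_bans() { ban_rules "$1" "$2" | sh -e; }

# Stand-alone: "sh ban.sh" prints the rules to review, "sh ban.sh apply" loads them.
if [ -r "$BANNED_IPS" ]; then
    if [ "${1:-}" = "apply" ]; then apply_bans "$BANNED_IPS" "$INSERT_AT"
    else ban_rules "$BANNED_IPS" "$INSERT_AT"; fi
fi
```

Because every entry is inserted at the same position, the list ends up in reverse file order in the chain; since all of them are DROP rules this does not change what gets blocked.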
 
  

