[SOLVED] Can the ip address written into a file called by iptable?

luofeiyu · 10-30-2017, 11:39 PM

It is smiple to block several ip with iptables.

To block 191.96.249.63 191.96.249.70 41.191.224.5 .

iptables -A INPUT -s 191.96.249.63 -j DROP
iptables -A INPUT -s 191.96.249.70 -j DROP
iptables -A INPUT -s 41.191.224.5 -j DROP
service iptables save

If there are 100 ip to be blocked, Which the simplest way to do that with iptables?

Can i write all the ip into a file ,one ip per line, called by iptables?

astrogeek · 10-31-2017, 12:27 AM

The easiest and most efficient way I know is to use ipset (see man ipset).

Create a set for the type and options you want (default mask, counters, timeout, etc.), for example..

Code:

ipset create banned hash:ip netmask 24 counters timeout 3600

Then add the IP addresses (you can add more at any time)...

Code:

ipset add banned 41.191.224.5
...

Then in your iptables rules, add the rule to DROP all IPs found in the set...

Code:

iptables -A INPUT -m set --match-set banned src -j DROP

The size in memory for most set types is very efficient, as little as one bit per IP in a range, hashed lookup is fast.

You can easily save the list to a file and initialize the set at boot.