[SOLVED] How to - List of IP/MAC addresses (etc) to block/allow in iptables

Basher52 · 04-02-2015, 06:44 PM

I've been google:ing like a mad man and the latest I found was ipset, but that was for IP addresses only it seems and if I was correct, TCP only too.

I need an application/addon to easily give a list of IP/MAC addresses or what ever to do
'whatever' in the iptables script. (whatever = what I tell the list to do or NOT to do, NOT the real commands but eg. allow/deny what's in this 'list')
Doing a loop seems old school so there gotta be a better way for it, although I can't find it.

I use iptables in the 'old' fashion way, as a script, adding/removing rules etc,
but I'm lately being 'forced' to use a GUI for it all, so it'll be good if it'll
work in that way too, but if it can't no worries, I'll take the heat

OK, I need to add more MAC addresses for SSH, static IP addresses for access to servers
and other stuff like this no matter if its TCP or UDP.

Instead of just repeat the same row again and again with the small change of IP or MAC,
there gotta be a better way, I mean it is the year 2k15!!
Point to a file that holds the list of 'items' doesn't matter, as long as it's in ONE place.

//TIA B52

PS: How do you spell googling? is it googling, or not to 'trash' the registered trademark
'google' as google:ing or google'ing?
Had to ask

*My native language ain't English so........*

T3RM1NVT0R · 04-02-2015, 07:31 PM

I think you have to go with old school stuff that is using loop. You might be interested in looking at this thread where we had similar discussion about pulling MAC and IP addresses. You can either have separate array for MAC and IP or have separate txt file and then run it using for loop.

For googling part have a look at this

Sefyir · 04-02-2015, 07:59 PM

Old school is still in use because it's so effective.

However if you do a script using iptables it'll have to reload the ruleset hundreds of times.
If you use iptables-restore it loads in one ruleset load, making it a lot faster.
Get the iptable ruleset as you want, then run this:

Code:

iptables-save > /etc/iptables_rules

Then run this at every boot:

Code:

iptables-restore < /etc/iptables_rules

Basher52 · 04-03-2015, 07:34 PM

OK @T3RM1NVT0R

@Sefyir, I don't really get that thing about ruleset. I'm running this iptables-script at startup which is just a normal executable file with all
iptables rules, eg. like this:

Quote:

...
#------------------------------------------------------------------------------------------------------
# Chain: SSH
iptables -N SSH_1
iptables -t filter -A INPUT -i $LAN -p tcp --dport ssh -j SSH_1 # XXXX
iptables -t filter -A INPUT -m mac --mac-source $LANMAC -i $WAN -p tcp --dport ssh -j SSH_1 # XXXX LAN-NIC
iptables -A SSH_1 -j ULOG --ulog-nlgroup 1 --ulog-prefix "1 SSH_1 - ACCEPT " --ulog-qthreshold 1
iptables -t filter -A SSH_1 -j ACCEPT
...

so how will a ruleset work on this?
etc etc