Old 04-02-2015, 06:44 PM   #1
How to - List of IP/MAC addresses (etc) to block/allow in iptables

I've been google:ing like a madman and the latest thing I found was ipset, but that seems to be for IP addresses only and, if I'm correct, TCP only too.

I need an application/addon to easily give a list of IP/MAC addresses or whatever to do
'whatever' in the iptables script. (whatever = what I tell the list to do or NOT to do, NOT the real commands, but e.g. allow/deny what's in this 'list')
Doing a loop seems old school, so there's gotta be a better way for it, although I can't find it.

I use iptables in the 'old-fashioned' way, as a script, adding/removing rules etc.,
but lately I'm being 'forced' to use a GUI for it all, so it'd be good if it'll
work that way too, but if it can't, no worries, I'll take the heat.

OK, I need to add more MAC addresses for SSH, static IP addresses for access to servers
and other stuff like this, no matter if it's TCP or UDP.

Instead of just repeating the same row again and again with only a small change of IP or MAC,
there's gotta be a better way, I mean it is the year 2k15!!
Pointing to a file that holds the list of 'items' doesn't matter, as long as it's in ONE place.

//TIA B52

PS: How do you spell googling? Is it googling, or, so as not to 'trash' the registered trademark
'google', google:ing or google'ing?
Had to ask.
*My native language ain't English so........*
Old 04-02-2015, 07:31 PM   #2
I think you have to go with the old-school stuff, that is, using a loop. You might be interested in looking at this thread where we had a similar discussion about pulling MAC and IP addresses. You can either have separate arrays for MAC and IP, or have a separate txt file and then run it using a for loop.

For the googling part, have a look at this.
Old 04-02-2015, 07:59 PM   #3
Old school is still in use because it's so effective.

However, if you do a script using iptables, it'll have to reload the ruleset hundreds of times.
If you use iptables-restore, it loads everything in one ruleset load, making it a lot faster.
Get the iptables ruleset the way you want it, then run this:

iptables-save > /etc/iptables_rules
Then run this at every boot:

iptables-restore < /etc/iptables_rules

Last edited by Sefyir; 04-02-2015 at 08:02 PM.
Old 04-03-2015, 07:34 PM   #4
Original Poster

@Sefyir, I don't really get that thing about the ruleset. I'm running this iptables script at startup, which is just a normal executable file with all the
iptables rules, e.g. like this:

# Chain: SSH
iptables -N SSH_1
iptables -t filter -A INPUT -i $LAN -p tcp --dport ssh -j SSH_1 # XXXX
iptables -t filter -A INPUT -m mac --mac-source $LANMAC -i $WAN -p tcp --dport ssh -j SSH_1 # XXXX LAN-NIC
iptables -A SSH_1 -j ULOG --ulog-nlgroup 1 --ulog-prefix "1 SSH_1 - ACCEPT " --ulog-qthreshold 1
iptables -t filter -A SSH_1 -j ACCEPT

So how will a ruleset work with this?
etc etc

Last edited by Basher52; 04-04-2015 at 12:12 PM.
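Putting the two replies together (the "one list file plus a loop" idea from post #2 and the single iptables-restore load from post #3), here is an added example that is not from the thread or from anyone in it: a POSIX shell script that reads one host list and emits the SSH_1 chain from the script above in iptables-restore syntax, so every address lives in one place and the whole set loads in one pass. The list format, the file path /etc/iptables/hosts.list, the interface name eth0 and the sample addresses are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: keep every allowed host in ONE list file
# and turn it into an iptables-restore ruleset, so addresses are never repeated
# in the firewall script and the whole set loads in a single pass.
# List format (assumed, our own): "<mac|ip> <address> <tcp|udp> <port>".
set -eu

# gen_rules LISTFILE LAN_IF -> prints the SSH_1 section in iptables-restore syntax
gen_rules() {
    list=$1 lan=$2
    printf '*filter\n:SSH_1 - [0:0]\n'
    while read -r kind addr proto port; do
        case "$kind" in
            ''|'#'*) continue ;;   # skip blank lines and comments
            mac|ip)
                if [ -z "$port" ]; then
                    printf 'gen_rules: incomplete entry: %s %s %s\n' "$kind" "$addr" "$proto" >&2
                    return 1
                fi ;;
            *) printf 'gen_rules: unknown entry type: %s\n' "$kind" >&2; return 1 ;;
        esac
        if [ "$kind" = mac ]; then
            # A source MAC is the last hop's, so matching on it only means
            # something on the directly attached LAN interface, never via WAN.
            printf -- '-A INPUT -i %s -m mac --mac-source %s -p %s --dport %s -j SSH_1\n' \
                "$lan" "$addr" "$proto" "$port"
        else
            printf -- '-A INPUT -s %s -p %s --dport %s -j SSH_1\n' "$addr" "$proto" "$port"
        fi
    done < "$list"
    printf -- '-A SSH_1 -j ACCEPT\nCOMMIT\n'
}

# Constructed sample list; in practice e.g. /etc/iptables/hosts.list (assumed path)
LIST=$(mktemp); trap 'rm -f "$LIST"' EXIT
cat > "$LIST" <<'EOF'
# <mac|ip> <address> <tcp|udp> <port>
mac 00:11:22:33:44:55 tcp 22
ip  192.0.2.10        tcp 22
ip  192.0.2.20        udp 514
EOF

# Print the ruleset to check it; to load it, run as root e.g.
#   gen_rules /etc/iptables/hosts.list eth0 | iptables-restore -n
# (-n appends to the running filter table instead of flushing it first).
gen_rules "$LIST" eth0
```

Because the output is plain iptables-restore text, it can also be pasted into the file that `iptables-save` produced, so the GUI-managed ruleset and the host list stay in step.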