Hi there all,
I have just setup a simple iptables firewall on one of my linux boxes. I have written a script that (hopefully does the following)
(I am quite new to bash scripting so please excue my attempt at this script)
Spec
1: Scan through my /etc/httpd/logs/access_log (apache log)
2: Filter out a particular pattern
3: output the filtered ip addresses to a text file
4: sort the text file removing duplicate entries
5: Flush iptables
6: Add the sorted / filtered ip addresses to ip tables
7: Timestamp the last time this script was run
As I rotate my access_log every 24 hours offending IP's can probably get in after 24 hours which is fine.
I have written the following script however it does not seem to be working properly (I got some of the code after doing some google searches) is there anyone here who could perhaps guide me in the right direction
Code:
#!/bin/bash
#Setup some vars
MAILTO=myemail@address.com
BLOCK_LIST=`cat /etc/ipblock-uniq`
CURRENT_RULES=`iptables -L`
IPTABLES=`whereis iptables | awk '{print $2}'`
# 1st Flush Iptables
$IPTABLES --flush
# Search for the offending ip's in Access_log
cat /etc/httpd/logs/access_log | grep '"-" "-"' | awk '{print $1}' > /etc/ipblock
# Remove duplicates
sort /etc/ipblock | uniq > /etc/ipblock-uniq
# This code is not working too well at the moment
for ENTRIES in $BLOCK_LIST; do
SUCCESS=0
grep "$ENTRIES" "$CURRENT_RULES"
if [ ! "$?" = "$SUCCESS" ]; then # if the rule is not found, add it
$IPTABLES -I INPUT -i eth0 -s $ENTRIES -j DROP
$IPTABLES -I OUTPUT -o eth0 -d $ENTRIES -j DROP
fi
done
# Remove certain IP's from accidental lockout
$IPTABLES -D OUTPUT -i eth0 -s 11.111.111.111 -j DROP
$IPTABLES -D OUTPUT -o eth0 -d 11.111.111.111 -j DROP
# View iptables
$IPTABLES -L -n -v
#Timestamp last action
date >/etc/potential-lastrun.log