Re: route add to block IP's

From: Steve Wampler (sbw@tapestry.tucson.az.us)
Date: 09/20/02


Date: Fri, 20 Sep 2002 10:17:04 -0700
From: Steve Wampler <sbw@tapestry.tucson.az.us>
To: focus-linux@securityfocus.com

On Tue, Sep 17, 2002 at 08:05:52PM -0400, Ryan Yagatich wrote:
...
>
> for iptables, you can do some logging and the such so you know when they
> are attempting to connect:
>
> iptables -N kiddies
> iptables -A kiddies -j LOG --log-prefix "Script Kiddie Log: " -m limit
> --limit 1/m
> iptables -A kiddies -j DROP
...

This is really nice. The only difficulty is that you lose the
iptables information whenever iptables drops its tables (such
as on a reboot). Here's a little script that lets you drop
IP addresses (and subnets) using the approach Ryan laid out
while also remembering the IP addresses so they can be
dropped whenever you restart the system. The comments in
the script show how this might be used if you (like me)
set up iptables using the script /etc/rc.d/rc.firewall.

--------------------------------------------------------
#!/bin/bash -f

#
# Drops one or more IP address ranges and remembers to drop them
# whenever rc.firewall is rerun...

IPTABLES=/sbin/iptables
DDIR=/var/lib/drop_ips
DFILE=${DDIR}/dropped_ip_addresses

# (1) /etc/rc.d/rc.firewall must have the following defined!
# (without being commented out, of course...)
#
########################################################
#iptables -N kiddies
#iptables -A kiddies -j LOG --log-prefix "Dropped IP Log: " -m limit \
# --limit 1/m
#iptables -A kiddies -j DROP
########################################################

# (2) Also, append the following (again, without being commented out)
# to /etc/rc.d/rc.firewall (note definition of DFILE must
# match definition given above!)
#
########################################################
#DFILE=/var/lib/drop_ips/dropped_ip_addresses
#if [ -f "${DFILE}" ]; then
# while read bad_ip; do
# echo "Dropping '${bad_ip}'"
# $IPTABLES -A INPUT -s ${bad_ip} -j kiddies
# $IPTABLES -A FORWARD -s ${bad_ip} -j kiddies
# done <${DFILE}
#fi
########################################################

### ####
### Real code begins here ####
### ####

# Make sure the 'persistence' file (and its directory) exists
checkFile() {
    if [ ! -d "${DDIR}" ]; then
        mkdir -p "${DDIR}"
    fi
    if [ ! -f "${DFILE}" ]; then
        touch "${DFILE}"
    fi
}

# Drop the IP immediately (unless it is already in the persistence file).
# grep -x -F matches the whole line as a fixed string, so "10.0.0.1" does
# not match "10.0.0.10" and the dots are not treated as regex wildcards.
doDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Dropping connections from '$ip'"
        "${IPTABLES}" -A INPUT -s "$ip" -j kiddies
        "${IPTABLES}" -A FORWARD -s "$ip" -j kiddies
    else
        echo "Already dropped '$ip'"
    fi
}

# Remember to drop it again on reboot
saveDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Remembering to drop '$ip' in the future"
        echo "$ip" >>"${DFILE}"
    fi
}

checkFile
for i in "$@"; do
    doDrop "$i"
    saveDrop "$i"
done
--------------------------------------------------

-Steve

--
Steve Wampler     {sbw@tapestry.tucson.az.us}
The gods that smiled upon your birth are laughing now. -- fortune cookie
