Thread: Iptables and blocking ips

  1. #1
    Join Date
    Apr 2010
    Beans
    39
    Distro
    Ubuntu 11.04 Natty Narwhal

    Iptables and blocking ips

    Hi,

    I'm okay with iptables but wondered if there was a way to dynamically add and remove IP addresses from a ban list. Ideally I would like to just be able to edit a DB of some description or a text file.

    Thanks,

    Tim

  2. #2
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Iptables and blocking ips

    The "recent" module info in 'man iptables' contains examples for addition and removal of IP addresses from /proc/net/ipt_recent/ lists. Doesn't get easier than that. The only caveat is that it supports only IP addresses, not ranges.

  3. #3
    Join Date
    May 2010
    Beans
    462
    Distro
    Ubuntu Development Release

    Re: Iptables and blocking ips

    Did you ever think of banning it through the hosts file? It makes things much easier for you.

    Check this out.

  4. #4
    Join Date
    May 2008
    Location
    Cluj, Romania
    Beans
    1,292

    Re: Iptables and blocking ips

    This is just the first Google hit if you search "iptables block ip":

    http://nixcraft.com/getting-started-...p-address.html

  5. #5
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,583
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Iptables and blocking ips

    I create my ruleset from a script where I can use for loops to iterate over a list of banned IPs like this:

    Code:
    # one IP address per line; word splitting turns the file into a list
    BANNED=$(cat /usr/local/etc/banned_ip_list)
    
    for addr in $BANNED
    do
         # -I puts each blocking rule at the top of INPUT, ahead of everything else
         /sbin/iptables -I INPUT -s "$addr" -j REJECT
    done
    The list is a plain text file with one IP address per line.

    If this were part of a longer script, I'd probably use -A instead of -I. However -I works either way since it puts the blocking rules above all the other rules in the set.

    Removing banned IPs is a bit trickier. Rather than attempt to delete the specific rule, I'd just remove the address from the list then rerun the script.
    Last edited by SeijiSensei; April 22nd, 2012 at 05:51 AM.
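
    An added example for the approach in this post (written for this page, not SeijiSensei's script): the ban list stays a plain text file, but the rules go into a dedicated chain that is flushed and refilled on every run, so removing an address is just editing the file and re-running. It also validates every line before it is handed to iptables, since an unvalidated entry in the file would otherwise be passed straight through as command arguments. The chain name, the IPTABLES=echo dry-run switch and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild a dedicated iptables chain
# from a plain-text ban list (one IPv4 address or CIDR per line, '#' comments
# allowed). Re-running it after editing the file adds and removes bans in one
# step, which is the "rerun the script" approach from the post above, made
# idempotent by flushing the chain first. The file path, chain name and
# IPTABLES=echo dry-run switch are assumptions for this example.

IPTABLES=${IPTABLES:-/sbin/iptables}                # set IPTABLES=echo to only print the commands
BAN_CHAIN=${BAN_CHAIN:-BANNED}                      # own chain, so flushing it never touches other rules
BAN_LIST=${BAN_LIST:-/usr/local/etc/banned_ip_list} # same list location as in the post

# Accept only a dotted-quad IPv4 address with an optional /0-/32 prefix,
# and check that every octet is 0-255.
valid_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    _rest="${1%%/*}."                 # "10.0.0.1." -> walk the octets without touching IFS
    while [ -n "$_rest" ]; do
        _octet=${_rest%%.*}
        _rest=${_rest#*.}
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the usable entries of the list, one per line. Anything that is not an
# address is reported and skipped, so a stray line such as "-j ACCEPT" can never
# reach iptables as an option. Returns 1 if any line was skipped.
read_ban_list() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=${_line%%#*}                              # strip trailing comment
        _entry=$(printf '%s' "$_entry" | tr -d ' \t')    # and surrounding whitespace
        [ -z "$_entry" ] && continue
        if valid_ipv4_cidr "$_entry"; then
            printf '%s\n' "$_entry"
        else
            printf 'skipping invalid ban list entry: %s\n' "$_line" >&2
            _bad=$((_bad + 1))
        fi
    done < "$1"
    [ "$_bad" -eq 0 ]
}

# Create the chain (or flush it if it already exists), refill it from the list,
# and make sure INPUT jumps to it exactly once, ahead of the other rules.
# Returns 1 if the list contained lines that had to be skipped.
apply_ban_list() {
    _status=0
    _entries=$(read_ban_list "$1") || _status=1
    $IPTABLES -N "$BAN_CHAIN" 2>/dev/null || $IPTABLES -F "$BAN_CHAIN"
    for _entry in $_entries; do
        $IPTABLES -A "$BAN_CHAIN" -s "$_entry" -j REJECT
    done
    $IPTABLES -C INPUT -j "$BAN_CHAIN" 2>/dev/null || $IPTABLES -I INPUT -j "$BAN_CHAIN"
    return $_status
}

# Usage: ban-list.sh /path/to/list   (with no argument nothing is applied, so the
# functions can be sourced or dry-run with IPTABLES=echo)
if [ "$#" -gt 0 ]; then
    apply_ban_list "$1"
fi
```

    Because the chain is rebuilt from scratch each time, the script is safe to run from cron or a file-change hook, and the non-zero exit status on a malformed line is the signal to look at the file rather than silently banning fewer addresses than intended.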

  6. #6
    Join Date
    May 2010
    Beans
    462
    Distro
    Ubuntu Development Release

    Re: Iptables and blocking ips

    Quote Originally Posted by SeijiSensei
    I create my ruleset from a script where I can use for loops to iterate over a list of banned IPs like this:

    Code:
    # one IP address per line; word splitting turns the file into a list
    BANNED=$(cat /usr/local/etc/banned_ip_list)
    
    for addr in $BANNED
    do
         # -I puts each blocking rule at the top of INPUT, ahead of everything else
         /sbin/iptables -I INPUT -s "$addr" -j REJECT
    done
    The list is a plain text file with one IP address per line.

    If this were part of a longer script, I'd probably use -A instead of -I. However -I works either way since it puts the blocking rules above all the other rules in the set.

    Removing banned IPs is a bit trickier. Rather than attempt to delete the specific rule, I'd just remove the address from the list then rerun the script.
    Do you have an auto-update script that uses the ban list from the blocklist link?
    I tried to use Moblock, but it doesn't seem to work anymore.

  7. #7
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Iptables and blocking ips

    Quote Originally Posted by wacky_sung
    Did you ever think of banning it through the hosts file? It makes things much easier for you.
    That IMHO depends on the reason for blocking. The "recent" module 0) makes removing IP addresses as easy as 'echo -1.2.3.4 > /proc/net/xt_recent/NAME', 1) it doesn't depend on an application having its own implementation of or having been compiled with libwrap support, 2) doesn't expose the application to packets and 3) its blacklist resides in memory only and does not require an application to read any FS file like /etc/hosts.{deny,allow}.
    Nothing easier, more efficient or more secure than that.


    Quote Originally Posted by SeijiSensei
    Code:
         /sbin/iptables -I INPUT -s $addr -j REJECT
    That'll work OK with a couple of addresses but rules are traversed linearly. If one loads a gazillion rules in the filter table INPUT chain it will be way slower compared to using the "recent" module or ipsets.
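
    An added example (not from either post) of the xt_recent interface that this post and post #2 describe: shell wrappers that add, remove and clear addresses through /proc/net/xt_recent/NAME, plus the iptables rule that makes the kernel consult the list. RECENT_DIR, RECENT_NAME, IPTABLES and the function names are assumptions of this example; RECENT_DIR can be pointed at an ordinary directory to try the wrappers without root.

```shell
#!/bin/sh
# Added example, not code from the thread: small wrappers around the xt_recent
# /proc interface described in the post above. Writing "+ADDR" to
# /proc/net/xt_recent/NAME adds ADDR to the list NAME, "-ADDR" removes it and
# "/" empties the list; older kernels expose the same files under
# /proc/net/ipt_recent. The list only exists while a rule referencing
# "-m recent --name NAME" is loaded (install_recent_rule below). RECENT_DIR,
# RECENT_NAME and the IPTABLES=echo dry-run switch are assumptions for this
# example so the functions can be exercised against an ordinary directory.

RECENT_DIR=${RECENT_DIR:-/proc/net/xt_recent}
RECENT_NAME=${RECENT_NAME:-banned}
IPTABLES=${IPTABLES:-/sbin/iptables}

# xt_recent holds single addresses only (no ranges), so a CIDR suffix is rejected
# here. The kernel also refuses malformed addresses; this check just gives a
# clear message and a meaningful exit status before anything is written.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Each write to the proc file is one command; the kernel does not append,
# so a plain ">" redirection is the right one.
recent_write() {
    printf '%s\n' "$1" > "$RECENT_DIR/$RECENT_NAME"
}

recent_ban() {
    valid_ipv4 "$1" || { printf 'not a single IPv4 address: %s\n' "$1" >&2; return 1; }
    recent_write "+$1"
}

recent_unban() {
    valid_ipv4 "$1" || { printf 'not a single IPv4 address: %s\n' "$1" >&2; return 1; }
    recent_write "-$1"
}

recent_clear() {
    recent_write "/"
}

# Current entries, as the kernel prints them (address, hit count, timestamps).
recent_show() {
    cat "$RECENT_DIR/$RECENT_NAME"
}

# Drop anything whose source is in the list. --rcheck only tests membership;
# with no --seconds the entries never expire, so recent_unban is the only way
# out. Caveat: a list holds at most ip_list_tot entries (module default 100) and
# the least recently seen entry is evicted when it is full; raise it with
# "modprobe xt_recent ip_list_tot=N", or use ipset for really large lists.
install_recent_rule() {
    $IPTABLES -C INPUT -m recent --name "$RECENT_NAME" --rcheck -j DROP 2>/dev/null ||
        $IPTABLES -I INPUT -m recent --name "$RECENT_NAME" --rcheck -j DROP
}
```

    Load the rule first: the /proc file for a list appears only once a rule naming it exists, and it disappears again (taking the bans with it) when the last such rule is deleted or the machine reboots, which is the "resides in memory only" property from the post. Anything that must survive a reboot still needs to be replayed from a file at boot.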

  8. #8
    Join Date
    May 2010
    Beans
    462
    Distro
    Ubuntu Development Release

    Re: Iptables and blocking ips

    Quote Originally Posted by unspawn
    That IMHO depends on the reason for blocking. The "recent" module 0) makes removing IP addresses as easy as 'echo -1.2.3.4 > /proc/net/xt_recent/NAME', 1) it doesn't depend on an application having its own implementation of or having been compiled with libwrap support, 2) doesn't expose the application to packets and 3) its blacklist resides in memory only and does not require an application to read any FS file like /etc/hosts.{deny,allow}.
    Nothing easier, more efficient or more secure than that.

    That'll work OK with a couple of addresses but rules are traversed linearly. If one loads a gazillion rules in the filter table INPUT chain it will be way slower compared to using the "recent" module or ipsets.
    Currently I have not tried out IPSet because it works on kernel 2.4.x and 2.6.x. I am using the latest Ubuntu 12.04 with kernel 3.2.x and I do not wish to test whether it is workable.

  9. #9
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Iptables and blocking ips


  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,583
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Iptables and blocking ips

    Quote Originally Posted by unspawn
    That'll work OK with a couple of addresses but rules are traversed linearly. If one loads a gazillion rules in the filter table INPUT chain it will be way slower compared to using the "recent" module or ipsets.
    Modern computers can traverse thousands of iptables rules in milliseconds. My block lists contain a couple hundred entries and, even on older hardware, I saw no performance degradation by doing so.

    How many addresses are we really talking about here? I don't block thousands upon thousands of addresses by default. Why would I? On my mail/web servers I block addresses from repeated annoying spammers and IPs that repeatedly attempt to identify local accounts via POP3 requests or to connect to SSH. I don't see much point in blocking thousands of addresses that will never attempt a connection.
    Last edited by SeijiSensei; April 22nd, 2012 at 03:13 PM.
