kapot
asked on
IPTables, blocking multiple ip addresses
I am new to iptables.
What I need to do is to block any access from some IP addresses.
I know that I can use: iptables -A INPUT -s <ip> -j DROP
But then I must write one rule at a time for all the IP addresses.
Is it possible to use something like a script, so I just put all the IP addresses that I want to block into a file, for example blocked.txt?
But I don't know how to start with iptables scripting.
Thanks for any help.
Sorry, I copy-pasted too much. Remove 3 lines:
iptables -A INPUT -i eth1 -p udp --dport bootps --sport bootpc -j DROP
iptables -A INPUT -i eth0 -p udp --dport bootps --sport bootpc -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport bootps --sport bootpc -j ACCEPT
Any more information is welcome.
ahoffmann and Klintan are right. However, if you have a lot of different addresses, you will have as many rules as addresses in your table. Thus your firewall will slow down, since every packet will be tested against all the rules.
The best option would be a range as specified by ahoffmann, but this depends on your network design and what you want to block.
So give us more information please.
Regards
> .. and then only accept the god ones.
how many millions are good ones? and which are the good ones?
or did you really mean "god ones"? Then there is only one, probably ...
Can you please be more specific :-]]
ASKER
Yes, it's quite difficult if we drop everything and only accept the good one(s).
Because there are a lot of good ones.
The main reason I am asking this is that I found a lot of strange IPs scanning my web server. They tried to access nonexistent CGI scripts.
It's like a bot/scanner. I want to block this kind of access.
I like Klintan's solution:
#!/bin/bash
# Append one DROP rule per address listed in badips.txt (one address per line)
if [ -f badips.txt ]
then
    for BAD_IP in $(cat badips.txt)
    do
        iptables -A INPUT -s "$BAD_IP" -j DROP
    done
else
    echo "Can't read badips.txt"
fi
Because I can put all those scanners'/bots' IPs in that file and RERUN the script.
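A re-runnable version of that idea, added here as an example and not code from the thread: it validates each line of the file, skips comments and blanks, and keeps the rules in a dedicated chain that is flushed before reload, so re-running replaces the list instead of appending a second DROP rule per address to INPUT. The chain name BLOCKLIST, the IPTABLES override for a dry run and the sample addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): load a blocklist file into a dedicated
# chain so the script can be re-run safely; flushing our own chain makes each
# run replace the previous list instead of appending duplicates to INPUT.
# Assumptions: chain name BLOCKLIST is mine; IPTABLES=echo previews commands.
CHAIN=${CHAIN:-BLOCKLIST}
IPTABLES=${IPTABLES:-iptables}

# valid_ip ADDR: true only for a dotted-quad IPv4 address, optionally /0-32.
valid_ip() {
    case "$1" in */*) ip=${1%%/*}; prefix=${1#*/};; *) ip=$1; prefix=32;; esac
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# read_blocklist FILE: print usable entries; blanks, '#' comments and malformed
# lines are skipped (reported on stderr) so one typo cannot abort the whole run.
read_blocklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_ip "$entry"; then printf '%s\n' "$entry"
        else printf 'skipping bad entry: %s\n' "$entry" >&2; fi
    done < "$1"
}

# apply_blocklist FILE: rebuild the chain from FILE and hook it into INPUT once
# (needs an iptables with -C, i.e. 1.4.11 or newer).
apply_blocklist() {
    [ -f "$1" ] || { echo "Can't read $1" >&2; return 1; }
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true          # create if missing
    "$IPTABLES" -F "$CHAIN"                              # flush: replace, not append
    "$IPTABLES" -C INPUT -j "$CHAIN" 2>/dev/null \
        || "$IPTABLES" -I INPUT -j "$CHAIN"              # jump rule only once
    read_blocklist "$1" | while read -r entry; do
        "$IPTABLES" -A "$CHAIN" -s "$entry" -j DROP
    done
}

# Constructed sample list (documentation addresses, not real scanners).
SAMPLE=${TMPDIR:-/tmp}/badips.sample.$$
printf '%s\n' '# scanners seen in access.log' '192.0.2.10' \
    '198.51.100.0/24   # whole net' '999.1.1.1' '' '203.0.113.7/33' > "$SAMPLE"
( IPTABLES=echo; apply_blocklist "$SAMPLE" )             # dry run: print the rules
```

Run it as root against the real file once the dry run looks right; vbadier's point about one rule per address still applies, so for very long lists an ipset matched by a single rule scales better.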
But what I don't understand is why you want to block IPs, instead of denying everything except the services you're running.
Then, if you're worried about some scanning, you can use an IDS that can detect many scan types and block such IPs.
This will be done automatically, and all you will have to do is check that those entries are correct.
Regards
ASKER
vbadier,
I want to prevent SOME IPs accessing a SPECIFIC service :)
If I deny all, then how can I allow the rest?
It's like a ban list, I think.
Anyway, thanks for the help and discussion, it really helps!
Take my fw example, then add as you need.
To accept incoming traffic to the web server (HTTP, HTTPS):
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
To accept incoming FTP:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
and so on...
Read this file if you need info on services
/etc/services
This link will help getting started with iptables
http://iptables-tutorial.frozentux.net/
iptables -A INPUT -s x.y.z.0/24 -j DROP
# using bash:
for i in `seq 5 1 8`; do iptables -A INPUT -s x.y.z.$i -j DROP; done