A question was asked over at www.lowendtalk.com on how to add IP addresses to iptables from a text file.
AnthonySmith found a simple but still effective way to solve this.
The entry that was discussed was:
```sh
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
```
Let's break it all down in parts:

Parameter | Explanation |
---|---|
-A | Append this rule to the end of the existing rules in the chain (here INPUT) |
-s XXX.XXX.XXX.XXX | Sets the source address the rule matches, in this case the IP XXX.XXX.XXX.XXX |
-p udp | Sets the IP protocol for the rule, which can be icmp, tcp, udp, or all (to match every possible protocol). If this option is omitted when creating a rule, all is the default. |
-m udp | Match option. Different network protocols provide specialised matching options which may be set in specific ways to match a particular packet using that protocol. The protocol must first be specified in the iptables command, such as with -p tcp, to make the options for that protocol available. |
--dport 28960:28965 | Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The --destination-port match option may be used instead of --dport. To specify a range of port numbers, separate the two numbers with a colon (:), as in our example. You may also use an exclamation point (!) as a flag with the --dport option to tell iptables to match all packets which do not use that service, port or range. |
-j DROP | Tells iptables to jump to a particular target when a packet matches the rule. Valid targets include the standard options ACCEPT, DROP, QUEUE, and RETURN, as well as extended targets available through loaded modules, such as LOG, MARK, and REJECT, among others. If no target is specified, the packet moves past the rule with no action taken; however, the counter for this rule is still increased by 1, as the packet matched the rule. |
So, first of all, create a script that will be run by a cron job to add the rules from a text file:

```sh
#!/bin/sh
# build list from user input; /var/www/ban/ban-list.txt should be the one your game admins update
# change the path and file name if required
# nothing to do if the admins have not added anything since the last run
[ -s /var/www/ban/ban-list.txt ] || exit 0
mv /var/www/ban/ban-list.txt /ban/banip.txt
# loop through list and add to iptables
# this will also add each ip you block to /ban/perm-ban.txt
# you can run 'cp /ban/perm-ban.txt /ban/banip.txt' after a reboot and run this script
# this will re-ban any previously banned ip's if you are not saving your iptables config
while read -r blist
do
    # quoting keeps a malformed line from being split into several iptables arguments;
    # the ip is only recorded in perm-ban.txt if iptables actually accepted the rule
    if /sbin/iptables -A INPUT -s "$blist" -p udp -m udp --dport 28960:28965 -j DROP
    then
        echo "$blist has been added to your iptables"
        echo "$blist" >> /ban/perm-ban.txt
    fi
    sleep 2
done < /ban/banip.txt
# tidy up files
# on the next few lines update the path after touch to be the same as the first line
# example /var/www/ban/ban-list.txt
rm /ban/banip.txt
touch /var/www/ban/ban-list.txt
```
To add an IP to the text file read by the cron job you could use a simple shell script like this:

```sh
#!/bin/sh
# Script to add ip
# printf is used instead of 'echo -n' because not every /bin/sh understands -n
printf 'Enter the IP to BAN and press [ENTER]: '
read -r ip
iptables -A INPUT -s "$ip" -p udp -m udp --dport 28960:28965 -j DROP
# keep a record of the banned IP's if you want or comment out
echo "$ip" >> /path/to/your/file.txt
```