Easy add IP to be blocked by iptables
Written by @mikho, 12 Apr 2021
Article was migrated from WordPress to Vanilla in March 2022
Following up on the post on how to loop thru a file and perform an action per line, which you can find here
https://lowendspirit.com/how-to-loop-through-a-file-and-perform-an-action-per-line/
One case where this is useful is adding IPs from a text file into iptables to block their access to your VPS or dedicated server.
If you break down this command into its parameters (iptables being the command):
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
Parameter: Explanation
-A: Append the rule to the end of the chain (as opposed to -I, which inserts it at the top).
INPUT: The chain the rule is added to; INPUT sees packets addressed to the host itself.
-s XXX.XXX.XXX.XXX: Match on the packet's source address, here the single IP XXX.XXX.XXX.XXX (a CIDR such as XXX.XXX.XXX.0/24 is also accepted).
-p udp: Match on the IP protocol: tcp, udp, icmp, a protocol number, or all. If -p is omitted, all is the default.
-m udp: Load a match extension. Each protocol has its own matching options, and they are only available once the protocol is selected; -p udp already loads the udp match implicitly, so -m udp is redundant here but harmless. --dport below is one of the options it provides.
--dport 28960:28965: Match on the destination port of the UDP packet, given as a service name, a port number, or a range written first:last (inclusive), as in our example. --destination-port is the long form. To match every port except the ones given, put an exclamation mark before the option (! --dport 28960:28965); the older --dport ! form is deprecated.
-j DROP: Jump to a target when the packet matches. The built-in targets are ACCEPT, DROP, QUEUE and RETURN; extension targets such as LOG, MARK and REJECT come from loaded modules. If no target is given, the packet continues down the chain with no action taken, but the rule's packet and byte counters are still incremented. Our example uses DROP: the packet is discarded and the sender is not notified (REJECT would send an ICMP error or, with --reject-with tcp-reset, a TCP RST instead).
This rule DROPs UDP packets from XXX.XXX.XXX.XXX to ports 28960 through 28965.
If you want to block all traffic from a specific IP, no matter which port it tries to reach, omit the -p, -m and --dport parameters. That looks like this:
iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
One thing to check before relying on this: -A appends to the end of INPUT, so if an earlier rule already accepts the traffic (a broad ACCEPT for the service port, or a conntrack rule that accepts established flows), the DROP is never reached. List the chain with iptables -L INPUT -n --line-numbers to see the order, and use -I INPUT in place of -A INPUT if the block rule has to come first.
You might ask when are we going to loop thru the file?
#!/bin/sh
# This will loop through the file /ban/banip.txt and add every IP in that
# file with a DROP to the INPUT chain in iptables.
#
# change the path and file name if required
# you can re-run this file if you are not saving your iptables config
# between reboots.
while read -r blist || [ -n "$blist" ]   # -r keeps backslashes; the || still handles a last line with no newline
do
    [ -n "$blist" ] || continue           # skip blank lines, which would otherwise make iptables fail
    if /sbin/iptables -A INPUT -s "$blist" -j DROP
    then
        echo "$blist has been added to your iptables"
    else
        echo "failed to add $blist" >&2
    fi
done < /ban/banip.txt
To add a single IP to the block list in iptables and add the IP to your text file, you could use a simple shell script like this
#!/bin/sh
# Script to add a single IP to iptables and to the block list file
printf 'Enter the IP to BAN and press [ENTER]: '   # printf instead of echo -n, which not every /bin/sh supports
read -r ip
# keep a record of the banned IPs if you want, or comment the echo out.
# The record is only written if iptables accepted the address, so a typo
# does not end up in the file and break the loop script later.
# Make sure you use the same path and filename as in the loop script.
if /sbin/iptables -A INPUT -s "$ip" -j DROP
then
    echo "$ip" >> /ban/banip.txt
else
    echo "iptables rejected $ip, nothing recorded" >&2
    exit 1
fi
This is a quick and dirty way to keep a list of IPs you would like to block access from.
I'm sure that the readers have more sophisticated and innovative ways to add their own list of IPs to iptables.
Comment with how you do it and why you do it the way you do.
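Putting the pieces above together, here is an added example (my own code, not the post's scripts): a POSIX sh script that validates every entry before it reaches iptables, skips blank lines, comments and duplicates, and loads the list into a dedicated chain hooked at the top of INPUT, so re-running it reloads the list cleanly instead of appending duplicates, and an earlier ACCEPT rule cannot shadow the blocks. The chain name BLOCKLIST, the print/apply subcommands and the /ban/banip.txt default are my assumptions; the file format is the one the scripts above use (one IPv4 address per line), extended to allow CIDR ranges and # comments.

```sh
#!/bin/sh
# Added example, not code from the original post: load a blocklist file into
# its own iptables chain instead of appending one DROP per line to INPUT.
# Assumptions: one IPv4 address or CIDR per line, blank lines and '#' comments
# ignored; the chain name and file path below are placeholders you can
# override through the environment.
set -u   # unset variables are errors
set -f   # no globbing: file contents are word-split below

BLOCKLIST_FILE="${BLOCKLIST_FILE:-/ban/banip.txt}"
CHAIN="${CHAIN:-BLOCKLIST}"

# valid_ip4 ENTRY: succeed only for a dotted-quad IPv4 address with an
# optional /0-32 prefix, so nothing but an address ever reaches iptables.
valid_ip4() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || prefix=32          # no slash: plain host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # digits and dots only, no leading, trailing or doubled dot
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rules FILE: print the iptables commands that reload the chain from
# FILE, one per line. Bad entries are reported on stderr and skipped, so a
# typo cannot abort the load half-way through and leave a partial list.
build_rules() {
    file=$1
    lineno=0
    seen=""
    line=""
    printf 'iptables -F %s\n' "$CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- ${line%%#*}              # drop a trailing comment, split on whitespace
        [ $# -gt 0 ] || continue        # blank or comment-only line
        if [ $# -ne 1 ] || ! valid_ip4 "$1"; then
            printf '%s:%d: skipping invalid entry: %s\n' "$file" "$lineno" "$*" >&2
            continue
        fi
        case " $seen " in *" $1 "*) continue ;; esac   # duplicate within the file
        seen="$seen $1"
        printf 'iptables -A %s -s %s -j DROP\n' "$CHAIN" "$1"
    done < "$file"
}

# apply_rules FILE: create the chain once, hook it at the TOP of INPUT so an
# earlier ACCEPT cannot shadow the blocks, then flush and reload it from FILE.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT 1 -j "$CHAIN"
    build_rules "$1" | sh -e            # only validated addresses reach this shell
}

case "${1:-}" in
    print) build_rules "$BLOCKLIST_FILE" ;;
    apply) apply_rules "$BLOCKLIST_FILE" ;;
    *)     echo "usage: $0 print|apply  (BLOCKLIST_FILE=$BLOCKLIST_FILE CHAIN=$CHAIN)" >&2 ;;
esac
```

Run it as sh blocklist.sh print to see the rules it would execute, and sh blocklist.sh apply as root to load them; since the chain is flushed before every reload, removing a line from the file and re-running is how you unban an address. If you prefer ipset, as the comment below suggests, the same validated entries can go into a hash:net set that a single rule references (-m set --match-set NAME src -j DROP), and entries can then be added or deleted live without touching iptables.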
Comments
(comments from wordpress post prior to migration)
ehab
Apr 14, 2021 / 22:36
Nice breakdown, and I just wanted to add that you can use ipset to manage IP sets. It has the advantage of adding a live IP without reloading the whole file.
Maybe this can be a new upcoming article 🙂
Humble janitor of LES
Proud papa of YABS