From: Rob Sterenborg <rsterenborg@xs4all.nl>
To: netfilter@lists.netfilter.org
Subject: Re: Dynamic Deny rule
Date: Sun, 05 Jan 2003 00:10:20 +0100 [thread overview]
Message-ID: <3E1769DC.2060008@xs4all.nl> (raw)
In-Reply-To: 20030104214607.GD16581@miggy.org
Athan wrote:
> On Sat, Jan 04, 2003 at 10:53:16AM -0800, Bob Sully wrote:
>
>>Here's the excerpt from my script:
>>
>> # Refuse any connections to/from problem sites.
>
> [snip]
>
>> if [ -f /etc/firewall/firewall.banned ]; then
>> while read BANNED; do
>> iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BANNED -j DROP
>> iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BANNED -j DROP
>> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BANNED -j DROP
>> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BANNED -j DROP
>> done < /etc/firewall/firewall.banned
>> fi
This way you'd have to reload the complete INPUT and OUTPUT rules over
and over which is something I wouldn't do.
If you *are* going to use iptables for this, how about creating user
BAN_IN and BAN_OUT chains.
Then let cron start a script every 5 minutes that clears the BAN chains
and refills them with the values from the /etc/firewall/firewall.banned
file.
Something like this (I didn't test this..) :
-----------
#!/bin/bash
EXT_IF="eth0"
# If a chain doesn't exist, "iptables -L" will output an error.
# Let's not display these errors..
IN=`iptables -L BAN_IN 2>&1|grep Chain|awk '{print $2}'`
OUT=`iptables -L BAN_OUT 2>&1|grep Chain|awk '{print $2}'`
if [ -f /etc/firewall/firewall.banned ]; then
# Check to see if user chains exist ;
# If they do : clear them.
# If they don't : create and redirect the packets from the
# INPUT and OUTPUT chains to the BAN chains first.
if [ -n "$IN" ] ; then
iptables -F BAN_IN
else
iptables -N BAN_IN
iptables -I INPUT 1 -j BAN_IN
fi
if [ -n "$OUT" ] ; then
iptables -F BAN_OUT
else
iptables -N BAN_OUT
iptables -I OUTPUT 1 -j BAN_OUT
fi
# Fill BAN chains.
# Slightly modified from above...
while read BAN_IP; do
iptables -A BAN_IN -i $EXT_IF -s $BAN_IP -j DROP
iptables -A BAN_OUT -o $EXT_IF -d $BAN_IP -j DROP
done < /etc/firewall/firewall.banned
else
# The ban file doesn't exist ; we don't need the chains.
# Get rid of the BAN redirects in the INPUT and OUTPUT chains
# if we have them.
L_IN=`iptables -L INPUT --line-numbers|grep BAN_IN|awk '{print $1}'`
L_OUT=`iptables -L OUTPUT --line-numbers|grep BAN_OUT| \
awk '{print $1}'`
[ -n "$IN" ] && iptables -D INPUT $L_IN
[ -n "$OUT" ] && iptables -D OUTPUT $L_OUT
# Clear and get rid of the BAN chains if we have them.
if [ -n "$IN" ] ; then
iptables -F BAN_IN
iptables -X BAN_IN
fi
if [ -n "$OUT" ] ; then
iptables -F BAN_OUT
iptables -X BAN_OUT
fi
fi
prev parent reply other threads:[~2003-01-04 23:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-01-04 15:26 Dynamic Deny rule Mark Ryan
2003-01-04 18:29 ` Michael J. Tubby B.Sc. (Hons) G8TIC
2003-01-04 18:53 ` Bob Sully
2003-01-04 21:46 ` Athan
2003-01-04 22:15 ` Bob Sully
2003-01-04 23:10 ` Rob Sterenborg [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E1769DC.2060008@xs4all.nl \
--to=rsterenborg@xs4all.nl \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox