From: Chris Brenton <cbrenton@chrisbrenton.org>
To: "Masiero Giorgio, PD" <gmasiero@cerved.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Group on Iptables
Date: Thu, 28 Aug 2003 05:59:50 -0400
Message-ID: <3F4DD296.7040403@chrisbrenton.org>
In-Reply-To: E9C5F057A783F94E9868010ACFDB3AA454A2E6@srvpadovaad.cerved.com
Masiero Giorgio, PD wrote:
>
> Hi, my name is Giorgio,
Greetings Giorgio,
> Is it possible to use objects like Checkpoint Groups (that is, a set of hosts and/or networks) in an Iptables rule?
> It seems to me that iptables accepts a source/destination that is only one host/network.
First off, you really want to write your rules based on IP address
rather than host or domain names; it makes processing the rules go much
quicker and speeds up the firewall.
Second, try doing something like this in your initialization script:
# Known Spammers
while read SPAMMER ; do
  iptables -A FORWARD -i eth0 -p tcp -s $SPAMMER -d 0/0 --dport 25 -j LOG \
    --log-prefix " SPAMMER "
  iptables -A FORWARD -i eth0 -p tcp -s $SPAMMER -d 0/0 --dport 25 -j REJECT \
    --reject-with icmp-host-unreachable
done < /etc/spammers-list.txt

# Hostile addresses
while read BLACKHAT ; do
  iptables -A FORWARD -i eth0 -s $BLACKHAT -d 0/0 -j LOG --log-prefix " BLACKHAT "
  # No --dport here: it is only valid with -p tcp/-p udp, and this group
  # rejects all traffic from the address, matching the LOG rule above.
  iptables -A FORWARD -i eth0 -s $BLACKHAT -d 0/0 -j REJECT \
    --reject-with icmp-host-unreachable
done < /etc/blackhat-list.txt
The *.txt file indicated on the "done" line is simply a plain text file
that lists each IP address or subnet to process, one per line. Something
like this:
211.99.204.0/23
211.99.206.0/24
210.77.157.40/32
210.77.157.0/24
So now your "groups" are the lists of addresses in each file. If you
need to make a change just edit the group and reload your rules. Note
that doing a:
iptables -L -n
will allow you to verify that all the addresses were loaded.
HTH,
C
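An added example, not code from the original post, that keeps the same file-driven "group" idea but handles two things a reader will run into: re-running a script that uses -A appends the rules a second time, so each group gets its own chain that is flushed before it is reloaded, and every entry is checked before it reaches iptables, so comments, blank lines and typos in the group file are skipped instead of aborting the load. The chain names, the LOAD variable and the /etc file names are assumptions; set IPTABLES=echo to see the rules without applying them.

```shell
#!/bin/sh
# Added example: one iptables chain per address group, rebuilt from the
# group file on every run. Group files hold one IPv4 address or CIDR per
# line; blank lines and '#' comments are ignored. Chain and file names
# are assumptions; IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"

# valid_cidr ENTRY: succeed only for a dotted quad with an optional /0-32.
valid_cidr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    addr="${1%%/*}"
    case "$1" in */*) pfx="${1#*/}" ;; *) pfx=32 ;; esac
    { [ "$pfx" -ge 0 ] && [ "$pfx" -le 32 ]; } 2>/dev/null || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# load_group CHAIN FILE PREFIX: flush CHAIN, then add a LOG + REJECT pair
# for every valid entry in FILE. Attach CHAIN to FORWARD with whatever
# traffic match you want (e.g. "-p tcp --dport 25 -j SPAMMERS").
load_group() {
    chain=$1; file=$2; prefix=$3
    $IPTABLES -N "$chain" 2>/dev/null   # no-op if the chain already exists
    $IPTABLES -F "$chain"               # drop the previous contents
    while read -r entry rest || [ -n "$entry" ]; do
        entry="${entry%%#*}"             # strip comments
        [ -z "$entry" ] && continue      # blank or comment-only line
        if ! valid_cidr "$entry"; then
            printf '%s: skipping bad entry: %s\n' "$file" "$entry" >&2
            continue
        fi
        $IPTABLES -A "$chain" -s "$entry" -j LOG --log-prefix "$prefix"
        $IPTABLES -A "$chain" -s "$entry" -j REJECT \
            --reject-with icmp-host-unreachable
    done < "$file"
}

# Run as root with LOAD=1 to (re)load the two groups from the post above;
# the -D before -I keeps the FORWARD jump from being inserted twice.
if [ "${LOAD:-0}" = 1 ]; then
    load_group SPAMMERS /etc/spammers-list.txt " SPAMMER "
    load_group BLACKHAT /etc/blackhat-list.txt " BLACKHAT "
    $IPTABLES -D FORWARD -i eth0 -p tcp --dport 25 -j SPAMMERS 2>/dev/null
    $IPTABLES -I FORWARD -i eth0 -p tcp --dport 25 -j SPAMMERS
    $IPTABLES -D FORWARD -i eth0 -j BLACKHAT 2>/dev/null
    $IPTABLES -I FORWARD -i eth0 -j BLACKHAT
fi
```

After a reload, `iptables -L SPAMMERS -n` lists exactly the entries currently in the file, which is the check the post suggests with `iptables -L -n`.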
Thread overview:
2003-08-27 14:44 Group on Iptables Masiero Giorgio, PD
2003-08-28 8:37 ` Gavin Hamill
2003-08-28 9:59 ` Chris Brenton [this message]
2003-08-28 17:22 ` Jim Carter
2003-08-31 10:50 ` Ralf Spenneberg