[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sheflug] Dumb fire walling question

To: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Subject: Re: [Sheflug] Dumb fire walling question
From: "Chris J" <cej [at] xxxxxxxxxxxxxxxx>
Date: Thu, 02 Oct 2003 18:24:50 +0100
Delivered-to: shef-lug [at] list.sheflug.org.uk
List-help: <mailto:shef-lug-request [at] list.sheflug.org.uk?subject=help>
List-id: Sheflug <shef-lug.list.sheflug.org.uk>
List-post: <mailto:shef-lug [at] list.sheflug.org.uk>
List-subscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=subscribe>
List-unsubscribe: <http://community.uklinux.net/mailman/listinfo/shef-lug>,<mailto:shef-lug-request [at] list.sheflug.org.uk?subject=unsubscribe>
Reply-to: shef-lug [at] xxxxxxxxxxxxxxxxxxx
Sender: shef-lug-admin [at] xxxxxxxxxxxxxxxxxxx

And Lo! The Great Prophet Sammy Redshaw uttered these words of wisdom:
> I have being given a list of ip addresses in a text file at 
> http://methlab.tech.nu/  that i have been recomended to deny packets from.  
> How do I  get  ip table to deny all these adrress  in one go  from text file 
> rather than manually typing in the addresses.
> 

It's a bit more involved than Denis provided, as the list from that site 
also includes ranges (e.g., 192.168.4.8-192.168.4.166), which can't be 
passed directly to iptables, and aren't at subnet boundries.

So the ranges need to be calculated. If you have Debian, you're in luck as 
there's a program called "netmask" that will do the working out. If not, 
you can download it from Debian's site at:
	http://packages.debian.org/testing/net/netmask.html

unpack it, then do a "./configure; make; make install" - it should build 
cleanly. You'll need to be root to do the final "make install". I'm not 
going to waste time trying to come up with something to do the work out the 
ranges when this is available :)

Back to the script, it's quite simple:

#!/bin/sh

for range in `cut -d: -f2 blacklist.txt | tr '-' ':'`
do
	for mask in `netmask -c $range`
	do
		iptables -A INPUT -t filter -s $mask -j DROP
	done
done
## end of script

Replace "blacklist.txt" with whatever the name of the file is as you have 
it. It expects to see a PLAIN TEXT list in the form:

	DESCRIPTION:lowip-highip

which seems to be how it's structured for both "Guarding.p2p" and 
"Plaintext" versions. Ironically, the plaintext link takes you to a HTML 
version of the plain text. The Guarding.p2p link though does seem to be a 
pure plain text file though.

Change the iptables syntax to suit your needs. $mask is the source address 
that you can pass to iptables.

Chris...

-- 
\ Chris Johnson           \ NP: Pink Floyd - 08. Coming Back To Life
 \ cej [at] nightwolf.org.uk    ~-----,   
  \ http://cej.nightwolf.org.uk/  ~-----------------------------------, 
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____



___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.

References:
- [Sheflug] Dumb fire walling question
  - From: Sammy Redshaw

Prev by Date: Re: [Sheflug] Dumb fire walling question
Next by Date: [Sheflug] Windows NT and Windows 2000 Domains and Samba
Previous by thread: Re: [Sheflug] Dumb fire walling question
Next by thread: [Sheflug] SuSE 9.0
Index(es):
- Date
- Thread