Re: [Sheflug] Dumb fire walling question
And Lo! The Great Prophet Sammy Redshaw uttered these words of wisdom:
> I have been given a list of IP addresses in a text file at
> http://methlab.tech.nu/ that I have been recommended to deny packets from.
> How do I get iptables to deny all these addresses in one go from a text file
> rather than manually typing in the addresses?
>
It's a bit more involved than Denis provided, as the list from that site
also includes ranges (e.g., 192.168.4.8-192.168.4.166), which can't be
passed directly to iptables, and aren't at subnet boundaries.
So the ranges need to be calculated. If you have Debian, you're in luck as
there's a program called "netmask" that will do the working out. If not,
you can download it from Debian's site at:
http://packages.debian.org/testing/net/netmask.html
unpack it, then do a "./configure; make; make install" - it should build
cleanly. You'll need to be root to do the final "make install". I'm not
going to waste time trying to come up with something to work out the
ranges when this is available :)
Back to the script, it's quite simple:
#!/bin/sh
# Each line of blacklist.txt is DESCRIPTION:lowip-highip; take the field
# after the colon and turn "low-high" into the "low:high" form netmask wants.
for range in $(cut -d: -f2 blacklist.txt | tr '-' ':')
do
    # netmask -c prints the CIDR blocks that exactly cover the range
    for mask in $(netmask -c "$range")
    do
        iptables -A INPUT -t filter -s "$mask" -j DROP
    done
done
## end of script
Replace "blacklist.txt" with whatever the name of the file is as you have
it. It expects to see a PLAIN TEXT list in the form:
DESCRIPTION:lowip-highip
which seems to be how it's structured for both "Guarding.p2p" and
"Plaintext" versions. Ironically, the plaintext link takes you to an HTML
version of the plain text. The Guarding.p2p link, though, does seem to be a
pure plain text file.
Change the iptables syntax to suit your needs. $mask is the source address
that you can pass to iptables.
Chris...
--
\ Chris Johnson \ NP: Pink Floyd - 08. Coming Back To Life
\ cej [at] nightwolf.org.uk ~-----,
\ http://cej.nightwolf.org.uk/ ~-----------------------------------,
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
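As an added example (not part of the original thread, and not the netmask program's code), here is the range-to-CIDR working-out that the post leaves to netmask, done with Python's standard ipaddress module, plus a parser for the DESCRIPTION:lowip-highip lines; the sample list is constructed, and it also covers the case the post's "cut -d: -f2" gets wrong, a description that itself contains a colon.

```python
import ipaddress

# Constructed sample in the DESCRIPTION:lowip-highip form the post describes
# (not the real list from the site). The last line has a colon inside the
# description, which the post's `cut -d: -f2` would split in the wrong place.
SAMPLE_BLACKLIST = """\
Example net A:192.168.4.8-192.168.4.166
Example host:10.0.0.7-10.0.0.7
Example: with colon:172.16.0.0-172.16.3.255
"""

def parse_line(line):
    """Return (description, low_ip, high_ip) as strings, or None if malformed.
    Splits on the LAST colon so a description containing ':' still parses."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    desc, sep, span = line.rpartition(":")
    low, dash, high = span.partition("-")
    if not sep or not dash:
        return None
    try:
        first = ipaddress.IPv4Address(low.strip())
        last = ipaddress.IPv4Address(high.strip())
    except ValueError:
        return None
    if first > last:  # reversed range: refuse rather than guess
        return None
    return desc, str(first), str(last)

def range_to_cidrs(low, high):
    """The job `netmask -c` does: minimal CIDR cover of an inclusive range."""
    first, last = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

def iptables_rules(text):
    """One DROP rule per CIDR block, as the post's loop would issue them."""
    rules = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:  # skip blank, comment, or malformed lines
            continue
        _desc, low, high = parsed
        for cidr in range_to_cidrs(low, high):
            rules.append(f"iptables -A INPUT -t filter -s {cidr} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules(SAMPLE_BLACKLIST)))
```

The script only prints the rules; pipe its output into sh as root once you have checked the blocks it produces match what you expect.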