Banning IP

Okay, if I want to block an IP or a range of IPs from my site, I should add a rule to the firewall, right?

So what on earth should I add in this screen? :smiley:
http://img13.imageshack.us/img13/167/firewally.png

There are different ways to block a user; you could use the firewall, you can use "route" to reject IPs, and you can add rules to the .htaccess file to block IPs as well.

To use the screen you have above, you'd just select "Drop" next to "Action to take", and then add the IP address to drop next to "Source Address or Network".

Personally, I'm a fan of typing it out on the command line:

iptables -I INPUT -s IP_address_to_drop -j DROP

But, the above screen does the same thing :slight_smile:

-Eric

I add single addresses almost daily and entire /16s on some occasions.
To block a range, where you enter the IP you enter xxx.xxx.xxx.0/16 or /whatever.
Unfortunately it will add the rule at either the top or the bottom of your rules, so if you are picky like me you need to either go into /etc/sysconfig/iptables and manually move it to where you like, or you can move it one line at a time using the up and down single arrows next to the rule.
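The two replies above raise the same two practical problems: ranges have to be entered in CIDR form, and a rule added with -I or -A lands at the top or bottom of INPUT and then has to be moved by hand. The script below is an added example, not code from this thread or from the firewall tool in the screenshot. It keeps all blocks in a dedicated chain (the chain name BLOCKLIST is my choice) that is jumped to from the first position of INPUT, so individual entries never need reordering; it validates each entry as an IPv4 address or CIDR before it reaches the command line; and it prints the iptables commands rather than running them, so they can be reviewed and then piped to sh as root. It assumes IPv4 only and an iptables new enough to support -C (1.4.11 or later).

```bash
#!/bin/bash
# Added example: load a list of bad IPs/networks into a dedicated iptables chain.
# Assumptions: IPv4 addresses only, iptables >= 1.4.11 (for -C), chain name BLOCKLIST.
set -u

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
# Anything else (hostnames, shell metacharacters, IPv6) is rejected.
is_ipv4_or_cidr() {
    local entry="$1" ip mask octet
    case "$entry" in
        */*) ip="${entry%/*}"; mask="${entry#*/}" ;;
        *)   ip="$entry"; mask=32 ;;
    esac
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    local IFS=.
    set -- $ip                      # split on dots into the four octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands that (re)build chain $2 from the entries in file $1.
# Blank lines and '#' comments are ignored; invalid entries are reported on
# stderr and skipped, so a typo in the list cannot become a broken or wrong rule.
blocklist_commands() {
    local file="$1" chain="${2:-BLOCKLIST}" line entry
    printf 'iptables -N %s 2>/dev/null\n' "$chain"   # create the chain if missing
    printf 'iptables -F %s\n' "$chain"               # and start it empty
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                          # strip trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -n "$entry" ] || continue
        if is_ipv4_or_cidr "$entry"; then
            printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$file"
    # Jump to the chain from the top of INPUT, but only add the jump once:
    # -C checks whether an identical rule already exists.
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT 1 -j %s\n' "$chain" "$chain"
}

# Usage: ./blocklist.sh badips.txt            (review the commands)
#        ./blocklist.sh badips.txt | sudo sh  (apply them)
if [ -n "${1:-}" ]; then
    blocklist_commands "$1"
fi
```

Because the chain is flushed and rebuilt from the file each run, badips.txt is the single source of truth: remove a line and rerun, and the corresponding rule is gone. Persisting the result still needs the distribution's save mechanism (for example /etc/sysconfig/iptables on the system mentioned above).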

This is what I am using while searching for this solution.

http://www.experts-exchange.com/Security/Linux_Security/Q_20683396.html

Thanks to Klintan:

#!/bin/bash
# Append a DROP rule to INPUT for every address or network listed in badips.txt
# (one entry per line; CIDR notation such as 10.0.0.0/8 blocks a whole range).

if [ -f badips.txt ]
then
    for BAD_IP in $(cat badips.txt)
    do
        iptables -A INPUT -s "$BAD_IP" -j DROP
    done
else
    echo "Can't read badips.txt"
fi

However, I would prefer that you set the default policy to DROP and then only accept the good ones.
Something like this.

This assumes that your network is 192.168.0.x


#!/bin/bash
# Default-deny firewall: flush everything, drop by default, then open only what is needed.

# Start from empty rule sets in all three tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Default policy: anything not explicitly accepted below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback traffic is always allowed.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# DHCP client requests (bootpc -> bootps): drop those arriving on eth1,
# accept those arriving on eth0, and let this host send its own out of eth1.
iptables -A INPUT -i eth1 -p udp --dport bootps --sport bootpc -j DROP
iptables -A INPUT -i eth0 -p udp --dport bootps --sport bootpc -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp --dport bootps --sport bootpc -j ACCEPT

# Packets belonging to, or related to, connections already established are accepted.
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT

# Trust the local network.
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT

# Accept everything from the good addresses listed in godips.txt (one entry per line).
if [ -f godips.txt ]
then
    for GOD_IP in $(cat godips.txt)
    do
        iptables -A INPUT -s "$GOD_IP" -j ACCEPT
    done
else
    echo "Can't read godips.txt"
fi