iptables: Banning IPs from .txt file & adding them 'on the fly' ?

Freek

I run a gameserver and every now and then I have to deal with cheaters. For some reason these clowns manage to either nullify or spoof their GUIDs so that I cannot ban them the normal way. Therefore I have to ban their IPs and hope that they are retarded enough not to use a VPN or have a dynamic IP.
To do so I'm using iptables, with the following command:
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
However, I also want to give my friends the opportunity to ban cheaters when I'm not online. Therefore I'm looking for some sort of way/script to ban IP's.
Personally, I was thinking of storing IPs in an .txt file which I can have my friends edit using OneFileCMS or something. Then some cronjob should issue a script every minute so that these new IPs will be added to the firewall. My problem is however, how do I recursively load IPs from another file into iptables using the command above?
If you guys have any other suggestions I would love to hear them as well

Thanks!

gubbyte

create a web script (PHP) that only they have access to, to allow them to directly add an IP to your blacklist

Damian

@Freek said: My problem is however, how do I recursively load IPs from another file into iptables using the command above?

With PHP, an extremely basic process is:

<?php

$file1 = "test.txt";
$lines = file($file1);

foreach($lines as $line_num => $line) {
do_stuff();
}

?>

Where do_stuff would operate on each line, referenced as $line[$line_num].

http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers is a script I wrote that could potentially be used as a basis.

flrichar

Iptables has a line option, if you knew that these rules would always be inserted after line 12, you could do something like

iptables -I 12 INPUT -s ... (for inserting before line 12)

or

iptables -A 12 INPUT -s ... (for appending after line 12) 

Please forgive my bad wiki kung fu.

curtisg

Read file lines, run a foreach loop, then just do if remote addr is in the list, then redirect it to a blocked page or something(PHP).

jcaleb

iptables-restore data.txt

jar

http://configserver.com/cp/csf.html

William

file="/path/to/file.txt"
existing_drop=$(iptables -L INPUT -n | grep DROP | grep 28965 | awk '{print $4}' | xargs)
new_drop=$(cat $file | egrep -v '$existing_drop' | xargs)"
for dropip in $new_drop; do iptables -A INPUT -s $dropip -p udp -m udp --dport 28960:28965 -j DROP; done

Con: does not automatically remove IPs - needs at least 1 (fake) IP dropped all the time, else it does not work

BlazeMuis

@Freek i have sent you a PM

AnthonySmith

Simple shell script

#!/bin/sh
# Script to add ip
echo -n "Enter the IP to BAN and press [ENTER]:"
read ip
iptables -A INPUT -s $ip -p udp -m udp --dport 28960:28965 -j DROP

#keep a record of the banned IP's if you want or comment out
echo $ip >> /some/dir/ban.txt

for a cron job based one with a txt file you can

#!/bin/sh
while read ipban
do 
iptables -A INPUT -s $ipban -p udp -m udp --dport 28960:28965 -j DROP
done < /path/to/your/file.txt
rm /path/to/your/file.txt # so you don't end up with duplicate rules

Freek

Thanks for all the replies guys, appreciate it!

@gubbyte @curtisg That's the idea, sadly my scripting skills are very limited. Hence I'm asking for pointers i.e. examples here

@Damian I took a look at your other script but I can't seem to find exactly where the 'magic' is happening. The email stuff takes up a large part of the script.
do_stuff is where the magic is supposed the happen, right?

@flrichar I don't quite understand how this can be used in my situation?

@jcaleb said: iptables-restore data.txt

Lol, really, that easy? And what about duplicates? For example if I add this command as a cronjob and run it every minute, will it add the previous ones as well?

@jarland I think csf is a bit overkill for what I'm trying to achieve.

@William what do you mean by 'does not automatically remove IPs' ? Also a fake IP is no problem.

@joodle replied!

@AnthonySmith Wow, thanks! I'm looking for a cron based one, as my friends do not have/get access to SSH.
I'm a bit confused by your script. The first line says 'while read ipban'. What does ipban do in that sentence? The file is supposed to be named file.txt, right?
I see it removes the file afterwards to prevent duplicates. That's great, but if I restart the server, all IPs are gone, right?

Thanks!

flrichar

@Freek My point was just that, given a script, you can insert/append the iptables rules wherever you wanted. You could wipe out the entire list (using line numbers) or perhaps have a separate chain just for new ip addresses. Like perm-banned and temp-banned, etc.

AnthonySmith

ipban just represents the variable which is the IP, it could say beans or flurbleburb

what it does in simple terms is say, while reading ipban (ipban being the variable) do the following, it is 'done' when it has finished going through your txt file line by line, each line it reads becomes $ipban

the txt file can be names what ever you want just update the script accordingly, that is correct though you should really save your iptables, to get around that you could use this instead.

#!/bin/sh
while read ipban
do 
iptables -A INPUT -s $ipban -p udp -m udp --dport 28960:28965 -j DROP
done < /path/to/your/file.txt
cat path/to/your/file.txt >> /root/perm-ban-list.txt
rm /path/to/your/file.txt 

Then on start up after a reboot you can just do

cat /root/perm-ban-list.txt > /path/to/your/file.txt

Its a little manual but you could build on it, if you need a hand with any simple scripts like this you can always drop me a PM.

Damian

@AnthonySmith wins!

curtisg

@Freek
little php script i just put together as an example(not best method, but easy one):
http://pastebin.com/S2rWuhK1

jar

@Freek said: I think csf is a bit overkill for what I'm trying to achieve.

It's really pretty small, easy to configure, has a web interface.

taronyu

Csf a web interface? Sweeeeet. Only worked in cli so far.

tinyX

I think using IPset(http://ipset.netfilter.org/) module to ban thousands of IPs dynamically is much more better than pure-iptables commands.

cause

if your iptables has xt_recent module, and you dont have to ban by subnet,
-A INPUT -m recent --name BAN --rcheck -j DROP
and
echo "+1.2.3.4" > /proc/net/xt_recent/BAN
will do without on the fly iptables rules.

MonsteR

why not make it a little easier with CSF as you can add it into a .txt to ban I believe with CSF.

Freek

@Damian said: @AnthonySmith wins!

@AnthonySmith indeed wins! Anthony and I discussed the script over email and Anthony has made some improvements. The latest and final version can be found here:

http://pastebin.com/4JEbN28m

Thanks once again Anthony, It works flawlessly !

mikho

I also wrote about it here
http://www.lowendguide.com/scripts/easy-add-ip-to-be-blocked-by-iptables/

raindog308

I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

Also make sure someone doesn't put the server's IP in...

Freek

@raindog308 said: I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

Also make sure someone doesn't put the server's IP in...

True, true. But still does the job I need it for.