iptables: Banning IPs from .txt file & adding them 'on the fly' ?
I run a gameserver and every now and then I have to deal with cheaters. For some reason these clowns manage to either nullify or spoof their GUIDs so that I cannot ban them the normal way. Therefore I have to ban their IPs and hope that they are retarded enough not to use a VPN or have a dynamic IP.
To do so I'm using iptables, with the following command:
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
However, I also want to give my friends the opportunity to ban cheaters when I'm not online. Therefore I'm looking for some sort of way/script to ban IPs.
Personally, I was thinking of storing IPs in a .txt file which I can have my friends edit using OneFileCMS or something. Then some cronjob should issue a script every minute so that these new IPs will be added to the firewall. My problem, however, is how do I recursively load IPs from another file into iptables using the command above?
If you guys have any other suggestions I would love to hear them as well
Thanks!
Linux noob willing to learn.
Comments
Create a web script (PHP) that only they have access to, to allow them to directly add an IP to your blacklist.
With PHP, an extremely basic process is:
Where do_stuff would operate on each line, referenced as $line[$line_num].
http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers is a script I wrote that could potentially be used as a basis.
Iptables has a line option, if you knew that these rules would always be inserted after line 12, you could do something like
or
Please forgive my bad wiki kung fu.
-- Geexology VPS
Read file lines, run a foreach loop, then just check if the remote addr is in the list and redirect it to a blocked page or something (PHP).
iptables-restore data.txt
http://configserver.com/cp/csf.html
https://mxroute.blackfriday/
file="/path/to/file.txt"
# IPs that already have a DROP rule on the game ports; in 'iptables -L -n' output the source address is column 4
existing_drop=$(iptables -L INPUT -n | grep DROP | grep 28965 | awk '{print $4}' | xargs)
# Lines of the file that are not dropped yet; the space-separated list becomes a grep alternation (a|b|c)
new_drop=$(grep -Ev "$(printf '%s' "$existing_drop" | tr ' ' '|')" "$file" | xargs)
for dropip in $new_drop; do iptables -A INPUT -s "$dropip" -p udp -m udp --dport 28960:28965 -j DROP; done
Con: does not automatically remove IPs - needs at least 1 (fake) IP dropped all the time, else it does not work
IP6.IM
@Freek i have sent you a PM
Simple shell script
for a cron job based one with a txt file you can
I am no longer active here, find me at https://talk.lowendspirit.com
Thanks for all the replies guys, appreciate it!
@gubbyte @curtisg That's the idea, sadly my scripting skills are very limited. Hence I'm asking for pointers, i.e. examples, here.
@Damian I took a look at your other script but I can't seem to find exactly where the 'magic' is happening. The email stuff takes up a large part of the script.
do_stuff is where the magic is supposed to happen, right?
@flrichar I don't quite understand how this can be used in my situation?
Lol, really, that easy? And what about duplicates? For example if I add this command as a cronjob and run it every minute, will it add the previous ones as well?
@jarland I think csf is a bit overkill for what I'm trying to achieve.
@William what do you mean by 'does not automatically remove IPs' ? Also a fake IP is no problem.
@joodle replied!
@AnthonySmith Wow, thanks! I'm looking for a cron based one, as my friends do not have/get access to SSH.
I'm a bit confused by your script. The first line says 'while read ipban'. What does ipban do in that sentence? The file is supposed to be named file.txt, right?
I see it removes the file afterwards to prevent duplicates. That's great, but if I restart the server, all IPs are gone, right?
Thanks!
Linux noob willing to learn.
@Freek My point was just that, given a script, you can insert/append the iptables rules wherever you wanted. You could wipe out the entire list (using line numbers) or perhaps have a separate chain just for new ip addresses. Like perm-banned and temp-banned, etc.
-- Geexology VPS
ipban just represents the variable, which is the IP; it could say beans or flurbleburb.
What it does, in simple terms, is say: while reading ipban (ipban being the variable), do the following; it is 'done' when it has finished going through your txt file line by line. Each line it reads becomes $ipban.
The txt file can be named whatever you want, just update the script accordingly. That is correct though, you should really save your iptables; to get around that you could use this instead.
Then on start up after a reboot you can just do
cat /root/perm-ban-list.txt > /path/to/your/file.txt
It's a little manual but you could build on it. If you need a hand with any simple scripts like this you can always drop me a PM.
I am no longer active here, find me at https://talk.lowendspirit.com
@AnthonySmith wins!
@Freek
Little PHP script I just put together as an example (not best method, but easy one):
http://pastebin.com/S2rWuhK1
It's really pretty small, easy to configure, has a web interface.
https://mxroute.blackfriday/
Csf a web interface? Sweeeeet. Only worked in cli so far.
Servitor.io - Server and website monitoring. Free to use!
I think using the IPset (http://ipset.netfilter.org/) module to ban thousands of IPs dynamically is much better than pure iptables commands.
If your iptables has the xt_recent module, and you don't have to ban by subnet,
-A INPUT -m recent --name BAN --rcheck -j DROP
and
echo "+1.2.3.4" > /proc/net/xt_recent/BAN
will do without on the fly iptables rules.
Why not make it a little easier with CSF, as you can add it into a .txt to ban, I believe, with CSF.
SamuraiBit Security
@AnthonySmith indeed wins! Anthony and I discussed the script over email and Anthony has made some improvements. The latest and final version can be found here:
http://pastebin.com/4JEbN28m
Thanks once again Anthony, it works flawlessly!
Linux noob willing to learn.
I also wrote about it here
http://www.lowendguide.com/scripts/easy-add-ip-to-be-blocked-by-iptables/
or on twitter
Come say HI!
I would run some sanity checks on the .txt - lots of opportunities for shell mischief.
Also make sure someone doesn't put the server's IP in...
For LET support, please visit the support desk.
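Following the sanity-check advice above, here is an added example (not a script posted in this thread) of a cron-run sh loader for the same DROP rule the question uses: it accepts only well-formed IPv4 addresses from the shared file, refuses the server's own address, and asks iptables -C before appending so a run every minute does not stack duplicate rules; since the file is re-read on each run, the rules also come back after a reboot. The file path, the 203.0.113.10 server address and the IPTABLES override are assumptions.

```shell
#!/bin/sh
# Added example, not a script from this thread. Loads one IPv4 per line from
# BANFILE into the same DROP rule the question uses. Path, NEVER_BAN and the
# IPTABLES override are assumptions; anything that is not a bare IP is ignored,
# so a shared, web-edited file cannot smuggle extra rule arguments in.
set -eu
BANFILE=${BANFILE:-/etc/gameserver/banned_ips.txt}   # assumed location
PORTS=28960:28965                                     # game ports from the question
NEVER_BAN="203.0.113.10 127.0.0.1"   # placeholder server address + loopback
IPTABLES=${IPTABLES:-iptables}       # set to a stub function to dry-run

# Return 0 only for "a.b.c.d" with four decimal octets in 0-255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Rule already present? (iptables -C) Keeps a per-minute cron run from stacking duplicates.
rule_exists() {
    "$IPTABLES" -C INPUT -s "$1" -p udp -m udp --dport "$PORTS" -j DROP 2>/dev/null
}

# Append a DROP rule for every new, valid IP in the file; print what was added.
sync_bans() {
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$ip" ] || continue                 # blank line
        case $ip in "#"*) continue ;; esac        # comment line
        if ! valid_ipv4 "$ip"; then
            echo "skipping malformed entry: $line" >&2; continue
        fi
        case " $NEVER_BAN " in *" $ip "*)
            echo "refusing to ban protected address $ip" >&2; continue ;;
        esac
        rule_exists "$ip" && continue
        "$IPTABLES" -A INPUT -s "$ip" -p udp -m udp --dport "$PORTS" -j DROP
        echo "$ip"
    done < "$1"
}

if [ -f "$BANFILE" ]; then
    sync_bans "$BANFILE"
fi
```

Run it from cron as root with the file your friends edit as BANFILE; malformed or protected entries are reported on stderr, so the cron mail shows what was skipped.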
Also make sure someone doesn't put the server's IP in...
True, true. But still does the job I need it for.
Linux noob willing to learn.