    iptables: Banning IPs from .txt file & adding them 'on the fly' ?

    Freek Member
    edited January 2013 in Help

    I run a gameserver and every now and then I have to deal with cheaters. For some reason these clowns manage to either nullify or spoof their GUIDs so that I cannot ban them the normal way. Therefore I have to ban their IPs and hope that they are retarded enough not to use a VPN or have a dynamic IP.
    To do so I'm using iptables, with the following command:
    iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
    However, I also want to give my friends the opportunity to ban cheaters when I'm not online. Therefore I'm looking for some sort of way/script to ban IPs.
    Personally, I was thinking of storing IPs in a .txt file which I can have my friends edit using OneFileCMS or something. Then some cronjob should issue a script every minute so that these new IPs will be added to the firewall. My problem is, however, how do I recursively load IPs from another file into iptables using the command above?
    If you guys have any other suggestions I would love to hear them as well :)

    Thanks!

    Linux noob willing to learn.

    Comments

    • create a web script (PHP) that only they have access to, to allow them to directly add an IP to your blacklist

    • Damian Member
      edited January 2013

      @Freek said: My problem is however, how do I recursively load IPs from another file into iptables using the command above?

      With PHP, an extremely basic process is:

      <?php
      
      $file1 = "test.txt";
      // one array element per line; drop the newlines and skip blank lines
      $lines = file($file1, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
      
      foreach ($lines as $line_num => $line) {
          // do_stuff() is where the per-line work (e.g. the iptables call) goes
          do_stuff(trim($line));
      }
      
      ?>
      

      Where do_stuff would operate on each line, referenced as $line[$line_num].

      http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers is a script I wrote that could potentially be used as a basis.

    • flrichar Member
      edited January 2013

      Iptables has a line option; if you knew that these rules would always be inserted after line 12, you could do something like

      iptables -I INPUT 12 -s ...   # insert as rule number 12, i.e. before the current line 12
      

      or

      iptables -I INPUT 13 -s ...   # insert as rule number 13, i.e. right after line 12 (-A only appends to the end of the chain)
      

      Please forgive my bad wiki kung fu.

    • Read the file lines, run a foreach loop, then just check if the remote addr is in the list and redirect it to a blocked page or something (PHP).

    • jcaleb Moderator

      iptables-restore data.txt

    • William Member, Provider
      edited January 2013

      file="/path/to/file.txt"
      # source addresses (column 4 of 'iptables -L -n') already DROPped for the game ports
      existing_drop=$(iptables -L INPUT -n | grep DROP | grep 28960:28965 | awk '{print $4}' | xargs)
      # keep only the IPs from the file that are not in the ruleset yet
      # (the variable has to be expanded, so it must not sit inside single quotes)
      new_drop=$(printf '%s\n' $existing_drop | grep -vxF -f - "$file" | xargs)
      for dropip in $new_drop; do iptables -A INPUT -s "$dropip" -p udp -m udp --dport 28960:28965 -j DROP; done

      Con: does not automatically remove IPs - needs at least 1 (fake) IP dropped all the time, else it does not work

    • @Freek i have sent you a PM

    • AnthonySmith Top Provider
      edited January 2013

      Simple shell script

      #!/bin/sh
      # Script to add an IP ban interactively
      # (printf instead of 'echo -n', which not every /bin/sh understands)
      printf "Enter the IP to BAN and press [ENTER]: "
      read -r ip
      iptables -A INPUT -s "$ip" -p udp -m udp --dport 28960:28965 -j DROP
      
      # keep a record of the banned IPs if you want, or comment out
      echo "$ip" >> /some/dir/ban.txt
      

      for a cron job based one with a txt file you can

      #!/bin/sh
      # cron version: one IP per line in file.txt, each line read becomes $ipban
      [ -f /path/to/your/file.txt ] || exit 0   # nothing new to ban
      while read -r ipban
      do
          iptables -A INPUT -s "$ipban" -p udp -m udp --dport 28960:28965 -j DROP
      done < /path/to/your/file.txt
      rm /path/to/your/file.txt # so you don't end up with duplicate rules
      
    • Thanks for all the replies guys, appreciate it!

      @gubbyte @curtisg That's the idea, sadly my scripting skills are very limited. Hence I'm asking for pointers i.e. examples here ;)

      @Damian I took a look at your other script but I can't seem to find exactly where the 'magic' is happening. The email stuff takes up a large part of the script.
      do_stuff is where the magic is supposed the happen, right?

      @flrichar I don't quite understand how this can be used in my situation?

      @jcaleb said: iptables-restore data.txt

      Lol, really, that easy? And what about duplicates? For example if I add this command as a cronjob and run it every minute, will it add the previous ones as well?

      @jarland I think csf is a bit overkill for what I'm trying to achieve.

      @William what do you mean by 'does not automatically remove IPs' ? Also a fake IP is no problem.

      @joodle replied!

      @AnthonySmith Wow, thanks! I'm looking for a cron based one, as my friends do not have/get access to SSH.
      I'm a bit confused by your script. The first line says 'while read ipban'. What does ipban do in that sentence? The file is supposed to be named file.txt, right?
      I see it removes the file afterwards to prevent duplicates. That's great, but if I restart the server, all IPs are gone, right?

      Thanks!

    • @Freek My point was just that, given a script, you can insert/append the iptables rules wherever you wanted. You could wipe out the entire list (using line numbers) or perhaps have a separate chain just for new ip addresses. Like perm-banned and temp-banned, etc.

    • AnthonySmith Top Provider

      ipban just represents the variable which is the IP; it could say beans or flurbleburb :)

      What it does, in simple terms, is say: while reading ipban (ipban being the variable), do the following; it is 'done' when it has finished going through your txt file line by line. Each line it reads becomes $ipban.

      The txt file can be named whatever you want, just update the script accordingly. That is correct though, you should really save your iptables; to get around that you could use this instead.

      #!/bin/sh
      # ban every IP listed in file.txt, then move the list to a permanent record
      [ -f /path/to/your/file.txt ] || exit 0   # nothing new to ban
      while read -r ipban
      do
          iptables -A INPUT -s "$ipban" -p udp -m udp --dport 28960:28965 -j DROP
      done < /path/to/your/file.txt
      cat /path/to/your/file.txt >> /root/perm-ban-list.txt
      rm /path/to/your/file.txt
      
      

      Then on startup after a reboot you can just do

      cat /root/perm-ban-list.txt > /path/to/your/file.txt

      It's a little manual but you could build on it; if you need a hand with any simple scripts like this you can always drop me a PM.

    • curtisg Banned
      edited January 2013

      @Freek
      Little PHP script I just put together as an example (not the best method, but an easy one):
      http://pastebin.com/S2rWuhK1

    • jar Provider

      @Freek said: I think csf is a bit overkill for what I'm trying to achieve.

      It's really pretty small, easy to configure, has a web interface.

    • CSF has a web interface? Sweeeeet. Only worked in the CLI so far.

    • I think using the IPset (http://ipset.netfilter.org/) module to ban thousands of IPs dynamically is much better than pure iptables commands.

    • If your iptables has the xt_recent module, and you don't have to ban by subnet,
      -A INPUT -m recent --name BAN --rcheck -j DROP
      and
      echo "+1.2.3.4" > /proc/net/xt_recent/BAN
      will do without on-the-fly iptables rules.

    • Why not make it a little easier with CSF, as I believe you can add it into a .txt to ban with CSF.

    • @AnthonySmith indeed wins! Anthony and I discussed the script over email and Anthony has made some improvements. The latest and final version can be found here:

      http://pastebin.com/4JEbN28m

      Thanks once again Anthony, it works flawlessly!

    • I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

      Also make sure someone doesn't put the server's IP in...

    • @raindog308 said: I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

      Also make sure someone doesn't put the server's IP in...

      True, true. But still does the job I need it for.


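Pulling the thread together, here is a cron-side script written for this page as an added example; it is not Anthony's pastebin script nor any other poster's code. It assumes the OP's UDP port range 28960:28965, one IPv4 address per line in the text file (blank lines and "#" comments allowed, CRLF from a web editor tolerated), and an iptables with the -C (check) option, available since 1.4.11. The file path /var/www/bans.txt and the names IPTABLES, PORTS, OWN_IPS, valid_ipv4 and sync_bans are my own choices. It addresses the three concerns raised above: duplicate rules when run every minute (each rule is checked with -C before it is added), the bans surviving a reboot (the list file is never deleted, so the first cron run after boot re-applies it), and raindog308's "shell mischief" (only strings that are exactly four decimal octets ever reach iptables, and the server's own address is refused).

```shell
#!/bin/sh
# ban-sync.sh: add a DROP rule for every IP listed in a text file, idempotently.
# Example script for this thread, not any poster's code. Run it from cron, e.g.
#   * * * * * /root/ban-sync.sh /var/www/bans.txt
# Lines that are not a plain IPv4 address are skipped (and reported on stderr),
# so a stray "1.2.3.4; rm -rf /" in the file can never reach the shell.

IPTABLES=${IPTABLES:-iptables}   # command to use; overridable (e.g. for testing)
PORTS=${PORTS:-28960:28965}      # the game server's UDP port range (from the OP)
OWN_IPS=${OWN_IPS:-}             # space-separated addresses of this host, never banned

# valid_ipv4 A.B.C.D -> 0 if exactly four decimal octets in 0..255, else 1
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty fields
    esac
    vi_oldifs=$IFS
    IFS=.
    set -- $1                                  # split into octets
    IFS=$vi_oldifs
    [ $# -eq 4 ] || return 1
    for vi_o in "$@"; do
        case "$vi_o" in ????*) return 1 ;; esac  # 4+ digits is never <= 255
        [ "$vi_o" -le 255 ] || return 1
    done
    return 0
}

# rule_exists IP -> 0 if the DROP rule is already in the INPUT chain
rule_exists() {
    "$IPTABLES" -C INPUT -s "$1" -p udp -m udp --dport "$PORTS" -j DROP 2>/dev/null
}

# add_ban IP -> appends the DROP rule
add_ban() {
    "$IPTABLES" -A INPUT -s "$1" -p udp -m udp --dport "$PORTS" -j DROP
}

# is_own_ip IP -> 0 if IP is one of OWN_IPS
is_own_ip() {
    for io_own in $OWN_IPS; do
        [ "$1" = "$io_own" ] && return 0
    done
    return 1
}

# sync_bans FILE: apply every new, valid IP in FILE; prints the number of rules added
sync_bans() {
    sb_added=0
    while IFS= read -r sb_line || [ -n "$sb_line" ]; do
        sb_ip=${sb_line%%#*}                              # strip trailing "# comment"
        sb_ip=$(printf '%s' "$sb_ip" | tr -d ' \t\r')     # and whitespace / CRLF
        [ -z "$sb_ip" ] && continue
        if ! valid_ipv4 "$sb_ip"; then
            echo "skip: not an IPv4 address: $sb_line" >&2
            continue
        fi
        if is_own_ip "$sb_ip"; then
            echo "skip: refusing to ban own address $sb_ip" >&2
            continue
        fi
        rule_exists "$sb_ip" && continue                  # already banned, no duplicate
        add_ban "$sb_ip" && sb_added=$((sb_added + 1))
    done < "$1"
    echo "$sb_added"
}

# Only act when a list file is given on the command line.
if [ $# -ge 1 ]; then
    sync_bans "$1"
fi
```

Set OWN_IPS to the server's public address (OWN_IPS="198.51.100.5" at the top, or in the crontab line) so a friend cannot lock everyone out by pasting it into the list. The script does not persist rules itself; either rely on the cron run after boot to re-apply bans.txt, or add an `iptables-save > /etc/iptables/rules.v4` (or your distro's equivalent) to a boot-time save, which is also what makes jcaleb's `iptables-restore` suggestion work.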