iptables: Banning IPs from .txt file & adding them 'on the fly' ?

FreekFreek Member
edited January 2013 in Help

I run a gameserver and every now and then I have to deal with cheaters. For some reason these clowns manage to either nullify or spoof their GUIDs so that I cannot ban them the normal way. Therefore I have to ban their IPs and hope that they are retarded enough not to use a VPN or have a dynamic IP.
To do so I'm using iptables, with the following command:
iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
However, I also want to give my friends the opportunity to ban cheaters when I'm not online. Therefore I'm looking for some sort of way/script to ban IP's.
Personally, I was thinking of storing IPs in an .txt file which I can have my friends edit using OneFileCMS or something. Then some cronjob should issue a script every minute so that these new IPs will be added to the firewall. My problem is however, how do I recursively load IPs from another file into iptables using the command above?
If you guys have any other suggestions I would love to hear them as well :)

Thanks!

Comments

  • create a web script (PHP) that only they have access to, to allow them to directly add an IP to your blacklist

  • DamianDamian Member
    edited January 2013

    @Freek said: My problem is however, how do I recursively load IPs from another file into iptables using the command above?

    With PHP, an extremely basic process is:

    <?php

    $file1 = "test.txt";
    // one array element per line, without trailing newlines or blank lines
    $lines = file($file1, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

    foreach ($lines as $line_num => $line) {
        do_stuff($line); // e.g. build and run the iptables command for this IP
    }

    ?>
    

    Where do_stuff would operate on each line, referenced as $line[$line_num].

    http://www.lowendtalk.com/discussion/4185/sshcheck.php-blocking-ssh-bruteforce-attempts-against-client-vps-containers is a script I wrote that could potentially be used as a basis.

  • flricharflrichar Member
    edited January 2013

    Iptables has a line option, if you knew that these rules would always be inserted after line 12, you could do something like

    iptables -I INPUT 12 -s ... (for inserting before the current line 12)
    

    or

    iptables -I INPUT 13 -s ... (for inserting after line 12; -A takes no line number and always appends at the end)
    

    Please forgive my bad wiki kung fu.

  • Read file lines, run a foreach loop, then just do if remote addr is in the list, then redirect it to a blocked page or something(PHP).

  • iptables-restore data.txt

  • jarjar Patron Provider, Top Host, Veteran
  • WilliamWilliam Member
    edited January 2013

    file="/path/to/file.txt"
    # IPs that already have a DROP rule for the game ports, joined into one regex (a|b|c)
    existing_drop=$(iptables -L INPUT -n | grep DROP | grep 28965 | awk '{print $4}' | paste -sd '|')
    # IPs from the file that are not yet dropped
    new_drop=$(egrep -v "$existing_drop" "$file" | xargs)
    for dropip in $new_drop; do iptables -A INPUT -s "$dropip" -p udp -m udp --dport 28960:28965 -j DROP; done

    Con: does not automatically remove IPs - needs at least 1 (fake) IP dropped all the time, else it does not work

  • @Freek i have sent you a PM

  • AnthonySmithAnthonySmith Member, Patron Provider
    edited January 2013

    Simple shell script

    #!/bin/sh
    # Script to add an IP to the ban list interactively
    printf 'Enter the IP to BAN and press [ENTER]: '
    read -r ip
    iptables -A INPUT -s "$ip" -p udp -m udp --dport 28960:28965 -j DROP

    # keep a record of the banned IPs if you want, or comment out
    echo "$ip" >> /some/dir/ban.txt
    

    for a cron job based one with a txt file you can

    #!/bin/sh
    # read one IP per line from the file and add a DROP rule for each
    while read -r ipban
    do
        iptables -A INPUT -s "$ipban" -p udp -m udp --dport 28960:28965 -j DROP
    done < /path/to/your/file.txt
    rm /path/to/your/file.txt # so you don't end up with duplicate rules
    
  • Thanks for all the replies guys, appreciate it!

    @gubbyte @curtisg That's the idea, sadly my scripting skills are very limited. Hence I'm asking for pointers i.e. examples here ;)

    @Damian I took a look at your other script but I can't seem to find exactly where the 'magic' is happening. The email stuff takes up a large part of the script.
    do_stuff is where the magic is supposed the happen, right?

    @flrichar I don't quite understand how this can be used in my situation?

    @jcaleb said: iptables-restore data.txt

    Lol, really, that easy? And what about duplicates? For example if I add this command as a cronjob and run it every minute, will it add the previous ones as well?

    @jarland I think csf is a bit overkill for what I'm trying to achieve.

    @William what do you mean by 'does not automatically remove IPs' ? Also a fake IP is no problem.

    @joodle replied!

    @AnthonySmith Wow, thanks! I'm looking for a cron based one, as my friends do not have/get access to SSH.
    I'm a bit confused by your script. The first line says 'while read ipban'. What does ipban do in that sentence? The file is supposed to be named file.txt, right?
    I see it removes the file afterwards to prevent duplicates. That's great, but if I restart the server, all IPs are gone, right?

    Thanks!

  • @Freek My point was just that, given a script, you can insert/append the iptables rules wherever you wanted. You could wipe out the entire list (using line numbers) or perhaps have a separate chain just for new ip addresses. Like perm-banned and temp-banned, etc.

  • AnthonySmithAnthonySmith Member, Patron Provider

    ipban just represents the variable which is the IP, it could say beans or flurbleburb :)

    what it does in simple terms is say, while reading ipban (ipban being the variable) do the following, it is 'done' when it has finished going through your txt file line by line, each line it reads becomes $ipban

    the txt file can be names what ever you want just update the script accordingly, that is correct though you should really save your iptables, to get around that you could use this instead.

    #!/bin/sh
    # add a DROP rule for each IP in the file, then move the IPs to the permanent list
    while read -r ipban
    do
        iptables -A INPUT -s "$ipban" -p udp -m udp --dport 28960:28965 -j DROP
    done < /path/to/your/file.txt
    cat /path/to/your/file.txt >> /root/perm-ban-list.txt
    rm /path/to/your/file.txt
    
    

    Then on start up after a reboot you can just do

    cat /root/perm-ban-list.txt > /path/to/your/file.txt

    Its a little manual but you could build on it, if you need a hand with any simple scripts like this you can always drop me a PM.

  • curtisgcurtisg Banned
    edited January 2013

    @Freek
    little php script i just put together as an example(not best method, but easy one):
    http://pastebin.com/S2rWuhK1

  • jarjar Patron Provider, Top Host, Veteran

    @Freek said: I think csf is a bit overkill for what I'm trying to achieve.

    It's really pretty small, easy to configure, has a web interface.

  • Csf a web interface? Sweeeeet. Only worked in cli so far.

  • I think using IPset(http://ipset.netfilter.org/) module to ban thousands of IPs dynamically is much more better than pure-iptables commands.
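
The ipset approach suggested in the post above, as an added example that is not from the thread or from the ipset project: the ban file is turned into one `ipset restore` batch that builds a fresh set and swaps it into place, so the firewall needs a single rule and addresses removed from the file are unbanned on the next run. The set name `gameban`, the UDP port range from the thread and IPv4-only input are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep the ban list in an ipset and match
# it with one iptables rule. The set is rebuilt from the file each run and
# swapped in atomically, so addresses removed from the file are unbanned too.
# Assumptions: the set name below, IPv4 only, and the UDP ports from the thread.
SET_NAME="${SET_NAME:-gameban}"
PORTS="28960:28965"

# ipset_restore_script FILE: print "ipset restore" commands that build a fresh
# set from FILE (one IPv4 address per line; duplicates and junk lines dropped)
# and swap it into place. The whole batch is applied by a single ipset call.
ipset_restore_script() {
    printf 'create %s_new hash:ip -exist\n' "$SET_NAME"
    printf 'flush %s_new\n' "$SET_NAME"        # in case a previous run died halfway
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' "$1" | sort -u |
    while IFS= read -r ip; do
        printf 'add %s_new %s\n' "$SET_NAME" "$ip"
    done
    printf 'create %s hash:ip -exist\n' "$SET_NAME"
    printf 'swap %s_new %s\n' "$SET_NAME" "$SET_NAME"
    printf 'destroy %s_new\n' "$SET_NAME"
}

# apply_banlist FILE: rebuild the set, then make sure exactly one DROP rule
# referencing it is present in INPUT (-C checks, -I inserts only if missing).
apply_banlist() {
    ipset_restore_script "$1" | ipset restore || return 1
    iptables -C INPUT -p udp -m udp --dport "$PORTS" \
        -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
    iptables -I INPUT -p udp -m udp --dport "$PORTS" \
        -m set --match-set "$SET_NAME" src -j DROP
}

# Cron use: apply_banlist /path/to/your/file.txt
```

Because `ipset restore` applies the batch as a unit, one malformed entry (for example an octet above 255, which the coarse grep does not catch) aborts the whole batch before the `swap`, leaving the previous set untouched; the cron job should therefore check the exit status of `apply_banlist` rather than assume the file was applied.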

  • if your iptables has xt_recent module, and you dont have to ban by subnet,
    -A INPUT -m recent --name BAN --rcheck -j DROP
    and
    echo "+1.2.3.4" > /proc/net/xt_recent/BAN
    will do without on the fly iptables rules.

  • why not make it a little easier with CSF as you can add it into a .txt to ban I believe with CSF.

  • @AnthonySmith indeed wins! Anthony and I discussed the script over email and Anthony has made some improvements. The latest and final version can be found here:

    http://pastebin.com/4JEbN28m

    Thanks once again Anthony, It works flawlessly !

  • raindog308raindog308 Administrator, Veteran

    I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

    Also make sure someone doesn't put the server's IP in...
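
Putting together the cron-driven file loader from AnthonySmith's posts and the two checks raindog308 raises (sanity-check the .txt, never ban the server itself), here is an added example that is not code from the thread: every line is validated as a plain IPv4 address before it is passed to iptables, the server's own address is refused, and `iptables -C` is used so the job can run every minute without adding duplicate rules. The placeholder server address `203.0.113.10`, the `ban_from_file`/`valid_ipv4` names and IPv4-only input are assumptions; `iptables -C` needs iptables 1.4.11 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven loader that validates each
# line of the ban file before it reaches iptables, refuses the server's own
# address, and uses "iptables -C" so re-running it never adds duplicate rules.
# Assumptions: IPv4 only, the UDP port range from the thread, and that the
# DROP rules live in the INPUT chain.
IPT="${IPT:-iptables}"
SERVER_IP="${SERVER_IP:-203.0.113.10}"   # placeholder: set to the gameserver's real address
PORTS="28960:28965"

# valid_ipv4 ADDR: succeed only for exactly four dotted decimal octets 0-255,
# no leading zeros and no other characters (so "1.2.3.4 -j ACCEPT" is rejected).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        case $octet in 0?*) return 1 ;; esac          # reject "01" style octets
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# ban_from_file FILE: add a DROP rule for every new, valid address in FILE.
# Comments (# ...), blank lines and surrounding whitespace are ignored.
# Prints each address it actually added, one per line; problems go to stderr.
ban_from_file() {
    banfile=$1
    [ -r "$banfile" ] || { echo "cannot read $banfile" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}                                 # drop trailing comment
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')        # drop whitespace / CRLF
        [ -n "$ip" ] || continue
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid entry: $line" >&2
            continue
        fi
        if [ "$ip" = "$SERVER_IP" ]; then
            echo "refusing to ban the server's own address $ip" >&2
            continue
        fi
        # -C returns 0 when an identical rule already exists, so the cron job
        # can run every minute without piling up duplicates.
        if "$IPT" -C INPUT -s "$ip" -p udp -m udp --dport "$PORTS" -j DROP 2>/dev/null; then
            continue
        fi
        "$IPT" -A INPUT -s "$ip" -p udp -m udp --dport "$PORTS" -j DROP && echo "$ip"
    done < "$banfile"
}

# Typical cron use: ban_from_file /path/to/your/file.txt >> /root/perm-ban-list.txt
```

The validator deliberately accepts only a bare address, so anything a web editor lets someone type after it (extra options, a second command, a CIDR mask) is logged and skipped rather than spliced into the iptables command line; if subnet bans are wanted, extend `valid_ipv4` explicitly instead of loosening the check.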

  • @raindog308 said: I would run some sanity checks on the .txt - lots of opportunities for shell mischief.

    Also make sure someone doesn't put the server's IP in...

    True, true. But still does the job I need it for.
