Easy add IP to be blocked by iptables

Following up on the post on how to loop thru a file and perform an action per line, which you can find here


There is a case when this is useful, adding IPs from a text file into iptables and block their access to your VPS or dedicated server.

if you break down this command with its parameters (iptables being the command)

iptables -A INPUT -s XXX.XXX.XXX.XXX -p udp -m udp --dport 28960:28965 -j DROP
ParameterExplanation
-AAppend this to existing rules
INPUTThe chain where the rule should be added into
-s XXX.XXX.XXX.XXX-s Sets the source for a particular packet, in this case the ip of XXX.XXX.XXX.XXX
-p udp-p = Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all, to match every possible protocol. If this option is omitted when creating a rule, the all option is the default.
-m udp-m = match option
Different network protocols provide specialized matching options which may be set in specific ways to match a particular packet using that protocol. Of course, the protocol must first be specified in the iptables command, such as using -p tcp , to make the options for that protocol available.
–dport 28960:28965–dport Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The –destination-port match option may be used instead of –dport.
To specify a specific range of port numbers, separate the two numbers with a colon (:), such as our example.
You may also use an exclamation point character (!) as a flag after the –dport option to tell iptables to match all packets which do not use that network service or port.
-j DROP-j Tells iptables to jump to a particular target when a packet matches a particular rule. Valid targets to be used include the standard options, ACCEPT, DROP, QUEUE, and RETURN, as well as extended options that are available through modules loaded, such as LOG, MARK, and REJECT, among others.If no target is specified, the packet moves past the rule with no action taken. However, the counter for this rule is still increased by 1, as the packet matched the specified rule.
in our example we use DROP — The system that sent the packet is not notified of the failure. The packet is simply removed from the rule checking the chain and discarded.

This command will DROP connections from IP XXX.XXX.XXX.XXX on udp port 28960:28965

If you want to block all connections from a specific IP, no matter what port it tries to connect to, omit the -p -m and –dport parameters. This will look like this

iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP

You might ask when are we going to loop thru the file?

#!/bin/sh
 
# This will loop thru the file /ban/banip.txt and add every IP in that 
# file with a DROP to the INPUT chain in iptables.
#
# change the path and file name if required
 
# you can re-run this file if you are not saving your iptables config 
# between reboots. 
while read blist
do
/sbin/iptables -A INPUT -s $blist -j DROP && sleep 2
echo $blist has been added to your iptables

done < /ban/banip.txt

To add a single IP to the block list in iptables and add the IP to your text file, you could use a simple shell script like this

#!/bin/sh
# Script to add ip
echo -n "Enter the IP to BAN and press [ENTER]:"
read ip
/sbin/iptables -A INPUT -s $ip -j DROP
 
#keep a record of the banned IP's if you want or comment out
echo $ip >> /ban/banip.txt
# Make sure you use the same path and filename as in the loop script

This is a quick and dirty way to keep a list of IPs you would like to block access from.

I’m sure that the readers have more sophisticated and innovative ways to add their own list of IPs to iptables.

Comment with how you do it and why you do it the way you do.

Default image
mikho
Swedish Viking, also known as the NAT King (by others). Owner of mrvm.net and part of the administrator team of LowEndSpirit.
Articles: 7

One comment

  1. nice breakdown and just wanted to add you can use *ipset* to manage ip sets. It has the advantage of adding a live ip without reloading the whole file.

    maybe this can be a new upcoming article 🙂

Leave a Reply