Blocking the Bad Guys Using iptables Rule
Published January 31st, 2009
Problem Statement
Say you found out that a Web crawler from an unsavory spam organization is crawling your Web site to harvest information such as email addresses and captcha-free Web forms. You have to take action and stop such a beast from using up your bandwidth and server resources. There are many ways to fight such a low-life, but the easiest one is to block the IP address of the offender. In this article we show a simple shell script you can use to do so.
Step 1: Creating a simple shell script called block_ip.sh
The purpose of this shell script is to read a text file containing a list of IP addresses or IP networks (one per line) and block each of them using iptables. Here is a simplified version of the script:

#!/bin/sh
# Filename: block_ip.sh
# Purpose: blocks all IP addresses/networks found in a text file
# The text file must have one IP address or network per line
#################################################################
# Change the following path/filename to match yours
IP_LIST_FILE=/path/to/bad.ip.txt
#################################################################
# Don't change anything below unless you are a smarty pant!
#################################################################
IPTABLES_BIN=/sbin/iptables

# Get the IP addresses/networks from the file and ignore any line starting with # (comments)
BAD_IP_ADDR_LIST=$(grep -Ev "^#" "$IP_LIST_FILE")

# Now loop through the IP address/network list and ban each entry using iptables:
# drop packets coming from it (INPUT) and packets going to it (OUTPUT)
for i in $BAD_IP_ADDR_LIST
do
    echo -n "Blocking $i ..."
    "$IPTABLES_BIN" -A INPUT -s "$i" -j DROP
    "$IPTABLES_BIN" -A OUTPUT -d "$i" -j DROP
    echo "DONE."
done
##################################################################
# END OF SCRIPT - NOTHING TO SEE HERE - THAT'S ALL FOLKS!
##################################################################
Make sure the script is executable by changing its permissions with the command chmod 750 block_ip.sh.
Step 2: Creating your IP address or network block data file
Now create a text file at the path you set in the IP_LIST_FILE line of the script above, with one IP address or network per line. An example of such a file is shown below:

# Block a bogus IP address
200.100.1.100
# Block a bogus IP network
130.86.1.0/24
After creating the file, you are ready to block the IP addresses/networks by running the shell script as follows:
# sh /path/to/block_ip.sh
This will add iptables DROP rules for every IP address and network listed in the file.
Verifying the IP blocks
To verify that these IP addresses/networks are blocked, run:
# iptables -L -n
You should see the blocked IP addresses/networks as DROP rules in your INPUT and OUTPUT chains, which tells the CentOS kernel to silently discard incoming packets from, and outgoing packets to, the listed addresses or networks.
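Two things a practitioner would want on top of the script above: the list entries are passed straight to iptables, so a malformed or hostile line in the file becomes part of a root command, and re-running the script appends the same DROP rules again. The following is an added example, not the article's script, that validates each entry as an IPv4 address or CIDR prefix and prints rules guarded by iptables -C (available from iptables 1.4.11 onward); the function names validate_entry, emit_rules and plan_from_list are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's script. Validates every entry in the block
# list as an IPv4 address or IPv4 CIDR prefix before it is handed to iptables,
# and emits rules guarded by `iptables -C` so that re-running the script does
# not append duplicate DROP rules (-C needs iptables 1.4.11 or newer).
# Function names (validate_entry, emit_rules, plan_from_list) are hypothetical.
IPTABLES_BIN=${IPTABLES_BIN:-/sbin/iptables}

# Return 0 only for a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32.
validate_entry() {
    case $1 in
        */*) addr=${1%%/*}; plen=${1#*/} ;;
        *)   addr=$1;       plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac            # prefix must be numeric
    [ "$plen" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac  # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs           # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the guarded DROP rules for one valid entry (INPUT and OUTPUT, as in
# the article) without executing anything.
emit_rules() {
    for chain_flag in "INPUT -s" "OUTPUT -d"; do
        printf '%s -C %s %s -j DROP 2>/dev/null || %s -A %s %s -j DROP\n' \
            "$IPTABLES_BIN" "$chain_flag" "$1" "$IPTABLES_BIN" "$chain_flag" "$1"
    done
}

# Read the list file, skip blank and comment lines, print rules for valid
# entries and report anything else on stderr. Inline comments are rejected.
plan_from_list() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r entry; do
        if validate_entry "$entry"; then
            emit_rules "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Usage: sh block_ip_safe.sh /path/to/bad.ip.txt | sh   (omit "| sh" to review first)
if [ $# -eq 1 ]; then plan_from_list "$1"; fi
```

Running it without the trailing "| sh" prints the exact commands it would execute, which is a cheap way to review a block list before it touches a production firewall.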
mn on February 10, 2009
IPTABLES_BIN=/sbin/iptables
invocation is incorrect:
$IPTABLES -A INPUT -s $i -j DROP
$IPTABLES -A OUTPUT -d $i -j DROP
^
———| needs _BIN
Brendan Lally on February 19, 2009
Your IPTABLES_BIN=/sbin/iptables
needs 2b IPTABLES=/sbin/iptables