On Tue, Sep 17, 2002 at 08:05:52PM -0400, Ryan Yagatich wrote:
...
> for iptables, you can do some logging and the such so you know when they
> are attempting to connect:
>
> iptables -N kiddies
> iptables -A kiddies -j LOG --log-prefix "Script Kiddie Log: " -m limit
> --limit 1/m
> iptables -A kiddies -j DROP
...
This is really nice. The only difficulty is that you lose the iptables information whenever iptables drops its tables (such as on a reboot). Here's a little script that lets you drop IP addresses (and subnets) using the approach Ryan laid out while also remembering the IP addresses so they can be dropped whenever you restart the system. The comments in the script show how this might be used if you (like me) set up iptables using the script /etc/rc.d/rc.firewall.

--------------------------------------------------------
#!/bin/bash -f
#
# Drops one or more IP address ranges and remembers to drop them
# whenever rc.firewall is rerun...

IPTABLES=/sbin/iptables
DDIR=/var/lib/drop_ips
DFILE=${DDIR}/dropped_ip_addresses

# (1) /etc/rc.d/rc.firewall must have the following defined!
#     (without being commented out, of course...)
#
########################################################
#iptables -N kiddies
#iptables -A kiddies -j LOG --log-prefix "Dropped IP Log: " -m limit \
#    --limit 1/m
#iptables -A kiddies -j DROP
########################################################

# (2) Also, append the following (again, without being commented out)
#     to /etc/rc.d/rc.firewall (note definition of DFILE must
#     match definition given above!)
#
########################################################
#DFILE=/var/lib/drop_ips/dropped_ip_addresses
#if [ -f "${DFILE}" ]; then
#    while read bad_ip; do
#        echo "Dropping '${bad_ip}'"
#        $IPTABLES -A INPUT -s ${bad_ip} -j kiddies
#        $IPTABLES -A FORWARD -s ${bad_ip} -j kiddies
#    done <${DFILE}
#fi
########################################################

###                                    ####
### Real code begins here              ####
###                                    ####

# Make sure 'persistence' file exists
checkFile() {
    if [ ! -d "${DDIR}" ]; then
        mkdir -p "${DDIR}"
    fi
    if [ ! -f "${DFILE}" ]; then
        touch "${DFILE}"
    fi
}

# Drop the IP immediately
# (grep -xF: whole-line, fixed-string match, so 10.0.0.1 is not
#  mistaken for "already dropped" because 10.0.0.10 is on file)
doDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Dropping connections from '$ip'"
        ${IPTABLES} -A INPUT -s "$ip" -j kiddies
        ${IPTABLES} -A FORWARD -s "$ip" -j kiddies
    else
        echo "Already dropped '$ip'"
    fi
}

# Remember to drop it again on reboot
saveDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Remembering to drop '$ip' in the future"
        echo "$ip" >>"${DFILE}"
    fi
}

checkFile
for i in "$@"; do
    doDrop "$i"
    saveDrop "$i"
done
--------------------------------------------------
-Steve
--
Steve Wampler {[EMAIL PROTECTED]}
The gods that smiled upon your birth are laughing now. -- fortune cookie
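The script above hands whatever it is given straight to iptables and tests the persistence file with a substring grep. The following is an added example, not Steve's script or anything from the list thread, showing the same drop-and-remember idea with two hardening steps a firewall admin usually wants: the address is validated as IPv4 (optionally with a /prefix) before any iptables call, and the persistence file is checked with an exact whole-line match. The function names (valid_cidr, remember_drop, apply_drop, replay_drops) are my own; the "kiddies" chain and the DFILE path follow the post. IPTABLES can be overridden in the environment (for instance with ":" or "echo") to dry-run without root, and the sample addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: validate, record once, and replay iptables drops at boot.
IPTABLES="${IPTABLES:-/sbin/iptables}"                    # override for dry runs
DFILE="${DFILE:-/var/lib/drop_ips/dropped_ip_addresses}"  # same path as the post

# Accept only dotted-quad IPv4, optionally followed by /0..32. Anything else
# (hostnames, option-looking strings, shell metacharacters) is rejected.
valid_cidr() {
    case "$1" in
        -*|*[!0-9./]*|*//*|*..*) return 1 ;;
    esac
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}" ;;
        *)   prefix=32 ;;
    esac
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                       # split octets on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Exact-line match: 10.1.1.1 must not count as recorded because 10.1.1.10 is.
is_recorded() { grep -qxF -- "$1" "$DFILE" 2>/dev/null; }

# Record a validated address once. Returns 1 on bad input, 2 if already on file.
remember_drop() {
    valid_cidr "$1" || return 1
    mkdir -p "$(dirname "$DFILE")"
    is_recorded "$1" && return 2
    printf '%s\n' "$1" >> "$DFILE"
}

# Apply the two rules for one address (same chains as the original script).
apply_drop() {
    "$IPTABLES" -A INPUT   -s "$1" -j kiddies
    "$IPTABLES" -A FORWARD -s "$1" -j kiddies
}

# Boot-time replay from the persistence file; lines that fail validation are
# skipped rather than passed to iptables.
replay_drops() {
    [ -f "$DFILE" ] || return 0
    while read -r bad_ip; do
        valid_cidr "$bad_ip" && apply_drop "$bad_ip"
    done < "$DFILE"
}

# Usage: drop_ip.sh 192.0.2.7 198.51.100.0/24
for ip in "$@"; do
    if remember_drop "$ip"; then
        apply_drop "$ip"
    else
        case $? in
            2) echo "Already dropped '$ip'" >&2 ;;
            *) echo "Rejected '$ip': not an IPv4 address or CIDR block" >&2 ;;
        esac
    fi
done
```

The rc.firewall hook from the post can simply source this file and call replay_drops instead of carrying its own while/read loop, so both paths validate input the same way.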