On Tue, Sep 17, 2002 at 08:05:52PM -0400, Ryan Yagatich wrote:
...
> 
> for iptables, you can do some logging and the such so you know when they 
> are attempting to connect:
> 
> iptables -N kiddies
> iptables -A kiddies -j LOG --log-prefix "Script Kiddie Log: " -m limit --limit 1/m
> iptables -A kiddies -j DROP
...

This is really nice.  The only difficulty is that you lose the
iptables information whenever iptables drops its tables (such
as on a reboot).  Here's a little script that lets you drop
IP addresses (and subnets) using the approach Ryan laid out
while also remembering the IP addresses so they can be
dropped whenever you restart the system.  The comments in
the script show how this might be used if you (like me)
set up iptables using the script /etc/rc.d/rc.firewall.

--------------------------------------------------------
#!/bin/bash -f

#
# Drops one or more IP address ranges and remembers to drop them
#   whenever rc.firewall is rerun...

IPTABLES=/sbin/iptables
DDIR=/var/lib/drop_ips
DFILE=${DDIR}/dropped_ip_addresses

# (1) /etc/rc.d/rc.firewall must have the following defined!
#     (without being commented out, of course...)
#
########################################################
#iptables -N kiddies
#iptables -A kiddies -j LOG --log-prefix "Dropped IP Log: " -m limit \
#                    --limit 1/m
#iptables -A kiddies -j DROP
########################################################

# (2) Also, append the following (again, without being commented out)
#     to /etc/rc.d/rc.firewall (note definition of DFILE must
#     match definition given above!)
#
########################################################
#DFILE=/var/lib/drop_ips/dropped_ip_addresses
#if [ -f "${DFILE}" ]; then
#   while read bad_ip; do
#      echo "Dropping '${bad_ip}'"
#      $IPTABLES -A INPUT   -s ${bad_ip} -j kiddies
#      $IPTABLES -A FORWARD -s ${bad_ip} -j kiddies
#   done <${DFILE}
#fi
########################################################

###                       ####
### Real code begins here ####
###                       ####

# Make sure 'persistence' file exists
checkFile() {
    if [ ! -d "${DDIR}" ]; then
        mkdir -p "${DDIR}"
    fi
    if [ ! -f "${DFILE}" ]; then
        touch "${DFILE}"
    fi
}

# Drop the IP immediately
#   (grep -x -F: match the whole line literally, so '10.0.0.1' is not
#    mistaken for an existing entry such as '10.0.0.10' or '10.0.0.1/24')
doDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Dropping connections from '$ip'"
        ${IPTABLES} -A INPUT   -s "$ip" -j kiddies
        ${IPTABLES} -A FORWARD -s "$ip" -j kiddies
    else
        echo "Already dropped '$ip'"
    fi
}

# Remember to drop it again on reboot
saveDrop() {
    ip=$1
    if ! grep -qxF -- "$ip" "${DFILE}"; then
        echo "Remembering to drop '$ip' in the future"
        echo "$ip" >>"${DFILE}"
    fi
}

checkFile
for i in "$@"; do
    doDrop "$i"
    saveDrop "$i"
done
--------------------------------------------------

-Steve
--
Steve Wampler     {[EMAIL PROTECTED]}
The gods that smiled upon your birth are laughing now. -- fortune cookie
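Two things a practitioner will want around a persistence file like this: whatever gets written to it is later read back and handed to iptables by rc.firewall, so it should be checked to be an IPv4 address or CIDR range before it is saved, and the "already present" check should compare whole lines, because a plain `grep -q` on the address is a substring match (10.0.0.1 would shadow 10.0.0.10). The following is an added example, not code from Steve's post or from any firewall package; the function names, the return codes and the default DFILE path are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: validate an address before it
# is written to the persistence file, and compare against that file line by line.
# The function names and the DFILE default are assumptions made for this demo.

DFILE="${DFILE:-/var/lib/drop_ips/dropped_ip_addresses}"

# Return 0 if $1 is a dotted-quad IPv4 address, optionally followed by
# "/0".."/32"; anything else (shell metacharacters, hostnames, IPv6, junk) fails.
valid_ip_or_cidr() {
    addr=$1
    case "$addr" in
        */*) ip=${addr%%/*}; prefix=${addr#*/} ;;
        *)   ip=$addr;        prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;        # prefix must be digits only
    esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] || return 1
    fields=0
    rest="$ip."                         # trailing dot: every field now ends with '.'
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;    # empty or non-numeric field (catches "1..2.3")
        esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        fields=$((fields + 1))
    done
    [ "$fields" -eq 4 ]
}

# Append $1 to the persistence file ($2, default DFILE) unless an identical
# line is already there. Returns 0 = added, 1 = already present, 2 = rejected.
remember_drop() {
    addr=$1
    file=${2:-$DFILE}
    if ! valid_ip_or_cidr "$addr"; then
        echo "Refusing to remember '$addr': not an IPv4 address or CIDR range" >&2
        return 2
    fi
    # -x: whole line, -F: literal string, so 10.0.0.1 does not "match" 10.0.0.10
    if [ -f "$file" ] && grep -qxF -- "$addr" "$file"; then
        echo "Already remembering '$addr'"
        return 1
    fi
    echo "$addr" >>"$file"
    echo "Remembering to drop '$addr' in the future"
    return 0
}

# Usage: sh remember_drop.sh 10.0.0.1 192.168.0.0/16   (writes to $DFILE)
for a in "$@"; do
    remember_drop "$a"
done
```

The validator uses only parameter expansion and `case` patterns, so nothing in the argument is ever word-split or glob-expanded; an entry that fails the check is never written, which is what keeps the `while read bad_ip` loop in rc.firewall from feeding arbitrary text to iptables later.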
