Due to a number of issues, my organization is reviewing the ability to block certain country domains at the firewall. To be proactive, we want to automate that process via iptables & the CSV available at <http://ip-to-country.webhosting.info>. We have created a C program (IPCheck) in the /bin directory which, when given an IP long number, checks the ip-to-country CSV and returns a value for permit or not. We want to process the packet based on that return. I'm a relative newbie with iptables & scripts. Listed below is some very crude code, some of which is a verbal description of intent. Any suggestions on how to shore this up so that it will work? Or should this concept be a new module in iptables? # # ***** DROP BAD IPS ***** # /bin/IPCheck `grep -w "SRC =" | cut -d = -f 2` if return = "Bad IP" $IPT -A INPUT -$ETH0 $RATELIMIT -j INBADIPS ***** RULES - DROP BAD IPS ***** # ***** REVIEW LOG AT /var/log/iptables.log ***** # $IPT -A INBADIPS -j LOG --log-level debug --log-prefix "BADIP: " -j DROP Thanks in advance for your help. Gary McFall
